Security System Engineer
silviu.sirbu@alef.com
About Cisco DUO Security
With Cisco Duo, securing your entire organization has never been easier. Cisco Duo’s user directory, flexible authentication options, including passwordless authentication, single sign-on (SSO), granular policy engine, identity automation capabilities, and AI identity analytics deploy fast in any environment. Duo helps keep companies safer than ever before with minimal downtime and optimized productivity.
If the answer is yes then you can use Active Directory Sync (sometimes called directory synchronization) to keep identities in sync:
With AD sync, Duo knows which accounts exist and can enforce MFA (multi factor authentication) for those users.
Because it bridges Cisco Duo cloud with legacy systems that do not natively support SAML / OIDC (e.g. RADIUS, LDAP, Active Directory, VPNs). No worries about confidentiality as the communication between the two systems is encrypted.
Your company has employed two external people as contractors so they can perform software development activities alongside with the internal team by connecting through the remote access VPN service to the internal resources. The company wants to protect resources and identities from vector attacks like credential theft & phishing through Duo MFA and SSO (single sign-on).
1. In the Duo Admin Panel, from the menu on the left, click Applications > Application Catalog . Click +Add under the Cisco Firepower Threat Defense VPN (SSO) application tile.
2. Locate the Service Provider section. In the Cisco Firepower Base URL field, enter vpn.dcloud.local (the URL for the existing Firewall Threat Defense VPN head-end). In the Connection Profile Name field, enter TG-RAVPN (the existing Tunnel group for VPN on Firewall Threat Defense).
3. Login to Secure Firewall Management Center (FMC) using the admin account. In Firewall Management Center, click Devices > Certificates.
4. Create a trust relationship between the Service Provider (Secure Firepower Management Center) and IdP Duo Cloud by Adding Certificate Enrollment as IdP CA
5. From Objects -> Single Sign-on Server -> Add Single Sign-on Server.
Add the parameters offered by DUO cloud in order to successfully connect via API keys.
6. From Devices -> Remote Access -> Advanced select Default-External-Browser Package.
7. Edit the Connection Profile TG-RAVPN so that the new authentication method is now SAML and authentication server Duo_SSO.
In today's digital landscape, organizations are continually seeking ways to enhance security while simplifying user experiences. One key decision in this journey is determining how users enroll in authentication services—either by requiring a password or adopting a passwordless approach.
Enrolling with a password remains a traditional method, offering a familiar layer of security. However, passwordless continues to gain traction as it minimizes friction and enhances user convenience by eliminating the need for password management.
A complete passwordless experience leverages robust authentication methods to ensure secure access without the traditional password. This approach not only strengthens security by reducing an organization's attack surface, but it also streamlines the user experience by removing barriers to access.
Duo's flexible enrollment options for primary and secondary authentication allows organizations to tailor their identity management strategies, balancing security requirements with user-friendly authentication.
1. From Policies -> User Enrollment and Account Management -> Add Policy.
2. Apply user group policy.
3. Custom policy applied to Contractors group.
1. Create a user manually.
2. Follow the enrollment link and generate the code.
3. Use a security key to verify the identity.
4. Create the passkey stored on the security key.
5. Add a PIN and you’re good to go!
6. Verify enrollment for the remote contractor user.
7. Open the Cisco Secure Client and follow the normal vpn login operation:
8. You will get the redirection to Duo Identity Provider login:
9. Authenticate user using security key
10. User is successfully authenticated.
1. Follow the enrollment link and generate the code for AD synced user bob.
2. Add the enrollment code for on-site contractor bob:
3. Add the password as a first factor in the authentication process.
4. Add the second factor with Duo Mobile verification code.
5. Scan the QR code for Duo Mobile App enrollment.
6. Setup is now complete.
7. Verify authentication for on-site contractor user “bob” . Connect to the vpn through Cisco Secure Client . Duo IdP will prompt you with the username so the authentication process can start.
8. First factor provided.
9. Enter code in Duo Mobile.
10. Login succeded!
