How to Install Duo Security 2FA for Cisco ASA SSL VPN (Primary Configuration)

[Narrator] Hello, I'm Matt from Duo Security.

In this video, I'm going to show you how to protect your Cisco ASA SSL VPN logins with Duo.

During the setup process, you may use the Cisco Adaptive Security Device Manager, or ASDM.

Before watching this video, be sure to reference the documentation for installing this configuration at duo.com/docs/cisco.

Note that this configuration supports inline self-service enrollment and the Duo Prompt.

Our alternate RADIUS-based Cisco configuration offers additional features including configurable failmodes, IP address-based policies and autopush authentication, but does not support the Duo Prompt.

Read about that configuration at duo.com/docs/cisco-alt.

First, make sure that Duo is compatible with your Cisco ASA device.

We support ASA firmware version 8.3 or later.

You can check which version of the ASA firmware your device is using by logging into the ASDM interface.

Your firmware version will be listed in the Device Information box next to ASA Version.

In addition, you must have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory.

(light music) To begin the installation process, log in to the Duo Admin Panel.

In the Admin Panel, click Applications.

Then click Protect an Application.

Type in “cisco”.

Next to the entry for Cisco SSL VPN, click Protect this Application, which takes you to your new application's properties page.

At the top of the page, click the link to download the Duo Cisco zip package.

Note that this file contains information specific to your application.

Unzip it somewhere convenient and easy to access, like your desktop.

Then click the link to open the Duo for Cisco documentation.

Keep both the documentation and properties pages open as you continue through the setup process.

After creating the application in the Duo Admin Panel and downloading the zip package, you need to modify the sign-in page for your VPN.

Log on to your Cisco ASDM.

Click the Configuration tab and then click Remote Access VPN in the left menu.

Navigate to Clientless SSL VPN Access, Portal, Web Contents.

Click Import.

In the Source section, select Local Computer, and click Browse Local Files.

Locate the Duo-Cisco-[VersionNumber].js file you extracted from the zip package.

After you select the file, it will appear in the Web Content Path box.

In the Destination section, under Require authentication to access its content?, select the radio button next to No.

Click Import Now.

Navigate to Clientless SSL VPN Access, Portal, Customization.

Select the Customization Object you want to modify.

For this video, we will use the default customization template.

Click Edit.

In the outline menu on the left, under Logon Page, click Title Panel.

Copy the string provided in step 9 of the Modify the sign-in page section of the Duo Cisco documentation and paste it in the text box.

Replace “X” with the file version you downloaded.

In this case, it is “6”.

Click OK, then click Apply.

Now you need to add the Duo LDAP server.

Navigate to AAA/Local Users, AAA Server Groups.

In the AAA Server Groups section at the top, click Add.

In the AAA Server Group field, type in Duo-LDAP.

In the Protocol dropdown, select LDAP.

Newer versions of the ASA firmware require you to provide a realm-id.

In this example, we will use “1”.

Click OK.

Select the Duo-LDAP group you just added.

In the Servers in the Selected Group section, click Add.

In the Interface Name dropdown, choose your external interface.

It may be called outside.

In the Server Name or IP Address field, paste the API hostname from your application's properties page in the Duo Admin Panel.

Set the Timeout to 60 seconds.

This allows your users enough time during login to respond to the Duo two-factor request.

Check Enable LDAP over SSL.

Set Server Type to Detect Automatically/Use Generic Type.

In the Base DN field, enter dc= then paste your integration key from the application's properties page in the Duo Admin Panel.

After that, type ,dc=duosecurity,dc=com

Set Scope to One level beneath the Base DN.

In the Naming Attributes field, type cn.

In the Login DN field, copy and paste the information from the Base DN field you entered above.

In the Login Password field, paste your application's secret key from the properties page in the Duo Admin Panel.

Click OK, then click Apply.

Now configure the Duo LDAP server.

In the left sidebar, navigate to Clientless SSL VPN Access, Connection Profiles.

Under Connection Profiles, select the connection profile you want to modify.

For this video, we will use the DefaultWEBVPNGroup.

Click Edit.

In the left menu, under Advanced, select Secondary Authentication.

Select Duo-LDAP in the Server Group list.

Uncheck the Use LOCAL if Server Group fails box.

Check the box for Use primary username.

Click OK, then click Apply.

If any of your users log in through desktop or mobile AnyConnect clients, you'll need to increase the AnyConnect authentication timeout from the default 12 seconds, so that users have enough time to use Duo Push or phone callback.

In the left sidebar, navigate to Network (Client) Access, AnyConnect Client Profile.

Select your AnyConnect client profile.

Click Edit.

In the left menu, navigate to Preferences (Part 2).

Scroll to the bottom of the page and change the Authentication Timeout (seconds) setting to 60.

Click OK, then click Apply.

With everything configured, it is now time to test your setup.

In a web browser, navigate to your Cisco ASA SSL VPN service URL.

Enter your username and password.

After you complete primary authentication, the Duo Prompt appears.

Using this prompt, users can enroll in Duo or complete two-factor authentication.

Since this user has already been enrolled in Duo, you can select Send Me a Push, Call Me, or Enter a Passcode.

Select Send Me a Push to send a Duo push notification to your smartphone.

On your phone, open the notification, tap the green button to accept, and you're logged in.

Note that when using the AnyConnect client, users will see a second password field.

This field accepts the name of a Duo factor, such as push or phone, or a Duo passcode.

In addition, the AnyConnect client will not update to the increased 60 second timeout until a successful authentication is made.

It is recommended that you use a passcode for your second factor to complete your first authentication after updating the AnyConnect timeout.

You have successfully set up Duo two-factor authentication for your Cisco ASA SSL VPN.
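An added example, not part of the video or Duo's documentation: a Python check that audits an ASA running-config excerpt against the values set in the walkthrough (60 second timeout, LDAP over SSL, one-level scope, cn naming attribute, Login DN equal to Base DN, no LOCAL fallback, primary username reused). It assumes the ASDM fields appear in the running configuration under the CLI keywords shown; the hostname, integration key and interface name in the sample are placeholders.

```python
import re
# Constructed running-config excerpt (not from the video); values are placeholders.
SAMPLE = """\
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (outside) host api-XXXXXXXX.duosecurity.com
 timeout 12
 ldap-base-dn dc=DIXXXXXXXXXXXXXXXXXX,dc=duosecurity,dc=com
 ldap-scope onelevel
 ldap-naming-attribute cn
 ldap-login-dn dc=DIXXXXXXXXXXXXXXXXXX,dc=duosecurity,dc=com
 ldap-over-ssl enable
tunnel-group DefaultWEBVPNGroup general-attributes
 secondary-authentication-server-group Duo-LDAP LOCAL use-primary-username
"""
# Values the walkthrough sets for the Duo-LDAP server entry.
EXPECTED = {"timeout": "60", "ldap-over-ssl": "enable",
            "ldap-scope": "onelevel", "ldap-naming-attribute": "cn"}

def blocks(config):
    """Map each top-level command to the indented sub-commands under it."""
    out, head = {}, []
    for line in config.splitlines():
        if line.strip() and not line.startswith(" "):
            head = out.setdefault(line.strip(), [])
        elif line.strip():
            head.append(line.strip())
    return out

def audit(config, group="Duo-LDAP"):
    """List deviations from the settings described in the walkthrough."""
    cfg, findings = blocks(config), []
    host = next((v for k, v in cfg.items() if re.match(
        rf"aaa-server {re.escape(group)} \(\S+\) host ", k)), [])
    opts = dict((l.split(None, 1) + [""])[:2] for l in host)
    for key, want in EXPECTED.items():
        if opts.get(key) != want:
            findings.append(f"{key}: expected {want}, found {opts.get(key)}")
    base = opts.get("ldap-base-dn", "")
    if not re.fullmatch(r"dc=\w+,dc=duosecurity,dc=com", base):
        findings.append("ldap-base-dn: not dc=<integration key>,dc=duosecurity,dc=com")
    if opts.get("ldap-login-dn") != base:
        findings.append("ldap-login-dn: differs from ldap-base-dn")
    for head, subs in cfg.items():
        for words in (s.split() for s in subs):
            if words[0] == "secondary-authentication-server-group" and group in words:
                if "LOCAL" in words:
                    findings.append(f"{head}: falls back to LOCAL")
                if "use-primary-username" not in words:
                    findings.append(f"{head}: primary username not reused")
    return findings
```

On the constructed sample, `audit(SAMPLE)` reports the 12 second timeout and the LOCAL fallback, which correspond to the Timeout field and the Use LOCAL if Server Group fails checkbox in the walkthrough.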