[Narrator] Hi, I'm Matt from Duo Security.
In this video, I'm going to show you how to protect your Cisco ASA SSL VPN logins with Duo.
During the setup process, you'll use the Cisco Adaptive Security Device Manager, or ASDM.
Before watching this video, be sure to reference the documentation for installing this configuration at duo.com/docs/cisco.
Note that this configuration supports inline self-service enrollment and the Duo Prompt.
Our alternate RADIUS-based Cisco configuration offers additional features including configurable failmodes, IP address-based policies and autopush authentication, but does not support the Duo Prompt.
Read about that configuration at duo.com/docs/cisco-alt.
First, make sure that Duo is compatible with your Cisco ASA device.
We support ASA firmware version 8.3 or later.
You can check which version of the ASA firmware your device is using by logging into the ASDM interface.
Your firmware version will be listed in the Device Information box next to ASA Version.
In addition, you must have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory.
(light music) To get started with the installation process, log in to the Duo Admin Panel.
In the Admin Panel, click Applications.
Then click Protect an Application.
Type in “cisco”.
Next to the entry for Cisco SSL VPN, click Protect this Application, which takes you to the new application's properties page.
At the top of the page, click the link to download the Duo Cisco zip package.
Note that this file contains information specific to your application.
Unzip it somewhere convenient and easy to access, like your desktop.
Then click the link to open the Duo for Cisco documentation.
Keep both the documentation and properties pages open as you continue through the setup process.
After creating the application in the Duo Admin Panel and downloading the zip package, you need to modify the sign-in page for your VPN.
Log on to your Cisco ASDM.
Click the Configuration tab and then click Remote Access VPN in the left menu.
Navigate to Clientless SSL VPN Access, Portal, Web Contents.
Click Import.
In the Source section, select Local Computer, and click Browse Local Files.
Locate the Duo-Cisco-[VersionNumber].js file you extracted from the zip package.
After you select the file, it will appear in the Web Content Path box.
In the Destination section, under Require authentication to access its content?, select the radio button next to No.
Click Import Now.
Navigate to Clientless SSL VPN Access, Portal, Customization.
Select the Customization Object you want to modify.
For this video, we will use the default customization template.
Click Edit.
In the outline menu on the left, under Logon Page, click Title Panel.
Copy the string provided in step 9 of the Modify the sign-in page section of the Duo Cisco documentation and paste it in the text box.
Replace “X” with the file version you downloaded.
In this case, it is “6”.
Click OK, then click Apply.
Now you need to add the Duo LDAP server.
Navigate to AAA/Local Users, AAA Server Groups.
In the AAA Server Groups section at the top, click Add.
In the AAA Server Group field, type in Duo-LDAP.
In the Protocol dropdown, select LDAP.
Newer versions of the ASA firmware require you to provide a realm-id.
In this example, we will use “1”.
Click OK.
Select the Duo-LDAP group you just added.
In the Servers in the Selected Group section, click Add.
In the Interface Name dropdown, choose your external interface.
It may be called outside.
In the Server Name or IP Address field, paste the API hostname from your application's properties page in the Duo Admin Panel.
Set the Timeout to 60 seconds.
This will allow your users enough time during login to respond to the Duo two-factor request.
Check Enable LDAP over SSL.
Set Server Type to Detect Automatically/Use Generic Type.
In the Base DN field, enter dc= then paste your integration key from your application's properties page in the Duo Admin Panel.
After that, type ,dc=duosecurity,dc=com
Set Scope to One level beneath the Base DN.
In the Naming Attributes field, type cn.
In the Login DN field, copy and paste the information from the Base DN field you entered above.
In the Login Password field, paste your application's secret key from the properties page in the Duo Admin Panel.
Click OK, then click Apply.
Now configure the Duo LDAP server.
In the left sidebar, navigate to Clientless SSL VPN Access, Connection Profiles.
Under Connection Profiles, select the connection profile you want to modify.
For this video, we will use the DefaultWEBVPNGroup.
Click Edit.
In the left menu, under Advanced, select Secondary Authentication.
Select Duo-LDAP in the Server Group list.
Uncheck the Use LOCAL if Server Group fails box.
Check the box for Use primary username.
Click OK, then click Apply.
If any of your users log in through desktop or mobile AnyConnect clients, you'll need to increase the AnyConnect authentication timeout from the default 12 seconds, so that users have enough time to use Duo Push or phone callback.
In the left sidebar, navigate to Network (Client) Access, AnyConnect Client Profile.
Select your AnyConnect client profile.
Click Edit.
In the left menu, navigate to Preferences (Part 2).
Scroll to the bottom of the page and change the Authentication Timeout (seconds) setting to 60.
Click OK, then click Apply.
With everything configured, it's now time to test your setup.
In a web browser, navigate to your Cisco ASA SSL VPN service URL.
Enter your username and password.
After you complete primary authentication, the Duo Prompt appears.
Using this prompt, users can enroll in Duo or complete two-factor authentication.
Since this user has already been enrolled in Duo, you can select Send Me a Push, Call Me, or Enter a Passcode.
Select Send Me a Push to send a Duo push notification to your smartphone.
On your phone, open the notification, tap the green button to accept, and you're logged in.
Note that when using the AnyConnect client, users will see a second password field.
This field accepts the name of a Duo factor, such as push or phone, or a Duo passcode.
In addition, the AnyConnect client will not update to the increased 60 second timeout until a successful authentication is made.
It is recommended that you use a passcode for your second factor to complete your first authentication after updating the AnyConnect timeout.
You've successfully set up Duo two-factor authentication for your Cisco ASA SSL VPN.