[Narrator] Hi, I'm Matt from Duo Security.
In this video, I'm going to show you how to protect your Cisco ASA SSL VPN logins with Duo.
During the setup process, you will use the Cisco Adaptive Security Device Manager, or ASDM.
Before watching this video, be sure to reference the documentation for installing this configuration at duo.com/docs/cisco.
Note that this configuration supports inline self-service enrollment and the Duo Prompt.
Our alternate RADIUS-based Cisco configuration offers additional features including configurable failmodes, IP address-based policies and autopush authentication, but does not support the Duo Prompt.
Read about that configuration at duo.com/docs/cisco-alt.
First, make sure that Duo is compatible with your Cisco ASA device.
We support ASA firmware version 8.3 or later.
You can check which version of the ASA firmware your device is using by logging into the ASDM interface.
Your firmware version will be listed in the Device Information box next to ASA Version.
In addition, you must have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory.
(light music) To get started with the installation process, log in to the Duo Admin Panel.
In the Admin Panel, click Applications.
Then click Protect an Application.
Type in "cisco".
Next to the entry for Cisco SSL VPN, click Protect this Application, which takes you to your new application's Properties page.
At the top of the page, click the link to download the Duo Cisco zip package.
Note that this file contains information specific to your application.
Unzip it somewhere convenient and easy to access, like your desktop.
Then click the link to open the Duo for Cisco documentation.
Keep both the documentation and Properties pages open as you continue through the setup process.
After creating the application in the Duo Admin Panel and downloading the zip package, you need to modify the sign-in page for your VPN.
Log on to your Cisco ASDM.
Click the Configuration tab and then click Remote Access VPN in the left menu.
Navigate to Clientless SSL VPN Access, Portal, Web Contents.
Click Import.
In the Source section, select Local computer, and click Browse Local Files.
Locate the Duo-Cisco-[VersionNumber].js file you extracted from the zip package.
After you select the file, it will appear in the Web Content Path box.
In the Destination section, under Require authentication to access its content?, select the radio button next to No.
Click Import Now.
Navigate to Clientless SSL VPN Access, Portal, Customization.
Select the Customization Object you want to modify.
For this video, we will use the default customization template.
Click Edit.
In the outline menu on the left, under Logon Page, click Title Panel.
Copy the string provided in step nine of the Modify the sign-in page section of the Duo Cisco documentation and paste it in the text box.
Replace "X" with the file version you downloaded.
In this case, it is "6".
Click OK, then click Apply.
Now you need to add the Duo LDAP server.
Navigate to AAA/Local Users, AAA Server Groups.
In the AAA Server Groups section at the top, click Add.
In the AAA Server Group field, type in Duo-LDAP.
In the Protocol dropdown, select LDAP.
Newer versions of the ASA firmware require you to provide a realm-id.
In this example, we will use "1".
Click OK.
Select the Duo-LDAP group you just added.
In the Servers in the Selected Group section, click Add.
In the Interface Name dropdown, choose your external interface.
It may be called outside.
In the Server Name or IP Address field, paste the API hostname from your application's Properties page in the Duo Admin Panel.
Set the Timeout to 60 seconds.
This will allow your users enough time during login to respond to the Duo two-factor request.
Check Enable LDAP over SSL.
Set Server Type to Detect Automatically/Use Generic Type.
In the Base DN field, enter dc= then paste your integration key from the application's Properties page in the Duo Admin Panel.
After that, type ,dc=duosecurity,dc=com
Set Scope to One level beneath the Base DN.
In the Naming Attributes field, type cn.
In the Login DN field, copy and paste the information from the Base DN field you entered above.
In the Login Password field, paste your application's secret key from the Properties page in the Duo Admin Panel.
Click OK, then click Apply.
Now configure the Duo LDAP server.
In the left sidebar, navigate to Clientless SSL VPN Access, Connection Profiles.
Under Connection Profiles, select the connection profile you want to modify.
For this video, we will use the DefaultWEBVPNGroup.
Click Edit.
In the left menu, under Advanced, select Secondary Authentication.
Select Duo-LDAP from the Server Group list.
Uncheck the Use LOCAL if Server Group fails box.
Check the box for Use primary username.
Click OK, then click Apply.
If any of your users log in through desktop or mobile AnyConnect clients, you'll need to increase the AnyConnect authentication timeout from the default 12 seconds, so that users have enough time to use Duo Push or phone callback.
In the left sidebar, navigate to Network (Client) Access, AnyConnect Client Profile.
Select your AnyConnect client profile.
Click Edit.
In the left menu, navigate to Preferences (Part 2).
Scroll to the bottom of the page and change the Authentication Timeout (seconds) setting to 60.
Click OK, then click Apply.
With everything configured, it is now time to test your setup.
In a web browser, navigate to your Cisco ASA SSL VPN service URL.
Enter your username and password.
After you complete primary authentication, the Duo Prompt appears.
Using this prompt, users can enroll in Duo or complete two-factor authentication.
Since this user has already been enrolled in Duo, you can select Send Me a Push, Call Me, or Enter a Passcode.
Select Send Me a Push to send a Duo push notification to your smartphone.
On your phone, open the notification, tap the green button to accept, and you're logged in.
Note that when using the AnyConnect client, users will see a second password field.
This field accepts the name of a Duo factor, such as push or phone, or a Duo passcode.
In addition, the AnyConnect client will not update to the increased 60 second timeout until a successful authentication is made.
It is recommended that you use a passcode as your second factor to complete your first authentication after updating the AnyConnect timeout.
You have successfully set up Duo two-factor authentication for your Cisco ASA SSL VPN.