Preamble

A user's status can be set as Bypass in the Duo Admin Panel (to bypass 2FA), but as an exercise we can also use Duo's Auth Proxy along side a separate authentication server in an environment with Duo 2FA users and non-2FA users.

The end result is the same, end-users only have to type their credentials and they get a push, other flags such as phone are used as fallback in the event that the push isn't working (e.g. poor cell reception, etc).

Example, in an AD environment;

  • One tunnel-group that uses the DUO Auth Proxy tied to Duo's RADIUS application (not Cisco RADIUS VPN); for the LDAP integration configure appropriate values for search_dn and security_group_dn in the /opt/duoauthproxy/conf/authproxy.cfg file to specify an AD security group whose members are 2FA users.

  • Another tunnel-group that points to another authentication server server; e.g. NPS server with a RADIUS policy pointing to a different AD security group for non-2FA users.

Both tunnel-group aliases will show up in the Anyconnect client, but users will only be able to auth to the AD security group mapped to their respective tunnel-group; providing that the user account isn't in both security groups.

Group policy and webvpn config;

Internal DNS server 10.31.254.51
Internal domain domain.local
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
    dns-server value 10.31.254.51
    vpn-simultaneous-logins 5
    vpn-tunnel-protocol ssl-client 
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split-tunnel
    default-domain value domain.local
    split-dns value domain.local
!
webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-4.6.01098-webdeploy-k9.pkg 1 regex "Windows NT"
    anyconnect image disk0:/anyconnect-linux64-4.6.01098-webdeploy-k9.pkg 2 regex "Linux"
    anyconnect enable
    tunnel-group-list enable
    cache
    disable
    error-recovery disable

For Duo;

Duo Auth Proxy server 10.31.255.11

The TG-DUO tunnel-group is configured to use the AAA-DUO aaa-server(s). The timeout is bumped up a bit here to deal with potential latency with the push message.

tunnel-group TG-DUO type remote-access
tunnel-group TG-DUO general-attributes
    address-pool VPN_POOL
    authentication-server-group AAA-DUO
    default-group-policy GP_ANYCONNECT
tunnel-group DUO webvpn-attributes
    group-alias AnyConnect disable
    group-alias "AnyConnect VPN - Duo" enable
!
aaa-server AAA-DUO protocol radius
aaa-server AAA-DUO (inside) host 10.31.255.11
    timeout 90
    key *****

For non-2FA;

Internal NPS server 10.31.255.12

The TG-NPS tunnel-group is configured to use the AAA-NPS aaa-server(s). Example assumes NPS role is running on a separate server; i.e. not the DC.

tunnel-group TG-NPS type remote-access
tunnel-group TG-NPS general-attributes
    address-pool VPN_POOL
    authentication-server-group AAA-NPS
    default-group-policy GP_ANYCONNECT
tunnel-group TG-NPS webvpn-attributes
    group-alias AnyConnect disable
    group-alias "AnyConnect VPN - non-2FA" enable
aaa-server AAA-NPS protocol radius
aaa-server AAA-NPS (inside) host 10.31.255.12
    key *****