[Narrator] Hello, I'm Matt from Duo Security.
In this video, I am going to show you how to protect your Cisco ASA SSL VPN logins with Duo.
During the setup process, you will use the Cisco Adaptive Security Device Manager, or ASDM.
Before watching this video, be sure to reference the documentation for installing this configuration at duo.com/docs/cisco.
Note that this configuration supports inline self-service enrollment and the Duo Prompt.
Our alternate RADIUS-based Cisco configuration offers additional features such as configurable failmodes, IP address-based policies and autopush authentication, but does not support the Duo Prompt.
Read about that configuration at duo.com/docs/cisco-alt.
First, make sure that Duo is compatible with your Cisco ASA device.
We support ASA firmware version 8.3 or later.
You can check which version of the ASA firmware your device is using by logging into the ASDM interface.
Your firmware version will be listed in the Device Information box next to ASA Version.
In addition, you must have a working primary authentication configuration for your SSL VPN users, such as LDAP authentication to Active Directory.
(light music) To begin the installation process, log in to the Duo Admin Panel.
In the Admin Panel, click on Applications.
Then click Protect an Application.
Type in “cisco”.
Next to the entry for Cisco SSL VPN, click Protect this Application, which takes you to your new application's properties page.
At the top of this page, click the link to download the Duo Cisco zip package.
Note that this file contains information specific to your application.
Unzip it somewhere convenient and easy to access, like your desktop.
Then click the link to open the Duo for Cisco documentation.
Keep both the documentation and properties pages open as you continue through the setup process.
After creating the application in the Duo Admin Panel and downloading the zip package, you need to modify the sign-in page for your VPN.
Log on to your Cisco ASDM.
Click the Configuration tab and then click Remote Access VPN in the left menu.
Navigate to Clientless SSL VPN Access, Portal, Web Contents.
Click Import.
In the Source section, select Local Computer, and click Browse Local Files.
Locate the Duo-Cisco-[VersionNumber].js file you extracted from the zip package.
After you select the file, it will appear in the Web Page Path box.
In the Destination section, under Require authentication to access its content?, select the radio button next to No.
Click Import Now.
Navigate to Clientless SSL VPN Access, Portal, Customization.
Select the Customization Object you want to modify.
For this video, we will use the default customization template.
Click Edit.
In the outline menu on the left, under Logon Page, click Title Panel.
Copy the string provided in step 9 of the Modify the sign-in page section of the Duo Cisco documentation and paste it in the text box.
Replace “X” with the file version you downloaded.
In this case, it is “6”.
Click OK, then click Apply.
Now you need to add the Duo LDAP server.
Navigate to AAA/Local Users, AAA Server Groups.
In the AAA Server Groups section at the top, click Add.
In the AAA Server Group field, type in Duo-LDAP.
In the Protocol dropdown, select LDAP.
Newer versions of the ASA firmware require you to provide a realm-id.
In this example, we will use “1”.
Click OK.
Select the Duo-LDAP group you just added.
In the Servers in the Selected Group section, click Add.
In the Interface Name dropdown, choose your external interface.
It may be called outside.
In the Server Name or IP Address field, paste the API hostname from your application's properties page in the Duo Admin Panel.
Set the Timeout to 60 seconds.
This will allow your users enough time during login to respond to the Duo two-factor request.
Check Enable LDAP over SSL.
Set Server Type to Detect Automatically/Use Generic Type.
In the Base DN field, enter dc= then paste your integration key from the application's properties page in the Duo Admin Panel.
After that, type , dc=duosecurity, dc=com
Set Scope to One level beneath the Base DN.
In the Naming Attributes field, type cn.
In the Login DN field, copy and paste the information from the Base DN field you entered above.
In the Login Password field, paste your application's secret key from the properties page in the Duo Admin Panel.
Click OK, then click Apply.
Now configure the Duo LDAP server.
In the left sidebar, navigate to Clientless SSL VPN Access, Connection Profiles.
Under Connection Profiles, select the connection profile you want to modify.
For this video, we will use the DefaultWEBVPNGroup.
Click Edit.
In the left menu, under Advanced, select Secondary Authentication.
Select Duo-LDAP in the Server Group list.
Uncheck the Use LOCAL if Server Group fails box.
Check the box for Use primary username.
Click OK, then click Apply.
If any of your users log in through desktop or mobile AnyConnect clients, you will need to increase the AnyConnect authentication timeout from the default 12 seconds, so that users have enough time to use Duo Push or phone callback.
In the left sidebar, navigate to Network (Client) Access, AnyConnect Client Profile.
Select your AnyConnect client profile.
Click Edit.
In the left menu, navigate to Preferences (Part 2).
Scroll to the bottom of the page and change the Authentication Timeout (seconds) setting to 60.
Click OK, then click Apply.
With everything configured, it is now time to test your setup.
In a web browser, navigate to your Cisco ASA SSL VPN service URL.
Enter your username and password.
After you complete primary authentication, the Duo Prompt appears.
Using this prompt, users can enroll in Duo or complete two-factor authentication.
Since this user has already been enrolled in Duo, you can select Send Me a Push, Call Me, or Enter a Passcode.
Select Send Me a Push to send a Duo push notification to your smartphone.
On your phone, open the notification, tap the green button to accept, and you're logged in.
Note that when using the AnyConnect client, users will see a second password field.
This field accepts the name of a Duo factor, such as push or phone, or a Duo passcode.
In addition, the AnyConnect client will not update to the increased 60 second timeout until a successful authentication is made.
It is recommended that you use a passcode for your second factor to complete your first authentication after updating the AnyConnect timeout.
You have successfully set up Duo two-factor authentication for your Cisco ASA SSL VPN.
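An added example, not part of the video or of Duo's documentation: a Python check that reads an ASA running-config and reports which of the Duo-LDAP settings from the walkthrough are missing. The CLI lines are assumed equivalents of the ASDM fields described above, and the sample config, API hostname and integration key are constructed placeholders.

```python
import re

SEC = "secondary-authentication-server-group"
# Constructed running-config excerpt; host and integration key are placeholders.
SAMPLE = """\
aaa-server Duo-LDAP protocol ldap
aaa-server Duo-LDAP (outside) host api-XXXXXXXX.duosecurity.com
 timeout 60
 ldap-base-dn dc=DIXXXXXXXXXXXXXXXXXX,dc=duosecurity,dc=com
 ldap-login-dn dc=DIXXXXXXXXXXXXXXXXXX,dc=duosecurity,dc=com
 ldap-over-ssl enable
tunnel-group DefaultWEBVPNGroup general-attributes
 secondary-authentication-server-group Duo-LDAP use-primary-username
"""

def stanzas(config):
    """Group indented sub-commands under the top-level line that precedes them."""
    out, current = {}, None
    for line in filter(str.strip, config.splitlines()):
        if not line.startswith(" "):
            current = out.setdefault(line.strip(), [])
        elif current is not None:
            current.append(line.strip())
    return out

def audit_duo_ldap(config, group="Duo-LDAP"):
    """Return findings; an empty list means the walkthrough's settings are present."""
    blocks, findings = stanzas(config), []
    host_re = re.compile(rf"aaa-server {re.escape(group)} \(\S+\) host \S+")
    host = next((v for k, v in blocks.items() if host_re.fullmatch(k)), None)
    if host is None:
        return [f"no server defined in group {group}"]
    opts = dict(s.split(" ", 1) for s in host if " " in s)
    if opts.get("ldap-over-ssl") != "enable":
        findings.append("LDAP over SSL not enabled")  # secret key is the bind password
    if not opts.get("timeout", "").isdigit() or int(opts["timeout"]) < 60:
        findings.append("timeout below 60 seconds")
    base = opts.get("ldap-base-dn", "")
    if not re.fullmatch(r"dc=[^,]+,\s*dc=duosecurity,\s*dc=com", base):
        findings.append("Base DN is not dc=<integration key>,dc=duosecurity,dc=com")
    if opts.get("ldap-login-dn") != base:
        findings.append("Login DN differs from Base DN")
    sec = [t for v in blocks.values() for s in v
           if (t := s.split())[:2] == [SEC, group]]
    if not sec:
        findings.append("group not used for secondary authentication")
    if any("LOCAL" in t for t in sec):  # second factor must not fall back to LOCAL
        findings.append("secondary authentication falls back to LOCAL")
    return findings
```

Run `audit_duo_ldap()` on the text of `show running-config` after applying the ASDM changes; a non-empty list names the steps to revisit.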