
Configure SSL VPN Authentication through FTD, ISE, DUO and Active Directory

Step-by-step guide to configuring SSL VPN authentication with Cisco FTD, ISE, DUO, and Active Directory.

Requirements

  • Cisco ISE 3.0 or higher
  • Cisco FMC 7.0 or higher
  • Cisco FTD 7.0 or higher
  • DUO Authentication Proxy
  • ISE Essentials Licensing
  • DUO Essentials Licensing

Components Used

  • ISE 3.2 Patch 3
  • FMC 7.2.5
  • FTD 7.2.5
  • DUO Proxy 6.3.0
  • Cisco AnyConnect 4.10.08029

Network Flow Overview

  1. User starts the VPN login from the AnyConnect client with an Active Directory username and password.
  2. FTD sends a RADIUS Access-Request to Cisco ISE (the RADIUS Server Group configured in FMC).
  3. ISE, through its RADIUS Server Sequence, proxies the request to the DUO Authentication Proxy.
  4. DUO Proxy validates the primary credentials against Active Directory using its [ad_client] section.
  5. On success, DUO Proxy calls DUO Cloud, which sends a push notification to the user's enrolled mobile device.
  6. User approves the DUO Push.
  7. DUO Cloud returns the result to DUO Proxy, which answers ISE with a RADIUS Access-Accept (or Access-Reject).
  8. ISE forwards the result to FTD.
  9. FTD establishes the VPN session and logs the session details.

Configuration Steps

1. FTD Configuration

  • In FMC, navigate to Objects > Object Management > AAA Server > RADIUS Server Group.
  • Add a new RADIUS Server Group with the ISE policy service node IP address and a shared secret. The same secret must be entered on ISE when the FTD is added as a Network Access Device.
  • Raise the group timeout (for example to 60 seconds) so the RADIUS request does not expire while the user is still approving the DUO Push; the default is too short for a push-based second factor.
  • Configure Remote Access VPN under Devices > VPN > Remote Access.
  • Select SSL VPN, assign the RADIUS Server Group as the AAA authentication method, and assign the IP pool, DNS servers, and AnyConnect package.
  • Enroll a certificate for the outside interface (self-signed or CA-issued; clients will warn on a self-signed certificate).
  • Deploy the configuration to the FTD.

2. ISE Configuration

  • Navigate to Administration > Network Resources > External RADIUS Servers.
  • Add the DUO Proxy as an external RADIUS server (IP address, authentication port 1812, and the shared secret that the proxy expects from ISE). Raise the server timeout so the push has time to complete before ISE gives up on the proxy.
  • Under RADIUS Server Sequences, create a sequence that includes the DUO Proxy.
  • Add the FTD as a Network Access Device (NAD) under Administration > Network Resources > Network Devices, using its IP address and the shared secret configured in the FMC RADIUS Server Group.
  • In the policy set that matches VPN requests from the FTD, select the RADIUS Server Sequence as the proxy so that ISE forwards authentication to DUO Proxy instead of authenticating the user locally.

3. DUO Configuration

  • Install the DUO Authentication Proxy (see the DUO Proxy Reference Guide).
  • Create a RADIUS application in the DUO Admin Panel and configure the proxy's [radius_server_auto] section with its integration key, secret key, and API hostname, plus the ISE IP address and the shared secret ISE will use.
  • Integrate DUO Proxy with Active Directory using an [ad_client] section (domain controller, service account, search base) and reference it as the client of the RADIUS section so primary authentication happens against AD.
  • Sync Active Directory users with DUO Cloud.
  • Enroll users via DUO Cloud (email enrollment or universal enrollment). Users who are not enrolled cannot complete the second factor, so plan enrollment before cutting over.
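The authproxy.cfg below is an added example that ties the three DUO bullets together; it is not DUO's shipped file or the page's own configuration. The hostnames, the service account, the ISE address 10.0.0.20, and the placeholder keys are assumptions to be replaced with your own values.

```ini
; Added example authproxy.cfg for the ISE -> DUO Proxy -> AD flow on this page.
; All hosts, accounts, keys and addresses are placeholders (assumed values).

[main]
; Leave off in production: debug output records usernames and request detail.
debug=false

; Primary authentication: the proxy checks the username/password against AD.
[ad_client]
host=dc1.example.local
host_2=dc2.example.local
service_account_username=svc_duoproxy
service_account_password=<service-account-password>
search_dn=DC=example,DC=local
; Optional: only members of this group may authenticate through the proxy.
security_group_dn=CN=VPN-Users,OU=Groups,DC=example,DC=local

; RADIUS listener that ISE proxies to. "auto" sends a push automatically
; after the AD password check succeeds.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=<duo-application-secret-key>
api_host=api-xxxxxxxx.duosecurity.com
; Only accept requests from the ISE node, and require its shared secret.
; radius_secret_1 must match the secret entered for this External RADIUS
; Server in ISE.
radius_ip_1=10.0.0.20
radius_secret_1=<shared-secret-entered-in-ISE>
client=ad_client
port=1812
; "secure" fails closed when DUO Cloud is unreachable. "safe" would let
; password-only logins through during a cloud outage, which defeats MFA.
failmode=secure
```

The proxy must be restarted after editing the file. On Windows installs, DUO's authproxy_passwd tool can replace the plaintext skey, service_account_password and radius_secret_1 entries with their *_protected equivalents so secrets are not stored in clear text in the config file.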

Validation Procedure

  1. Launch the Cisco AnyConnect client and connect to the FTD outside interface FQDN (or browse to it to download the client).
  2. Enter Active Directory credentials.
  3. Approve the DUO Push notification on the enrolled device.
  4. Confirm the tunnel comes up and the client receives an address from the configured IP pool.
  5. Verify the request in ISE (Operations > RADIUS > Live Logs) shows success and lists the DUO Proxy as the external server.
  6. Confirm the authentication in the DUO Admin Panel authentication log, including which factor was used.

Common Issues & Troubleshooting

  • Error 11368 (ISE asks you to review the external RADIUS server's logs): the DUO Proxy rejected the request. Check the proxy log for the actual reason, such as a wrong AD password, a user who is not enrolled, or a denied push.
  • Error 11353: ensure the shared secret matches between ISE and DUO Proxy. A request with the wrong secret is discarded by the proxy rather than rejected, so from ISE this looks like a timeout or a failed server rather than an Access-Reject.
  • No RADIUS sessions in ISE logs: verify that the FTD sends to the correct ISE address and is defined as a NAD in ISE, then verify the DUO Proxy and FMC RADIUS Server Group configurations.
  • For deeper troubleshooting, take a packet capture on ISE (Operations > Troubleshoot > Diagnostic Tools > TCP Dump), set debug=true in the [main] section of authproxy.cfg, and read the log in the DUO Authentication Proxy Manager (or authproxy.log on the proxy host). Turn debug off again afterwards.

Revision History

  • Version 2.0 – July 25, 2024 – Initial Release