Revolutionizing Cisco VPN Access with Duo SSO
Secure Cisco VPN logins in less than an hour
Authenticate users in seconds
Verify user + device posture
Block unmanaged devices
Mitigate modern security threats with phishing-resistant authentication
Join the thousands of Cisco firewall customers who protect Cisco VPN logins with Cisco Duo Single Sign-On via SAML 2.0 to help prevent unwanted access and streamline the user experience. Cisco Duo is a leading access management platform that protects access to all applications, for any user and device, from anywhere. It is designed to be easy to use, administer, and deploy while providing complete endpoint visibility and control.
10 reasons to move to Duo SSO with Cisco VPN
The following functionality is only available using the Duo Universal Prompt and protecting Cisco Firewalls with SAML 2.0. Duo will continue to invest in our focused security principles through the Duo Universal Prompt, so be sure to keep an eye out for new policy improvements.
Passwordless — Duo Passwordless uses passkeys and platform authenticators, security keys from access devices, or Duo Push to secure application access without passwords, reducing the risk surface and administrative burden associated with passwords while improving the user experience
Verified Duo Push — Asks users to verify push requests to mitigate the risk of push harassment attacks
Trusted Endpoints — Block untrusted/unwanted devices from accessing your corporate VPN
Risk-Based Authentication — Reduces user friction and improves security by analyzing risk signals and automatically stepping up authentication only when necessary
Built-In Security — Universal Prompt utilizes OpenID Connect and moves away from using iFrames, which eliminates the need for the additional security configurations (allowed hostnames) that are recommended with the Traditional Prompt
Self-Service Portal — Admins can securely enable the new Duo-hosted self-service portal by enforcing policies and requiring strong authentication, empowering users to self-enroll and manage their authentication devices
Improved User Experience — Universal Prompt is a major redesign with new styling and workflow-based authentication experience, such as last-used authentication method and more
Localization — Includes support for 15 languages, with more to come
Customization and Branding — Allows admins to give users a familiar and trusted experience
Accessibility — Makes strong authentication inclusive and easy for every user. Universal Prompt is designed and tested to meet Web Content Accessibility Guidelines (WCAG) 2.1 at the AA level
Cisco VPN User Login Experience: SAML 2.0 vs. RADIUS
Cisco Adaptive Security Appliance (ASA) and Cisco Firepower are two of the most common VPN solutions on the market today. Given this, Cisco Duo hosts a wide range of customers leveraging the Duo Trusted Access platform to protect their Cisco Secure Client logins. Today, many of these customers utilize an aging legacy integration that leverages the RADIUS protocol. This integration provides an end-user experience that is an automatic Duo Push or Duo Phone Callback (if enabled by a Duo Administrator) but leaves a lot to be desired (and lacks the ability to deploy modern access and security policies to all logins).
Cisco VPN RADIUS experience:
Instead of the legacy experience, you have the power to simplify trusted access across your organization by moving from a legacy integration method like RADIUS to Duo SSO. Duo SSO enables organizations to deploy simple but granular zero trust security policy per app or group, including passwordless, phishing-resistant authentication (verified push and/or passkeys), device trust (trusted endpoints), risk-based authentication (RBA), contextualized access policies, user self-remediation, and much more.
Below is an example of the Cisco Duo SSO experience for Cisco VPNs:
The experience and capabilities enabled by a modern Duo SSO protected login are highlighted in the section below.
How to protect & modernize Cisco VPN logins with Duo
Review prerequisites for Cisco ASA or Firepower
Configure Duo Single Sign-On
Connect Cisco ASA or Cisco Firepower via SAML 2.0 to Duo SSO
Create Duo Policy requirements for Cisco ASA or Cisco Firepower by application or group
Validate the sign-in experience and test with a pilot group
Ramp up security without sacrificing productivity
Duo SSO quickly connects to your identity provider of choice and integrates with any SAML or OIDC application, with dedicated integrations for Microsoft 365, Citrix NetScaler, Palo Alto Networks, SonicWall, Salesforce, Cisco Webex, and many others.
With Cisco Duo Single Sign-On, you can easily grant frictionless access to applications while simultaneously enforcing strong zero trust measures across applications, people, and devices. As hybrid and mobile workforces continue to grow, establishing a seamless way to manage multiplying endpoints will streamline security operations and minimize your attack surface.
Start closing your cybersecurity readiness gap. Contact Cisco Duo today.