Duo / Authenticate with VPN

Objective

• To provide instruction on how to authenticate to VPN with Duo
• To provide instruction on authenticating with a second passcode to VPN

Scope

• Duo Security is Miami University's system-wide two-factor authentication security application

User

• All current Miami University Students, Faculty, and Staff

Environment

• 312306: Duo Security Two-factor Authentication
• 10393: VPN AnyConnect Client
  • Cisco AnyConnect VPN

Rationale

• Two-factor authentication adds a second layer of security to your Miami account. It allows you to verify your identity using a second factor (second passcode) — your smartphone or other mobile device, or YubiKey U2F device — and prevents anyone else from logging in to your account

Resolution 

• Important Notes:
  • The first time you use the VPN with Duo, you must enter your Duo code within 12 seconds due to an unchangeable setting in the VPN. If there is latency in generating the code, you may miss this window. For this reason, we recommend that you generate an SMS passcode or a passcode via the Duo app prior to attempting to connect to the VPN, and then use the If you prefer to use a passcode, enter... method below for your first connection. After your first successful connection, the default setting will be changed to 60 seconds and any of the options listed below should work for you.
  • If your MUnet password contains a comma, you will need to change your password to something that does not contain a comma in order to successfully authenticate in to VPN. VPN authentication with Duo uses a comma after a person's password to denote either a Duo passcode or the method of Duo authentication to be used
    • If you don't have Duo Mobile installed on a device, a comma is required followed by your preferred Duo method. Using a comma after the password will allow the following options: push2, passphrase, sms, and sms2. Example: 'password,[Duo option]'
  • If you intend to use a Yubikey when authenticating with Duo to VPN, you must have the YubiKey configured by a Duo Administrator in the Duo Admin console. Contact ITHelp by phone 513-529-7900 or live chat with ITHelp and request to have your YubiKey token configured for use with VPN. Provide these three pieces of information about your YubiKey — the serial number, private identity, and secret key — which you will find in the YubiKey personalization tool

Associated Procedure

1. Launch the Cisco AnyConnect client and select the desired VPN
2. Click connect and provide your UniqueID
   • Entering the password will generate a Duo push to your installed Duo mobile app on your first enrolled device — this is the default behavior for Duo and VPN
3. If you don't have Duo Mobile installed on a device or you prefer a different authentication method, a comma is required followed by your preferred Duo method:
   • If you prefer to use a hardware token (like a Yubikey), enter your password followed by a comma (','), touch your hardware token and then click OK
   • If you prefer to use a passcode, enter your password followed by a comma (','), enter a passcode, and click OK
   • If you prefer to use a passcode, but need a passcode, enter your password followed by a comma (',') followed by the word sms (or sms2 if you want the passcode to be sent to your secondary phone device) and then click OK. The current login will fail, but you will be sent passcodes to your device that can be used on the next login attempt
   • If you prefer to have a push sent to your secondary device, enter your password followed by a comma (',') followed by the word push2 and then click OK