
Cisco AnyConnect VPN using MFA

The Cisco AnyConnect VPN client requires Multi-Factor Authentication. The steps provided in this guide will walk you through the supported Duo MFA authentication methods for use with the Cisco AnyConnect VPN client.

Login Walkthrough

Cisco AnyConnect Login

  1. Open the Cisco AnyConnect VPN Client. Under “Ready to Connect”, enter “https://sslvpn.uvm.edu/duo”, then click “Connect”.
  2. Log in with your NetID credentials.
  3. When prompted, select your preferred Duo-enrolled device, then choose your desired Multi-Factor Authentication method (Send me a Push, Call Me, or Enter a Passcode).

If you do not already have a device enrolled in Duo, you will be prompted to add one.


A descriptive list of supported MFA Methods is provided below.

MFA Methods

Duo Mobile App

Push

  1. Select the Send Me a Push option.
  2. Open the Duo Mobile app on your device and approve the request.
  3. Upon successful authentication, you will receive the “Welcome to SSLVPN” banner. Click “Accept” to close the banner.

Generated Passcode

  1. Select the Enter a Passcode option.
  2. Open the Duo Mobile app on your device. Tap the University of Vermont entry. This will generate a six-digit passcode.
  3. Enter the generated passcode into the text field, then click the “Log In” button.
  4. Upon successful authentication, you will receive the “Welcome to SSLVPN” banner. Click “Accept” to close the banner.

Telephony

SMS Text Message

  1. Select the Enter a Passcode option.
  2. If you need a new list of passcodes, click the “Text me new codes” button. If you already have codes, continue to step 3.
  3. Enter a passcode into the text field, then click the “Log In” button.
  4. Upon successful authentication, you will receive the “Welcome to SSLVPN” banner. Click “Accept” to close the banner.

Phone Call

  1. Select the Call Me option.
  2. You will receive a call on the specified device. Answer the call and press any key to approve the authentication.
  3. Upon successful authentication, you will receive the “Welcome to SSLVPN” banner. Click “Accept” to close the banner.

Other

Offline Codes

You must have a physical device (smart phone, landline, tablet, YubiKey) enrolled in Duo in order to use Offline Codes.

  1. Select the Enter a Passcode option.
  2. Enter your next unused offline code in the text field, then click “Log In”.
  3. Upon successful authentication, you will receive the “Welcome to SSLVPN” banner. Click “Accept” to close the banner.

YubiKey

  1. Select the Enter a Passcode option.
  2. Insert your YubiKey hardware token into a USB port on your device.
  3. Click into the text field, then press the brass contact on your YubiKey.
  4. Upon successful authentication, you will receive the “Welcome to SSLVPN” banner. Click “Accept” to close the banner.

Troubleshooting

The above error is most often seen when using an outdated Cisco AnyConnect client. The current version of Cisco AnyConnect is version 4.7 (July 15, 2019).

To upgrade to the newest version of Cisco AnyConnect, please see this guide.

Enroll a device in Duo

Cisco AnyConnect requires a physical device to be enrolled in Duo. Offline codes cannot be used as the primary means of MFA via the VPN.

  1. If you receive the following message after authenticating with your UVM NetID, you will need to enroll a device in Duo.
  2. After enrolling a device in Duo, log in to the Cisco AnyConnect client using the steps above.

 

Updated on August 21, 2019
