The Cisco AnyConnect VPN client requires Multi-Factor Authentication. The steps provided in this guide will walk you through the supported Duo MFA authentication methods for use with the Cisco AnyConnect VPN client.
- If you do not already have the Cisco AnyConnect software installed on your computer, please see this guide.
- If you need to enroll a device in Duo Multi-Factor Authentication, please see this guide.
Login Walkthrough
Cisco AnyConnect Login
- Open the Cisco AnyConnect VPN Client. Under “Ready to Connect”, enter “https://sslvpn.uvm.edu/duo“, then click “Connect”
- Log in with your NetID credentials.
- When prompted, select your preferred Duo enrolled Device, then choose your desired Multi-Factor Authentication method (Send me a Push, Call Me, or Enter a Passcode).
If you do not already have a device enrolled in Duo, you will be prompted to add one.
A descriptive list of supported MFA Methods is provided below.
MFA Methods
Duo Mobile App
Push
- Select the Send Me a Push option.
- Open the Duo Mobile app on your device and approve the request.
- Upon successful authentication, you will receive the “Welcome to SSLVPN” banner. Click “Accept” to close the banner.
Generated Passcode
- Select the Enter a Passcode option.
- Open the Duo mobile app on your device. Tap the University of Vermont entry. This will generate a six-digit passcode.
- Enter the generated passcode into the text field, then click the “Log In” button.
- Upon successful authentication, you will receive the “Welcome to SSLVPN” banner. Click “Accept” to close the banner.
Telephony
SMS Text Message
- Select the Enter a Passcode option.
- If you need a new list of passcodes, click the “Text me new codes” button. If you already have codes, continue to step 3.
- Enter a passcode into the text field, then click the “Log In” button.
- Upon successful authentication, you will receive the “Welcome to SSLVPN” banner. Click “Accept” to close the banner.
Phone Call
- Select the Call Me option.
- You will receive a call on the specified device, answer the call and press any key to approve the authentication.
- Upon successful authentication, you will receive the “Welcome to SSLVPN” banner. Click “Accept” to close the banner.
Other
Offline Codes
You must have a physical device (smart phone, landline, tablet, YubiKey) enrolled in Duo in order to use Offline Codes.
- Select the Enter a Passcode option.
- Enter your next, unused offline code in the text field, then click “Log In”
- Upon successful authentication, you will receive the “Welcome to SSLVPN” banner. Click “Accept” to close the banner.
YubiKey
- Select the Enter a Passcode option.
- Insert your YubiKey hardware token into a USB port on your device.
- Click into the text field, then press the brass contact on your YubiKey.
- Upon successful authentication, you will receive the “Welcome to SSLVPN” banner. Click “Accept” to close the banner.
Troubleshooting
Error: Single Sign-on Cookie
The above error is most often seen when using an outdated Cisco AnyConnect Clinet. The current version of Cisco AnyConnect is version 4.7 (July 15, 2019).
To upgrade to the newest version of Cisco AnyConnect please see this guide.
Enroll a device in Duo
Cisco AnyConnect requires a physical device to be enrolled in Duo. Offline-codes cannot be used as the primary means of MFA via the VPN
- If you receive the following message after authenticating with your UVM NetID, you will need to enroll a device in Duo.
- After enrolling a device in Duo, login to the Cisco AnyConnect client using the steps above.
