System Flow for Duo LDAP Secondary Authentication

The following graphic shows how threat defense and Duo work together to provide two-factor authentication using LDAP.

Following is an explanation of the system flow:

  1. The user makes a remote access VPN connection to the FDM-managed device and provides username and password.

  2. The FDM-managed device validates this primary authentication attempt against the primary authentication server, which can be Active Directory or RADIUS.

  3. If the primary authentication succeeds, the FDM-managed device sends a request for secondary authentication to the Duo LDAP server.

  4. Duo then authenticates the user separately, through push notification, text message with a passcode, or a telephone call. The user must complete this authentication successfully.

  5. Duo responds to the FDM-managed device to indicate whether the user authenticated successfully.

  6. If the secondary authentication was successful, the FDM-managed device establishes a remote access VPN connection with the user’s AnyConnect client.
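As an added illustration (not Cisco or Duo code), the following Python models the six steps above as a fail-closed chain: the Duo LDAP server is contacted only after the primary server accepts the credentials, and the VPN session is established only when both factors pass. The callback names, the sample user directory, and the decision to deny when either server is unreachable are assumptions of this model, not something the page states.

```python
from dataclasses import dataclass, field
from typing import Callable, List

# Callback types (assumed for this model): the primary server (AD/RADIUS)
# checks username+password; the Duo LDAP server runs the out-of-band factor
# (push, passcode, or call) for that user. Both return True on success; an
# exception models an unreachable server.
PrimaryAuth = Callable[[str, str], bool]
SecondaryAuth = Callable[[str], bool]

@dataclass
class VpnAuthResult:
    allowed: bool
    trace: List[str] = field(default_factory=list)  # one entry per step reached

def vpn_login(username: str, password: str,
              primary: PrimaryAuth, duo: SecondaryAuth) -> VpnAuthResult:
    """Model of the FDM flow: primary auth first, then Duo; deny on any failure."""
    r = VpnAuthResult(allowed=False)
    r.trace.append("step1: credentials received for %s" % username)
    try:
        if not primary(username, password):
            r.trace.append("step2: primary auth failed; Duo not contacted")
            return r
    except Exception as e:
        r.trace.append("step2: primary server error (%s); denied" % e)
        return r
    r.trace.append("step3: primary ok; secondary request sent to Duo LDAP")
    try:
        ok = duo(username)          # steps 4-5: Duo verifies and responds
    except Exception as e:
        r.trace.append("step5: Duo unreachable (%s); denied (fail closed)" % e)
        return r
    if not ok:
        r.trace.append("step5: Duo reported secondary auth failure; denied")
        return r
    r.trace.append("step6: both factors passed; VPN session established")
    r.allowed = True
    return r

# Constructed sample directory and Duo responses so the model runs stand-alone.
_USERS = {"alice": "correct horse", "bob": "hunter2"}
def demo_primary(u, p): return _USERS.get(u) == p
def demo_duo(u): return u == "alice"   # only alice approves the Duo push

if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("bob", "hunter2"), ("alice", "wrong")]:
        print(user, vpn_login(user, pw, demo_primary, demo_duo))
```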