Duo Two-Factor Authentication with LDAPS for Cisco ASA SSL VPN with Browser and Secure Client
Last Updated: February 24th, 2025
Direct LDAP connectivity to Duo for Cisco ASA reached the end of support on March 30, 2024 and reached end-of-life status on February 20, 2025. Customers may not create new Cisco ASA SSL VPN applications and users of existing LDAPS configurations may no longer authenticate.
The recommended migration path is to deploy Duo Single Sign-On for Cisco ASA with Secure Client to protect Cisco ASA with Duo Single Sign-On, our cloud-hosted identity provider featuring Duo Central and the Duo Universal Prompt.
Another alternative to direct LDAPS connections is adding Duo authentication to Cisco ASA using RADIUS and the Duo Authentication Proxy, for example, RADIUS with Automatic Push for Cisco ASA. See the "Related" links to the left to explore more RADIUS configurations.
Please visit the article Guide to end of life for the Duo LDAP cloud service (LDAPS) used to provide 2FA for Cisco ASA, Juniper Networks Secure Access, and Pulse Secure Connect Secure SSL VPN for further details, and review the Duo End of Sale, Last Date of Support, and End of Life Policy.
The instructions for this solution were removed on November 21, 2024. Customers who had this configuration deployed before then and need to refer to the original instructions to execute the migration to a supported solution may contact Duo Support.
Troubleshooting
Need some help? Take a look at the Cisco Frequently Asked Questions (FAQ) page or try searching our Cisco Knowledge Base articles or Community discussions. For further assistance, contact Support.
Network Diagram

- Cisco SSL VPN connection initiated
- Primary authentication to on-premises directory
- Cisco ASA connection established to Duo Security over TCP port 636
- User completes Duo two-factor authentication with their selected authentication factor, either via the interactive web prompt served from Duo's service or via text input to the ASA
- Cisco ASA receives authentication response
- Cisco SSL VPN connection established