Duo Two-Factor Authentication with LDAPS for Cisco ASA SSL VPN with Browser and Secure Client

Direct LDAP connectivity to Duo for Cisco ASA reached the end of support on March 30, 2024 and reached end-of-life status on February 20, 2025. Customers may not create new Cisco ASA SSL VPN applications and users of existing LDAPS configurations may no longer authenticate.

The recommended migration path is to deploy Duo Single Sign-On for Cisco ASA with Secure Client to protect Cisco ASA with Duo Single Sign-On, our cloud-hosted identity provider featuring Duo Central and the Duo Universal Prompt.

Another alternative to direct LDAPS connections is adding Duo authentication to Cisco ASA using RADIUS and the Duo Authentication Proxy, for example, RADIUS with Automatic Push for Cisco ASA. See the "Related" links to the left to explore more RADIUS configurations.

Please visit the article Guide to end of life for the Duo LDAP cloud service (LDAPS) used to provide 2FA for Cisco ASA, Juniper Networks Secure Access, and Pulse Secure Connect Secure SSL VPN for further details, and review the Duo End of Sale, Last Date of Support, and End of Life Policy.

The instructions for this solution were removed on November 21, 2024. Customers who had this configuration deployed before then and need to refer to the original instructions to execute the migration to a supported solution may contact Duo Support.