VPN: Using Duo Append Mode with Cisco AnyConnect

Certain Departmental Pools, Full Tunnel VPN, and Split Tunnel VPN Pools require Two Factor Authentication (2FA) through Duo Security to connect. Since the Cisco AnyConnect application does not support the inline Duo Prompt to choose your authentication method, this is handled with the Duo Append Mode. 

Append Mode by default will send a push notification to a your default device, but allows you to choose from our other supported 2FA methods including a passcode, phone call, and push to other devices.

Using Duo 2FA with Cisco AnyConnect

  1. Launch the Cisco AnyConnect Secure Mobility Client. 
  2. Choose the appropriate VPN Pool from the drop-down menu and click Connect.
    • The available choices should be, "UMN - Departmental Pools", "UofM Full Tunnel", and "UMN - Split Tunnel - General Access VPN Pool".
  3. A separate window should open, prompting for your Username and Password.
    • Username: Internet ID
    • Password: Internet Password
  4. To use the default authentication method (a push to your default device):
    • Enter your information and click OK. A Duo Security push will automatically be sent to your default Duo device.
  5. To use any other method for authentication, please consult the table below.
    • The format is as follows, [Internet ID Password],[Type], i.e. comma separated with no additional spaces.
    • If you have multiple devices registered, you may add a number to the end to dictate which device will be used.
       
      This table outlines the Duo Append Mode choices, shows specific examples, and outlines the intended action.
       Type Example  To...
      passcode password,123456 Login using a passcode generated in Duo Mobile, by a token, or generated Bypass Codes.
      push

      password,push

      password,push2

      Push a login request to your device of choice.
      phone

      password,phone

      pasword,phone3

      Authenticate with a phone callback to your phone of choice.
    • In the table, ˜push2' and 'phone3', would send a push request to the second phone in your list of registered Duo Devices and a phone call to the third.
  6. With successful authentication, the Cisco AnyConnect application should have a message at the top, "Connected to [VPN Pool]" based on which VPN Pool was chosen. 
  7. To disconnect and end the connection, simply click Disconnect.

 

 

TDX ID
3511