This document provides an introduction to the self-service options available for Primary Administrators to control their users' authentication to Client-to-Site VPN endpoints and serves as an overview of those options for all users.

IMPORTANT: the feature described in this introductory article is specific to VPN authentication and is completely independent of the CloudControl UI Two Factor Authentication feature described by How to Enable or Disable SMS Two Factor Authentication to the Cloud UI for your Organization.

Content / Solution:

The self-service Multi-Factor VPN Authentication feature provides Primary Administrators with the ability to adjust a setting for their Organization, which controls how users authenticate to the Client-to-Site VPN endpoints. The setting applies to all users in the Organization at a specific Geographic Region. 

There are currently two options available and each Geographic Region will support one or both of these options subject to local availability:

  • Single-Factor VPN Access
  • Multi-Factor VPN Access

The Primary Administrator user can update the VPN Access setting for their Organization at a Geographic Region by selecting from the options available for the region. For details, please refer to How to Manage VPN Authentication for an Organization using the VPN Access setting.

Each Geographic Region has a default setting from the above set. The default setting applies to the users of all new Organizations and for each user added to any Organization subsequently. Existing Organizations will have their 

If a Primary Administrator changes the setting for their Organization at a Geographic Region, then that setting applies from that point onward for existing and new users at that specific Geographic Region. For example, a Primary Administrator could choose to have Multi-Factor Authentication enabled in the Europe Geographic Region while leaving Single-Factor Authentication in place in the North America Geographic Region.

Single-Factor VPN Access

Single-Factor VPN Access is the original mode of VPN authentication supported and is the default Geographic Region setting in the majority of locations. Single-Factor VPN Access consists of each user’s CloudControl username and password, and is used in conjunction with the Cisco AnyConnect VPN client to gain access to the relevant Client-to-Site VPN. For more information, please refer to How to Establish a Secure VPN Connection to Access your Cloud Network and Servers.

Single-Factor VPN Access is represented in CloudControl API interactions using the value “VPN_SINGLE_FACTOR”. Please refer to the API 2 documentation for more information.

Multi-Factor VPN Access

Multi-Factor VPN Access consists of each user’s CloudControl username and password and an additional authentication factor provided by the Duo application.

When the user wishes to connect to a Multi-Factor enabled VPN, they provide their CloudControl username and password as before on the Cisco AnyConnect login form. In addition, an extra field is displayed on the login form, into which the user enters the approach (e.g. "phone") that they want Duo to use to request an additional authentication factor. Duo independently contacts the user to request the additional authentication factor, and if the user provides a value that matches Duo's expectation, their login to the VPN is completed.

The impact on the login experience is minimal from the user's perspective, as can be seen from the step-by-step guide, How to Establish a Secure VPN Connection to Access your Cloud Network and Servers.

Duo Enrollment

In order to use Duo, users must first enroll with the service, which the VPN endpoint will prompt them to do if they are not already enrolled.

As part of enrollment, the User selects their preferred approach for an additional authentication factor from a set of options including a phone call, an SMS or a code generated by the Duo mobile application. For more information on Duo enrollment, please refer to How to Self-Enroll in Duo for Multi-Factor Authentication Access to Cloud VPN.

  • Enrollment applies across all Geographic Regions that are enabled for Multi-Factor authentication for an Organization. 
  • Users do not need to enroll with Duo separately for every Geographic Region enabled.
  • A user's enrollment with Duo expires after a 30-day period if unused.

Duo Status

Any User can check their own Duo status from within the CloudControl UI by accessing the Compute -> Account Management screen.

Similarly, a Primary Administrator User can check the Duo status for any of their Sub-Administrator Users by clicking through to the individual user's details screen from the user list on the Account Management screen. See Navigating the Account Management Dashboard as a Primary Administrator.

The Duo Status information displayed for a user will vary and can include the following:

  • Enrollment Status will be one of: 
    • Not Enrolled - the user is not enrolled with Duo.
    • Active - the user has a valid enrollment with Duo.
    • Locked Out - a user enters this status after 10 unsuccessful login attempts. After 90 minutes, the user is reset from Locked Out to Active and will be able to attempt to authenticate again.
  • Last Login - Date/time indicating when the user last logged in. It is only returned if the user is enrolled and has previously logged in.
  • Enrollment Expiry - Date/time indicating when the user's enrollment will expire if they do not log in again in the meantime. It is only returned if the user has a Last Login date. Enrollment Expiry equates to 30 days after the previous Last Login.

Additional Notes

Multi-Factor VPN Access is represented in CloudControl API interactions using the value “VPN_MULTI_FACTOR”. Please refer to the API 2 documentation for more information.
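
The rules above (per-region VPN Access values, the 30-day Enrollment Expiry and the 90-minute Locked Out reset) can be turned into a periodic audit. The following is an added example, not CloudControl code: the record layout, the field names (including `locked_out_at`) and the sample data are constructed assumptions, and the lockout reset is assumed to count from the moment of lockout; only the two API values and the status names come from this article.

```python
from datetime import datetime, timedelta

ENROLLMENT_LIFETIME = timedelta(days=30)  # Enrollment Expiry = Last Login + 30 days
LOCKOUT_RESET = timedelta(minutes=90)     # Locked Out resets to Active after 90 minutes

def audit_regions(region_settings):
    """Return the Geographic Regions still set to single-factor VPN access."""
    return sorted(r for r, v in region_settings.items() if v == "VPN_SINGLE_FACTOR")

def audit_user(user, now, warn_days=7):
    """Return findings for one user's Duo status record (hypothetical layout)."""
    findings = []
    status = user["enrollment_status"]
    if status == "Not Enrolled":
        return ["not enrolled with Duo"]
    if status == "Locked Out":
        # locked_out_at is an assumed field, not something the article lists
        reset = user["locked_out_at"] + LOCKOUT_RESET
        findings.append(f"locked out, resets to Active at {reset.isoformat()}")
    last_login = user.get("last_login")  # absent if the user never logged in
    if last_login is not None:
        expiry = last_login + ENROLLMENT_LIFETIME
        if expiry <= now:
            findings.append(f"enrollment expired on {expiry.date()}")
        elif expiry - now <= timedelta(days=warn_days):
            findings.append(f"enrollment expires on {expiry.date()}")
    return findings

def audit_users(users, now):
    """Map username -> findings, keeping only users that need attention."""
    report = {u["username"]: audit_user(u, now) for u in users}
    return {name: f for name, f in report.items() if f}

# Constructed sample data for illustration only.
NOW = datetime(2024, 3, 20, 12, 0)
REGIONS = {"Europe": "VPN_MULTI_FACTOR", "North America": "VPN_SINGLE_FACTOR"}
USERS = [
    {"username": "alice", "enrollment_status": "Active",
     "last_login": datetime(2024, 2, 22, 9, 0)},
    {"username": "bob", "enrollment_status": "Not Enrolled"},
    {"username": "carol", "enrollment_status": "Locked Out",
     "last_login": datetime(2024, 3, 19, 8, 0),
     "locked_out_at": datetime(2024, 3, 20, 11, 15)},
    {"username": "dave", "enrollment_status": "Active",
     "last_login": datetime(2024, 3, 18, 10, 0)},
]

if __name__ == "__main__":
    print("single-factor regions:", audit_regions(REGIONS))
    for name, findings in audit_users(USERS, NOW).items():
        print(name, "->", "; ".join(findings))
```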