VPN - Using Two-Factor Authentication with Cisco Secure Client

Overview

VPN (Cisco Secure Client (formerly AnyConnect) and L2TP) enforces Duo NetID Two-Factor Authentication. Duo functions with VPN like it does with Infoblox (different from most other TAMU CAS sites): You will not be presented with options to choose Push, Call me, or Send me a passcode.

For troubleshooting Duo Two-Factor Authentication with Infoblox, visit KB0012880.

For information on how to set up Duo, visit KB0011794.

Different Methods of Duo Authentication

Push

The recommended method of logging into VPN with Duo is via the Push method. Push is the default method of secondary authentication in VPN. After entering your NetID and password and clicking Connect/Okay, a Push request will be sent to your default device with no further prompting. You can acknowledge this Push request as normal.

If you are not receiving a push notification by default, you can specify to send a push notification.

  1. Enter your NetID normally
  2. Enter your password
  3. Enter a comma immediately after your password
    1. Make sure there is not a space before or after the comma
  4. Type phone after the comma. This can be entered in upper, lower, or a mix of upper and lower case letters.
  5. You do not need to press Login. After you have confirmed your login attempt by push, the authentication process will automatically attempt to log you into the system


NOTE: Push is the only method available for providing Two-Factor authentication with L2TP.

YubiKey

To use a YubiKey USB token for two-factor authentication with VPN, you must enter your YubiKey one-time passcode as part of your password. To do this:

  1. Enter your NetID normally
  2. Enter your password
  3. Enter a comma immediately after your password
    1. Make sure there is not a space before or after the comma
  4. Press the contact pad on your YubiKey. You should see your password expand in the password field as the one-time passcode is entered
  5. You do not need to press Login. After your one-time passcode has been entered, the authentication process will automatically attempt to log you into the system.

Authentication Code

To use an authentication code for two-factor authentication with VPN, you must enter the one-time authentication code generated by the Duo Mobile app as part of your password. To do this:

  1. Enter your NetID normally
  2. Enter your password
  3. Enter a comma immediately after your password
    1. Make sure there is not a space before or after the comma
  4. Enter the authentication code generated by the Duo Mobile App. This code is generated by pressing the key icon next to the Texas A&M University entry.
  5. Press Login.

Phone

To use two-factor authentication via a phone call to your default phone number:

  1. Enter your NetID normally
  2. Enter your password
  3. Enter a comma immediately after your password
    1. Make sure there is not a space before or after the comma
  4. Type phone after the comma. This can be entered in upper, lower, or a mix of upper and lower case letters.
  5. You do not need to press Login. After you have confirmed your login attempt by phone, the authentication process will automatically attempt to log you into the system.

If you would like to make two-factor authentication by phone your default secondary authentication method, you can do so by removing and re-adding your phone to your account in Duo. This is also necessary if you switch to a new phone.

L2TP Authentication

Due to limitations with L2TP, using the Duo App Push feature is the only option that will work. You will not be able to use a YubiKey or either the Authentication Code or Phone authentication methods.

Locked Out of the VPN

If you fail to successfully log into the VPN too many times, you will become locked out. This commonly happens because a campus member is not seeing the Duo push notification being sent to their phone. This lock is only a soft lock, which means it will automatically lift after 20 minutes. Wait for the lock to lift, then try connecting again. Make sure to use your NetID and password, and have the Duo app opened up on your phone so you can accept the push notification.

Connection Error with Cisco Secure Client

If you are receiving a connection error when trying to log into Cisco Secure Client, there are a couple of troubleshooting tips you can try.

Directions

  • If you know your password is correct, try performing a password flush. This means changing your password to the same thing it already is (KB0014230)
  • If you have forgotten your credentials:
    • Reset your NetID password at password.tamu.edu. If you are not sure of your NetID, call Help Desk Central at 979.845.8300
  • You may also try uninstalling and reinstalling Cisco Secure Client.
  • If you are still having trouble, call Help Desk Central or make an appointment to visit them in person in the Computing Services Complex, CS00.

Login Failed Error

Below are some basic troubleshooting steps that will help you if you are receiving the error message "Login Failed" when trying to connect to the VPN.

  1. Make sure you are using your NetID, NOT your UIN.
    1. Your UIN may work on Howdy and other TAMU websites -- but when using the VPN, you must sign in using your NetID or it will not authenticate.
  2. Make sure you are authenticating with Duo correctly.
    1. The VPN uses push notifications by default and does not give you an indication the push notification has been sent. Have your Duo app opened whenever you log in so you do not miss the authentication request.
    2. If you do not have the Duo app or wish to authenticate another way, see the section above titled "Duo and VPN".
  3. If you are getting the "Login Failed" message IMMEDIATELY after trying to sign in, you should try a password flush. This means changing your password to the same thing it already is and helps push the password across TAMU servers.
  4. If you are still having trouble, call Help Desk Central at 979.845.8300 or make an appointment to visit them in person in the Computing Services Complex, CS00.

Change What Device Duo Calls

If you are trying to use the Texas A&M VPN and want to authenticate using your secondary device, please follow the directions below.

The VPN automatically sends a push notification to your primary device unless it is told otherwise.

  1. Enter your NetID normally
  2. Enter your password
  3. Enter a comma immediately after your password
    1. Make sure there is not a space before or after the comma. For example: password,phone2
  4. The Duo notification should now go to your secondary device.
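
The sections above all put the second factor in the password field as `password,factor`. The following added example (not TAMU's or Duo's code) sketches how an authentication front end could split that field and flag the stray-space mistake the steps warn about. Assumptions: the split is on the last comma, passcodes are 6 to 8 digits, a YubiKey one-time passcode is 44 modhex characters, and the function and type names are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# Assumed shapes (not stated on the page):
YUBIKEY_OTP = re.compile(r"[cbdefghijklnrtuv]{44}")   # modhex one-time passcode
PASSCODE = re.compile(r"\d{6,8}")                      # app-generated code
DEVICE_KEYWORD = re.compile(r"phone\d*", re.IGNORECASE)  # "phone", "phone2"

class Parsed(NamedTuple):
    password: str
    kind: str     # default | keyword | passcode | yubikey_otp | invalid
    factor: str

def classify(suffix: str) -> Optional[str]:
    """Return the factor type for the text after the comma, or None."""
    if DEVICE_KEYWORD.fullmatch(suffix):
        return "keyword"
    if PASSCODE.fullmatch(suffix):
        return "passcode"
    if YUBIKEY_OTP.fullmatch(suffix):
        return "yubikey_otp"
    return None

def parse_password_field(field: str) -> Parsed:
    """Split a VPN password field into the password and the appended factor."""
    head, sep, tail = field.rpartition(",")   # last comma: passwords may contain commas
    candidate = tail.strip()
    kind = classify(candidate) if sep else None
    if kind is None:
        # No comma, or the suffix is not a factor: whole field is the password
        # and the default device gets a Push.
        return Parsed(field, "default", "")
    if head != head.rstrip() or tail != candidate:
        # A factor was appended, but with a space before or after the comma.
        return Parsed(head.rstrip(), "invalid", candidate)
    return Parsed(head, kind, candidate.lower() if kind == "keyword" else candidate)

if __name__ == "__main__":
    # Constructed sample inputs; "hunter2" stands in for a real password.
    for sample in ["hunter2", "hunter2,phone2", "hunter2, phone", "hunter2,123456"]:
        result = parse_password_field(sample)
        print(f"{sample!r:20} -> {result.kind:8} {result.factor}")
```

Because the factor travels inside the password field, any component that logs or caches that field also captures the one-time passcode.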

Troubleshooting 2-Factor Authentication

Access to VPN with two-factor authentication may fail. Due to the implementation of Duo Two-Factor authentication and VPN's security settings, there are several points where authentication failure may occur.

Duo authentication request does not initiate and returns an invalid login message.

This is an indication the Duo authentication process itself is failing. An authentication failure will return a failed login message immediately. A delay of 60 seconds indicates there is a problem with Duo.

An invalid login message is returned immediately. A connection to Duo is not apparent.

This is an indication that Duo has temporarily locked your account. Temporary locks are 15 minutes in length and are triggered after seven failed login attempts using Duo.

The Cisco Secure Client or manual L2TP VPN configuration fails to connect.

It is possible that a problem has occurred with either the VPN software client or manual configuration. Information about TAMU's VPN, setup options, and various troubleshooting steps may be found here.

Additional Duo troubleshooting articles for iOS and Android applications.

Details

Article ID: 394
Created: Thu 5/2/24 10:57 AM
Modified: Wed 7/10/24 3:16 PM

Related Services / Offerings

The "VPN Support" Service Offering is for incidents to troubleshoot Virtual Private Network (VPN) connections.