The article shows how to configure two-factor authentication for Cisco ASA AnyConnect client connections.
Available authentication methods:
- Hardware OTP tokens
- OTP applications: Google Authenticator or Yandex.Key
- Multifactor mobile application (coming soon)
Prerequisites: Install and configure the MultiFactor Radius Adapter component so that it can perform two-factor authentication.
How the authentication works:
- The user connects to the VPN with the AnyConnect client using their login and password;
- Cisco ASA forwards the request to the MultiFactor Radius Adapter component over the RADIUS protocol;
- The component verifies the user's login and password against Active Directory or Network Policy Server and then requests the second authentication factor;
- The user confirms the access request with the selected Multifactor authentication method or enters a one-time passcode in the AnyConnect client.
Configure Cisco ASA
- Select the connection profile that requires two-factor authentication;
- Click Edit -> Basic;
- In the AAA Server Groups section, create a new server group:
  - Name: MFA Radius Servers
  - Protocol: RADIUS
  Save and close.
- Next, create a new server within the group:
  - IP address: the address of the MultiFactor Radius Adapter component;
  - Server Secret Key: the Shared Key from the component settings;
  - Timeout: 40 seconds;
  - Uncheck the Microsoft CHAPv2 Capable checkbox.
  Save and close.
- In the Authentication section, select the MFA Radius Servers group as the AAA Server Group.
The equivalent CLI configuration:
aaa-server MFA protocol radius
aaa-server MFA (inside) host 10.105.130.51
 key *****
tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
 address-pool test
 authentication-server-group (inside) MFA
tunnel-group TEST webvpn-attributes
 group-alias TEST enable
ip local pool test 192.168.1.1-192.168.1.10 mask 255.255.255.0
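The RADIUS exchange behind the flow described earlier (password to the adapter, Access-Challenge for the second factor, Access-Accept) and the role of the Server Secret Key configured above, as an added simulation that is not part of the original article and not the MultiFactor product's own code. Both sides are constructed stand-ins: `MfaRadiusServer` plays the adapter, `AsaRadiusClient` plays the ASA, and the user names, passwords, OTP values and shared key are all invented; the packet format follows RFC 2865, and the two-round challenge-response model is assumed to match how the real ASA and adapter interact.

```python
import hashlib
import hmac
import os
import secrets
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as RADIUS TLVs (type, length, value)."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    """Parse RADIUS TLVs back into a list of (type, value_bytes); reject truncated ones."""
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def pap_obfuscate(password, secret, req_auth, decrypt=False):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block if decrypt else out[-16:]  # chain on the ciphertext block either way
    return out


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret): a reply only a holder of the shared key can produce."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


class MfaRadiusServer:
    """Constructed stand-in for the MultiFactor Radius Adapter (hypothetical, not the product's code)."""

    def __init__(self, secret, passwords, otps):
        self.secret, self.passwords, self.otps = secret, passwords, otps
        self.pending = {}  # State value -> username whose second factor is still outstanding

    def handle(self, packet):
        code, ident, length = struct.unpack("!BBH", packet[:4])
        req_auth = packet[4:20]
        attrs = dict(decode_attrs(packet[20:length]))
        user = attrs[USER_NAME].decode()
        # User-Password carries the directory password on round one and the OTP on round two
        supplied = pap_obfuscate(attrs[USER_PASSWORD], self.secret, req_auth, decrypt=True).rstrip(b"\x00")
        state = attrs.get(STATE)
        if state is None:
            if not hmac.compare_digest(self.passwords.get(user, b""), supplied):
                reply = (ACCESS_REJECT, [(REPLY_MESSAGE, b"Invalid credentials")])
            else:
                state = secrets.token_bytes(8)
                self.pending[state] = user
                reply = (ACCESS_CHALLENGE, [(STATE, state), (REPLY_MESSAGE, b"Enter one-time passcode")])
        elif self.pending.pop(state, None) == user and hmac.compare_digest(self.otps.get(user, b""), supplied):
            reply = (ACCESS_ACCEPT, [])
        else:
            reply = (ACCESS_REJECT, [(REPLY_MESSAGE, b"Second factor failed")])
        rcode, rattrs = reply
        return build_packet(rcode, ident, response_authenticator(rcode, ident, req_auth, rattrs, self.secret), rattrs)


class AsaRadiusClient:
    """Plays the Cisco ASA role: sends Access-Request and verifies the Response Authenticator."""

    def __init__(self, secret):
        self.secret, self.ident = secret, 0

    def request(self, server, user, secret_text, state=None):
        self.ident = (self.ident + 1) & 0xFF
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, user.encode()),
                 (USER_PASSWORD, pap_obfuscate(secret_text.encode(), self.secret, req_auth))]
        if state is not None:
            attrs.append((STATE, state))  # echo the server's State to bind round two to round one
        resp = server.handle(build_packet(ACCESS_REQUEST, self.ident, req_auth, attrs))
        code, ident, length = struct.unpack("!BBH", resp[:4])
        rattrs = decode_attrs(resp[20:length])
        expected = response_authenticator(code, ident, req_auth, rattrs, self.secret)
        if ident != self.ident or not hmac.compare_digest(resp[4:20], expected):
            raise ValueError("Response Authenticator mismatch: wrong Server Secret Key or forged reply")
        return code, dict(rattrs)


def anyconnect_login(server, asa_secret, user, password, otp):
    """Two-round login: password first, OTP in answer to Access-Challenge. Returns the final RADIUS code."""
    asa = AsaRadiusClient(asa_secret)
    code, attrs = asa.request(server, user, password)
    if code == ACCESS_CHALLENGE:
        code, attrs = asa.request(server, user, otp, state=attrs[STATE])
    return code


if __name__ == "__main__":
    SECRET = b"constructed-shared-key"  # invented value, stands in for the component's Shared Key
    adapter = MfaRadiusServer(SECRET, {"alice": b"Passw0rd!"}, {"alice": b"123456"})
    print("good password + good OTP ->", anyconnect_login(adapter, SECRET, "alice", "Passw0rd!", "123456"))
    print("good password + bad OTP  ->", anyconnect_login(adapter, SECRET, "alice", "Passw0rd!", "000000"))
    try:
        anyconnect_login(adapter, b"wrong-key", "alice", "Passw0rd!", "123456")
    except ValueError as exc:
        print("mismatched Server Secret Key ->", exc)
```

Two points from the configuration steps become visible here. The second round only starts after the user has typed the OTP, so the RADIUS timeout has to cover that pause, which is why the server entry above uses 40 seconds rather than the default. And a wrong Server Secret Key does not produce a clean rejection: the adapter decrypts the password to garbage and answers with an authenticator computed under its own key, so the client-side verification fails and the reply is discarded, which in practice looks like an unresponsive server rather than bad credentials.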