
Configuring Cisco ASA AnyConnect VPN Two-Factor Authentication

General information

This article describes how to configure two-factor authentication for VPN connections made to a Cisco ASA with the AnyConnect client.

Possible authentication methods:

  • MultiFactor Mobile Application
  • SMS
  • Hardware OTP tokens
  • OTP applications: Google Authenticator or Yandex.Key
  • Telegram

To configure the second factor of authentication, you will need to install and configure the MultiFactor Radius Adapter.

Might be useful: the second factor can also be set up in dialogue mode with the user, i.e. interactively in the AnyConnect client at connection time.


Scheme of work

  1. The user connects to the VPN and enters the username and password in AnyConnect;
  2. Cisco ASA forwards the authentication request to the MultiFactor Radius Adapter component over the RADIUS protocol;
  3. The component checks the username and password against Active Directory or Network Policy Server and then requests the second authentication factor;
  4. The user confirms the access request on the phone or enters a one-time code in AnyConnect.
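The exchange in steps 2 to 4 is plain RFC 2865 RADIUS: the ASA sends an Access-Request carrying User-Name, a PAP-obfuscated User-Password and NAS-Identifier, and accepts a reply only if its Response Authenticator was computed with the shared secret. The following is an added example, not code from this article or from the MultiFactor Radius Adapter, that implements that round trip offline with the standard library. The shared secret, NAS identifier, directory entries and one-time code are constructed placeholders, and modelling the one-time-code prompt as an Access-Challenge/State pair is an assumption about the adapter's behaviour.

```python
"""Added example (not the adapter's code): minimal RFC 2865 RADIUS exchange with
PAP password obfuscation, Response Authenticator verification and a challenge leg.
All secrets, names and codes below are constructed placeholders."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, NAS_IDENTIFIER = 1, 2, 18, 24, 32


def pap_obfuscate(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous
    block); the first 'previous block' is the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_reveal(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_obfuscate: what the adapter does before checking AD/NPS."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        block = cipher[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Attribute layout: Type(1) Length(1, header included) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(user, password, nas_id, secret, ident=1, state=None):
    auth = os.urandom(16)  # Request Authenticator: fresh random bytes per request
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, pap_obfuscate(password.encode(), secret, auth)),
             (NAS_IDENTIFIER, nas_id.encode())]
    if state is not None:  # second leg of a challenge echoes State unchanged
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + auth + body


def build_response(code, request, secret, attrs=()):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret) -> bool:
    """Client side (the ASA's job): drop replies whose ID, length or authenticator is
    wrong, so an Access-Accept forged without the shared secret is ignored."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


class ToyAdapter:
    """Stand-in for the Radius Adapter: password against a fake directory, then an OTP leg."""

    def __init__(self, secret, directory, otp):
        self.secret, self.directory, self.otp = secret, directory, otp

    def handle(self, request):
        attrs = dict(decode_attrs(request[20:]))
        user = attrs[USER_NAME].decode()
        supplied = pap_reveal(attrs[USER_PASSWORD], self.secret, request[4:20])
        if STATE in attrs:  # second leg: the password field now carries the one-time code
            ok = attrs[STATE] == b"otp-pending" and hmac.compare_digest(supplied, self.otp)
            return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, self.secret)
        if self.directory.get(user) != supplied:
            return build_response(ACCESS_REJECT, request, self.secret,
                                  [(REPLY_MESSAGE, b"Invalid credentials")])
        return build_response(ACCESS_CHALLENGE, request, self.secret,
                              [(REPLY_MESSAGE, b"Enter one-time code"), (STATE, b"otp-pending")])


def login(adapter, secret, user, password, otp, nas_id="cisco-asa-placeholder"):
    """Drive the two-leg exchange as the ASA/AnyConnect pair does; returns the final code."""
    req = build_access_request(user, password, nas_id, secret, ident=7)
    resp = adapter.handle(req)
    if not verify_response(resp, req, secret):
        return None
    if resp[0] != ACCESS_CHALLENGE:
        return resp[0]
    state = dict(decode_attrs(resp[20:]))[STATE]
    req2 = build_access_request(user, otp, nas_id, secret, ident=8, state=state)
    resp2 = adapter.handle(req2)
    return resp2[0] if verify_response(resp2, req2, secret) else None


if __name__ == "__main__":
    secret = b"shared-secret-placeholder"
    adapter = ToyAdapter(secret, {"alice": b"Passw0rd!"}, otp=b"123456")
    print(login(adapter, secret, "alice", "Passw0rd!", "123456"))  # 2 = Access-Accept
```

Two points worth noticing: the shared secret is the only thing that stops a host on the path from forging an Access-Accept, which is why the ASDM and CLI steps below insist on the same secret on both sides; and because the password is only XOR-masked with MD5 keystream, the RADIUS leg between the ASA and the adapter should stay on a trusted inside network.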

Setting up Multifactor

  1. Go to the Multifactor management system, open the Resources section and create a new resource of the "Firewall" type - "Cisco";
  2. Fill in the “Name” and “Address” fields as you wish. The “Before checking the second factor” and “Language” parameters control whether a user who connects without a configured second factor can set it up directly in the AnyConnect client;
  3. After creation, two parameters become available: NAS Identifier and Shared Secret; you will need them in the following steps;
  4. Install and configure the MultiFactor Radius Adapter.

Configuring Cisco ASA

ASDM Configuration

  1. Select a connection that requires two-factor authentication;
  2. Click Edit -> Basic;
  3. In the Authentication section, click Manage;
  4. In the "AAA Server Groups" section, click Add;
  5. Create a new server group:
    • name: MFA Radius Servers
    • protocol: RADIUS
    • save and close
  6. Next, create a new server in the group:
    • IP address: address of the MultiFactor Radius Adapter component
    • Server Secret Key: the Shared Secret from the component settings
    • Timeout: 40 seconds
    • uncheck "Microsoft CHAPv2 Capable"
    • save and close.
  7. In the Authentication section, specify the "MFA Radius Servers" group for the AAA Server Group.

CLI Configuration

The same settings from the ASA command line. The `timeout` and `no mschapv2-capable` lines mirror the ASDM steps above (40-second timeout, "Microsoft CHAPv2 Capable" unchecked); the address pool is defined first so that `address-pool` can reference it.

! Address pool assigned to AnyConnect clients
ip local pool test 192.168.1.1-192.168.1.10 mask 255.255.255.0

! RADIUS server group pointing at the MultiFactor Radius Adapter
aaa-server MFA protocol radius
aaa-server MFA (inside) host 10.105.130.51
  key *****
  timeout 40
  no mschapv2-capable

tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
  address-pool test
  authentication-server-group (inside) MFA
tunnel-group TEST webvpn-attributes
  group-alias TEST enable
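To check the group before pointing a production tunnel-group at it, the ASA can send a test Access-Request itself. The commands below are an added example, not part of the original article; `<user>` and `<password>` are placeholders for a real directory account, and the test triggers a real second-factor request for that account.

```cisco
! Added example: verify the RADIUS server group from the ASA CLI
! Shows the server state and the configured timeout for the group
show aaa-server MFA
! Sends an Access-Request to the adapter with the given credentials
test aaa-server authentication MFA host 10.105.130.51 username <user> password <password>
```

A timeout on the test usually means the adapter is unreachable from the inside interface or the shared secret differs on the two sides, since RADIUS replies whose authenticator does not match are silently discarded; a reject with the correct password points at the directory or second-factor configuration instead.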
