Configure Cisco ASA AnyConnect VPN Two-Factor Authentication
General information
The article shows how to configure two-factor authentication for Cisco ASA AnyConnect client connections.
Available authentication methods:
SMS
Hardware OTP tokens
OTP applications: Google Authenticator or Yandex.Key
Telegram
Multifactor mobile application (soon)
Prerequisites: Install and configure MultiFactor Radius Adapter to allow two-factor authentication.
Operation Principle
- The user connects to the VPN with the AnyConnect client, entering a login and password;
- Cisco ASA forwards the credentials to the MultiFactor Radius Adapter component over the RADIUS protocol;
- The component verifies the login and password against Active Directory or Network Policy Server and then requests the second authentication factor;
- The user confirms the access request with the selected Multifactor authentication method (SMS, Telegram, push) or types a one-time passcode into the AnyConnect client; only then does the adapter return Access-Accept to the ASA.
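The exchange above is ordinary RFC 2865 RADIUS: the ASA sends an Access-Request with a PAP-encrypted User-Password, and a one-time code typed into AnyConnect travels as a second Access-Request carrying the State attribute from the adapter's Access-Challenge. The script below is an added example, not code from the MultiFactor project or from Cisco: it builds and checks these packets and drives both round trips against a constructed stand-in for the adapter (`stub_adapter`, with a hypothetical user table and OTP). The Response Authenticator check in `verify_response` is the step that fails when the shared key on the ASA does not match the one in the adapter settings.

```python
"""Minimal RFC 2865 RADIUS helpers modelling the ASA -> adapter exchange (PAP, Access-Challenge, State)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def pap_encrypt(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous cipher block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = bytearray(), req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def pap_decrypt(cipher: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of pap_encrypt; the adapter does this before checking the password against AD."""
    out, prev = bytearray(), req_auth
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(cipher[i:i + 16], mask))
        prev = cipher[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident, user, password, secret, state=None):
    """What the ASA sends: random Request Authenticator, PAP User-Password, State echoed back on step 2."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, pap_encrypt(password.encode(), secret, req_auth))]
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth


def build_response(code, ident, req_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body


def verify_response(packet: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Client-side check: a wrong shared key or a forged reply fails here and the ASA discards the packet."""
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    return hmac.compare_digest(hashlib.md5(header + req_auth + body + secret).digest(), resp_auth)


def stub_adapter(packet, secret, users, otp):
    """Constructed stand-in for the MultiFactor Radius Adapter (not the real product): step 1 checks the
    password and answers Access-Challenge + State; step 2 expects the State back and the OTP as password."""
    _code, ident, _length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:]))
    user = attrs[USER_NAME].decode()
    given = pap_decrypt(attrs[USER_PASSWORD], secret, req_auth)
    if STATE in attrs:  # second step: the one-time code typed into AnyConnect
        ok = attrs[STATE] == b"otp:" + user.encode() and hmac.compare_digest(given, otp.encode())
        return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [], secret)
    expected = users.get(user)
    if expected is None or not hmac.compare_digest(given, expected.encode()):
        return build_response(ACCESS_REJECT, ident, req_auth, [], secret)  # first factor wrong: no OTP prompt
    return build_response(ACCESS_CHALLENGE, ident, req_auth,
                          [(REPLY_MESSAGE, b"Enter one-time code"), (STATE, b"otp:" + user.encode())], secret)


def vpn_login(user, password, otp, secret, users, expected_otp):
    """Drives both round trips the way the ASA does and returns the final RADIUS code."""
    pkt, req_auth = build_access_request(1, user, password, secret)
    reply = stub_adapter(pkt, secret, users, expected_otp)
    if not verify_response(reply, req_auth, secret):
        raise ValueError("bad Response Authenticator: check the shared key")
    code, attrs = reply[0], dict(decode_attrs(reply[20:]))
    if code == ACCESS_CHALLENGE:  # AnyConnect shows Reply-Message and sends the OTP as the password
        pkt, req_auth = build_access_request(2, user, otp, secret, state=attrs[STATE])
        reply = stub_adapter(pkt, secret, users, expected_otp)
        if not verify_response(reply, req_auth, secret):
            raise ValueError("bad Response Authenticator: check the shared key")
        code = reply[0]
    return code


if __name__ == "__main__":
    SECRET, USERS = b"shared-key-from-adapter", {"alice": "Corr3ct-AD-passw0rd"}  # constructed sample data
    print(vpn_login("alice", "Corr3ct-AD-passw0rd", "123456", SECRET, USERS, "123456"))  # 2 (Access-Accept)
```

Two things worth noticing when debugging a real deployment: a wrong first factor is rejected without any second-factor prompt, so "no push arrives" usually means the AD password failed; and the second Access-Request is only produced after the user acts, which is why the ASA's RADIUS timeout has to cover that wait.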
Configure Cisco ASA
ASDM Configuration
- Select the connection profile that requires two-factor authentication;
- Click Edit -> Basic;
- In the Authentication section, click Manage;
- In the AAA Server Groups section, click Add;
- Create a new server group:
  - name: MFA Radius Servers
  - protocol: RADIUS
  Save and close.
- Next, create a new server within the group:
  - IP address: the address of the MultiFactor Radius Adapter component;
  - Server Secret Key: the Shared Key from the component settings;
  - Timeout: 40 seconds (the adapter answers only after the user has completed the second factor, so the default RADIUS timeout would expire while the user is still confirming the push, SMS or Telegram request);
  - Uncheck the Microsoft CHAPv2 Capable checkbox, so that the ASA sends the password as PAP rather than MS-CHAPv2.
  Save and close.
- Back in the Authentication section, select the MFA Radius Servers group as the AAA Server Group.
CLI Configuration
! Address pool handed to AnyConnect clients; defined first because the tunnel-group references it
ip local pool test 192.168.1.1-192.168.1.10 mask 255.255.255.0
! RADIUS server group pointing at the MultiFactor Radius Adapter
aaa-server MFA protocol radius
aaa-server MFA (inside) host 10.105.130.51
 key *****
 ! 40 seconds, as in the ASDM steps: the adapter replies only after the user completes the second factor
 timeout 40
 ! send PAP, not MS-CHAPv2 (same as unchecking "Microsoft CHAPv2 Capable" in ASDM)
 no mschapv2-capable
tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
 address-pool test
 authentication-server-group (inside) MFA
tunnel-group TEST webvpn-attributes
 group-alias TEST enable