topic Re: HTTPS Flow Authentication through an ASA using Google Authenticato in Network Access Control

HTTPS Flow Authentication through an ASA using Google Authenticator

jamesholley — Tue, 07 Jan 2025 15:42:58 GMT

Hello all

We are looking to set up on Cisco ASA the following flow.

We are using ssl vpn, and wanted to enforce new connections in from the outside using AAA, and sending the authentication request from the ASA to a back end server running RADUIS and using Google authenticator to provide 2FA for new connections.

Just looking for some guidance as to whether this is possible and whether anyone else has set up something similar.

Thanks in advance

James

Re: HTTPS Flow Authentication through an ASA using Google Authenticato

ccieexpert — Tue, 07 Jan 2025 16:27:04 GMT

Yes it is possible. The big question is what is your identity source ? where do you have the users defined ? If you have MS365/ENTRA, then it comes with free MS authenticator, then i would go that path.. or another identity source, it may be best to use that, unless you want to create each user on the radius server and enable 2FA.. i have done it with freeradius and google authenticator.

Here is a example :

https://networkjutsu.com/freeradius-google-authenticator/

he has a article for newer version 3.x of freeradius...

i would not recommend it unless you have no other identity source such as Entra/Azure or google workspace or any other identity source that has MFA capabilities.

**If that was useful , Please rate as helpful**

Re: HTTPS Flow Authentication through an ASA using Google Authenticato

ahollifield — Tue, 07 Jan 2025 21:03:59 GMT

Yes but why not use SAML? Why use RADIUS at all here?

Re: HTTPS Flow Authentication through an ASA using Google Authenticato

ccieexpert — Tue, 07 Jan 2025 21:22:10 GMT

Yes SAML if they have a IDP, otherwise you have to use radius with google authenticator.

Re: HTTPS Flow Authentication through an ASA using Google Authenticato

MHM Cisco World — Wed, 08 Jan 2025 16:33:09 GMT

https://www.petenetlive.com/KB/Article/0001256?amp=1

Check this

MHM

Re: HTTPS Flow Authentication through an ASA using Google Authenticato

MadAxeman1 — Wed, 08 Jan 2025 20:42:24 GMT

Hi community,

I can confirm that this worked, we don't have any other option to use any IDP so RADIUS & GAuth is all we can use as far as I can see..

Thanks PeteNet but we are not using AnyConnect

Re: HTTPS Flow Authentication through an ASA using Google Authenticato

ccieexpert — Wed, 08 Jan 2025 22:10:17 GMT

ok you didnt answer my questions.. where are the users today ? are they on on prem AD or somewhere else ? radius and google auth by itself will require you to create users locally which is ok, but i assume you already have another identity source right ?