https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344274#M93 <P>Hi Team,</P> <P>I'd like to check which two-factor authentication (2FA) options are currently supported by our Cisco firewalls ASA5525 and Cisco Security Manager (CSM)?</P> <P>&nbsp;</P> <P>Thank you</P> Tue, 04 Nov 2025 06:50:24 GMT MJ666 2025-11-04T06:50:24Z https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344274#M93 <P>Hi Team,</P> <P>I'd like to check which two-factor authentication (2FA) options are currently supported by our Cisco firewalls ASA5525 and Cisco Security Manager (CSM)?</P> <P>&nbsp;</P> <P>Thank you</P> Tue, 04 Nov 2025 06:50:24 GMT https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344274#M93 MJ666 2025-11-04T06:50:24Z https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344286#M94 <LI-CODE lang="markup">I'd like to check which two-factor authentication (2FA) options are currently supported by our Cisco firewalls ASA5525 and Cisco Security Manager (CSM)?</LI-CODE> <P>Can you please confirm 2FA for device admin for ASA or remote VPN ? Device admin yes you can do depends what code running. (check the admin guide)&nbsp; again depends on what Radius/TACACS you using.</P> <P><SPAN>Cisco Security Manager (CSM) - you can configure the same for Web GUI access.</SPAN></P> <P>&nbsp;</P> Tue, 04 Nov 2025 07:49:02 GMT https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344286#M94 balaji.bandi 2025-11-04T07:49:02Z https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344307#M96 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/286878">@balaji.bandi</a>&nbsp;,&nbsp;</P> <P>We are looking for various Admin and remote VPN solutions.<BR />The ultimate goal is to choose the best solution in both cases.</P> <P>I'm not sure I understand your comment “Cisco Security Manager (CSM) - you can configure the same for Web GUI access.”<BR />Could you elaborate, please?</P> <P>Best</P> Tue, 04 Nov 2025 09:43:44 GMT https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344307#M96 MJ666 2025-11-04T09:43:44Z https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344310#M97 <P>We usually rely on 2FA configuration on the external authentication server. For instance if you use ISE as the authentication server, then ISE can relay the 2FA request to the 2FA server instead of the ASA itself. However, you could also configure the ASA to send the 2FA request to the 2FA server directly, I'm not sure about CSM, I think it doesn't support that feature unless you configure an external authentication server.</P> Tue, 04 Nov 2025 09:47:27 GMT https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344310#M97 Aref Alsouqi 2025-11-04T09:47:27Z https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344313#M98 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/286878">@balaji.bandi</a>&nbsp; I'm using RADIUS authentication</P> Tue, 04 Nov 2025 10:02:37 GMT https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344313#M98 MJ666 2025-11-04T10:02:37Z https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344336#M101 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/286878">@balaji.bandi</a>&nbsp;&nbsp;</P> <P data-start="375" data-end="430">Thank you for your feedback.<BR data-start="403" data-end="406" />To clarify my request:</P> <UL data-start="436" data-end="767"> <LI data-start="436" data-end="573"> <P data-start="438" data-end="573">I’m referring to <STRONG data-start="455" data-end="516">two-factor authentication (2FA) for administrative access</STRONG> (SSH, ASDM, or CSM Web GUI), not for remote VPN users.</P> </LI> <LI data-start="576" data-end="767"> <P data-start="578" data-end="653">We would like to know <STRONG data-start="600" data-end="649">which 2FA mechanisms are officially supported</STRONG> on:</P> <OL data-start="658" data-end="767"> <LI data-start="658" data-end="708"> <P data-start="661" data-end="708"><STRONG data-start="661" data-end="706">Cisco ASA 5525 (running ASA version 9.16)</STRONG></P> </LI> <LI data-start="713" data-end="764"> <P data-start="716" data-end="764"><STRONG data-start="716" data-end="764">Cisco Security Manager (CSM version 11.5(4))</STRONG></P> </LI> </OL> </LI> </UL> <P data-start="770" data-end="783">Specifically:</P> <UL data-start="786" data-end="1201"> <LI data-start="786" data-end="1014"> <P data-start="788" data-end="1014">Does ASA natively support direct integration with 2FA providers (e.g., Duo, RSA SecureID, Microsoft Azure MFA, etc.), or must it always rely on an external RADIUS server such as Cisco Prime Infrastructure or ISE or Duo Authentication Proxy?</P> </LI> <LI data-start="1017" data-end="1198"> <P data-start="1019" data-end="1198">For CSM, can 2FA be directly configured for the Web GUI login, or is it only possible through integration with an external authentication server (e.g., LDAP or RADIUS with 2FA)?</P> </LI> </UL> <P data-start="1204" data-end="1323">A clear confirmation or documentation link for the <STRONG data-start="1255" data-end="1280">supported 2FA options</STRONG> for both ASA and CSM would be appreciated.</P> Tue, 04 Nov 2025 10:22:02 GMT https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344336#M101 MJ666 2025-11-04T10:22:02Z https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344341#M102 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/284594">@Aref Alsouqi</a>&nbsp;&nbsp;</P> <P data-start="375" data-end="430">Thank you for your feedback.<BR data-start="403" data-end="406" />To clarify my request:</P> <UL data-start="436" data-end="767"> <LI data-start="436" data-end="573"> <P data-start="438" data-end="573">I’m referring to <STRONG data-start="455" data-end="516">two-factor authentication (2FA) for administrative access</STRONG> (SSH, ASDM, or CSM Web GUI), not for remote VPN users.</P> </LI> <LI data-start="576" data-end="767"> <P data-start="578" data-end="653">We would like to know <STRONG data-start="600" data-end="649">which 2FA mechanisms are officially supported</STRONG> on:</P> <OL data-start="658" data-end="767"> <LI data-start="658" data-end="708"> <P data-start="661" data-end="708"><STRONG data-start="661" data-end="706">Cisco ASA 5525 (running ASA version 9.16 manage per CLI or CSM Weg GUI)</STRONG></P> </LI> <LI data-start="713" data-end="764"> <P data-start="716" data-end="764"><STRONG data-start="716" data-end="764">Cisco Security Manager (CSM version 4.29)</STRONG></P> </LI> </OL> </LI> </UL> <P data-start="770" data-end="783">Specifically:</P> <UL data-start="786" data-end="1201"> <LI data-start="786" data-end="1014"> <P data-start="788" data-end="1014">Does ASA natively support direct integration with 2FA providers (e.g., Duo, RSA SecureID, Microsoft Azure MFA, etc.), or must it always rely on an external RADIUS/TACACS+ server such as Cisco Prime Infrasrtucture** or Cisco ISE or Duo Authentication Proxy?</P> </LI> <LI data-start="1017" data-end="1198"> <P data-start="1019" data-end="1198">For CSM, can 2FA be directly configured for the Web GUI login, or is it only possible through integration with an external authentication server (e.g., LDAP or RADIUS with 2FA)?</P> </LI> </UL> <P data-start="1204" data-end="1323">A clear confirmation or documentation link for the <STRONG data-start="1255" data-end="1280">supported 2FA options</STRONG> for both ASA and CSM would be appreciated.</P> Tue, 04 Nov 2025 10:26:01 GMT https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344341#M102 MJ666 2025-11-04T10:26:01Z https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344351#M103 <P>On the ASA you can, however whether you configure the ASA to send the request directly to Duo or you pass through an external RADIUS server it won't change the fact that you will have to configure an external aaa server on the device. With regard to CSM, based on my knowledge it supports both RADIUS and TACACS.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/428/user/csm-user-guide-428/chapter48-configuring-device-administration-policies-on-firewall-devices.html" target="_blank">User Guide for Cisco Security Manager 4.28 - Configuring Device Administration Policies on Firewall Devices [Cisco Security Manager] - Cisco</A></P> <P><A href="https://help.duo.com/s/article/3160?language=en_US" target="_blank">How do I protect SSH logins to my Cisco ASA?</A></P> Tue, 04 Nov 2025 11:07:45 GMT https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344351#M103 Aref Alsouqi 2025-11-04T11:07:45Z https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344363#M104 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/284594">@Aref Alsouqi</a></P> <P>Thank you for the clarification.</P> <P data-start="1921" data-end="1953">So, to confirm my understanding:</P> <UL data-start="1959" data-end="2409"> <LI data-start="1959" data-end="2199"> <P data-start="1961" data-end="2199">On <STRONG data-start="1964" data-end="1987">ASA 5525 (ASA 9.16)</STRONG>:<BR data-start="1988" data-end="1991" />2FA is supported <STRONG data-start="2012" data-end="2063">through integration with an external AAA server</STRONG> (RADIUS or TACACS+) such as Cisco Prime Infrastructure 3.10.6. The ASA itself does not natively handle the second factor.</P> </LI> <LI data-start="2205" data-end="2406"> <P data-start="2207" data-end="2406">On <STRONG data-start="2210" data-end="2225">CSM 4.29</STRONG>:<BR data-start="2226" data-end="2229" />2FA for administrative (Web GUI) access can be achieved only <STRONG data-start="2294" data-end="2331">via RADIUS or TACACS+ integration</STRONG>, depending on the 2FA configuration of the external authentication server.</P> </LI> </UL> <P data-start="2412" data-end="2475">Could you please confirm that this interpretation is correct?</P> <P data-start="2481" data-end="2627">Also, if available, could you provide a Cisco reference confirming these integration models for ASA and CSM (for documentation or audit purposes)?</P> <P data-start="2481" data-end="2627">Best</P> Tue, 04 Nov 2025 11:28:51 GMT https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344363#M104 MJ666 2025-11-04T11:28:51Z https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344375#M105 <P>Yes, that's my understanding. I found these links that might be useful:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/428/user/csm-user-guide-428/chapter48-configuring-device-administration-policies-on-firewall-devices.html#con_747388" target="_blank">User Guide for Cisco Security Manager 4.28 - Configuring Device Administration Policies on Firewall Devices [Cisco Security Manager] - Cisco</A></P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/configuration/general/asa-916-general-config/admin-management.html" target="_blank">CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.16 - Management Access [Cisco Secure Firewall ASA] - Cisco</A></P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/asdm716/general/asdm-716-general-config/admin-management.html" target="_blank">ASDM Book 1: Cisco ASA Series General Operations ASDM Configuration Guide, 7.16 - Management Access [Cisco Firepower 4100 Series] - Cisco</A></P> Tue, 04 Nov 2025 11:50:04 GMT https://community.cisco.com/t5/secure-access-discussions/cisco-asa5525-2fa-solution/m-p/5344375#M105 Aref Alsouqi 2025-11-04T11:50:04Z