Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
799
Views
4
Helpful
6
Replies

ASA VPN Any connect MFA Solutions

abtt-39
Level 1
Level 1

‎11-27-2023 07:30 AM

Hello,

We have users connecting through the VPN (SSL VPN) with the any connect client. I'm asked to look at possible solutions to add an MFA authentication.

Currently, users log into the VPN with their LDAP account.
the ASA queries an internal radius server (NPS) which links with our LDAP (Windows Active Directory) server.

Is there a solution integrated into the ASA? If not, what are the possible solutions?

Labels:
0 Helpful
6 Replies 6

balaji.bandi
Hall of Fame
Hall of Fame

‎11-27-2023 08:50 AM

You can use Azure MFA as below guide :

https://cloudexchangers.com/configuring-azure-mfa-for-cisco-vpn-using-the-nps-server/

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-nps-extension-vpn

https://sennovate.medium.com/implementing-cloud-azure-mfa-for-asa-vpn-and-cisco-anyconnect-f46eda98661b

 

Good videos :

https://www.youtube.com/watch?v=ORC0_0wsbQk

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

https://www.youtube.com/watch?v=ORC0_0wsbQk
youtube.com/watch?v=ORC0_0wsbQk
In this video we will configure the Anyconnect Application within Azure AD enterprise applications for integration. We will assign HR1, IT1, and Sales1 users to the application. We will then move to the ASA and finalize the configuration and finish off with some testing I have included the ...

abtt-39
Level 1
Level 1

‎11-28-2023 01:10 AM

thanks balaji.bandi

and without azure? 
Is there an internal solution (not in the cloud?)
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to abtt-39

‎11-28-2023 01:29 AM

Any MFA option will require a third party product. The most common ones are cloud-hosted (Cisco Duo, Microsoft Entra ID with Authenticator, Okta, etc. - those are probably 90% of the market). A few are available in self-hosted options (RSA SecureID come to mind).

balaji.bandi
Hall of Fame
Hall of Fame
In response to abtt-39

‎11-28-2023 08:30 AM

Not that i am aware any MFA on prem - even they are on prem, they going to some connector to Cloud

Like example Safenet. you can build own MFA using some opensource (long way to go)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Ken Stieers
VIP
VIP

‎11-28-2023 09:50 AM

There isn't one "in the ASA", its all in what you point it at.
Old school was RSA, with a second RADIUS auth going to the RSA server for the fob.
Other options are:
SAML where 2 factor is set up (ADFS, DUO Single Sign On, Azure AD, etc.)
LDAP to an auth proxy for a 2 factor app, like DUO
RADIUS to an auth proxy for a 2 factor app, like DUO (this is basically what you're doing today, but you replace NPS with Duo Auth Proxy)

SecureAuth had an on-prem box, they've gone "hybrid" now.

abtt-39
Level 1
Level 1
In response to Ken Stieers

‎11-30-2023 12:33 AM

thank you for your answers, I will study these solutions, I will probably come back later to ask questions

0 Helpful
Customers Also Viewed These Support Documents