
ASA VPN AnyConnect MFA Solutions

abtt-39
Level 1

Hello,

We have users connecting through the VPN (SSL VPN) with the AnyConnect client. I've been asked to look at possible solutions to add MFA authentication.

Currently, users log into the VPN with their LDAP account.
The ASA queries an internal RADIUS server (NPS) which links with our LDAP (Windows Active Directory) server.

Is there a solution integrated into the ASA? If not, what are the possible solutions?

6 Replies

balaji.bandi
Hall of Fame
In this video we will configure the Anyconnect Application within Azure AD enterprise applications for integration. We will assign HR1, IT1, and Sales1 users to the application. We will then move to the ASA and finalize the configuration and finish off with some testing I have included the ...

abtt-39
Level 1

Thanks balaji.bandi

And without Azure?
Is there an internal solution (not in the cloud)?

Any MFA option will require a third-party product. The most common ones are cloud-hosted (Cisco Duo, Microsoft Entra ID with Authenticator, Okta, etc. - those are probably 90% of the market). A few are available in self-hosted options (RSA SecurID comes to mind).

Not that I am aware of any MFA on prem - even if they are on prem, they are going to some connector to the cloud.

For example, SafeNet. You can build your own MFA using some open source (long way to go).

BB


There isn't one "in the ASA", it's all in what you point it at.
Old school was RSA, with a second RADIUS auth going to the RSA server for the fob.
Other options are:
SAML where 2 factor is set up (ADFS, DUO Single Sign On, Azure AD, etc.)
LDAP to an auth proxy for a 2 factor app, like DUO
RADIUS to an auth proxy for a 2 factor app, like DUO (this is basically what you're doing today, but you replace NPS with Duo Auth Proxy)

SecureAuth had an on-prem box, they've gone "hybrid" now.
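
The RADIUS option from the reply above (keep RADIUS on the ASA, replace NPS with Duo Auth Proxy), shown as an added configuration example that is not part of the original thread. All names, addresses and secrets are constructed placeholders; the interface name `inside`, the group name `MFA-PROXY` and the 192.0.2.x addresses are assumptions.

```text
! ---- ASA side (constructed names and addresses) ----
! RADIUS server group that points at the auth proxy instead of NPS.
! The longer timeout gives the user time to approve the second factor
! before the ASA gives up on the RADIUS request.
aaa-server MFA-PROXY protocol radius
aaa-server MFA-PROXY (inside) host 192.0.2.10
 key <radius-shared-secret>
 authentication-port 1812
 timeout 60
!
! Use the new server group for the AnyConnect connection profile.
tunnel-group <anyconnect-tunnel-group> general-attributes
 authentication-server-group MFA-PROXY

; ---- Duo Authentication Proxy side: authproxy.cfg ----
; Primary factor: the proxy checks the password against Active Directory.
[ad_client]
host=192.0.2.20
service_account_username=<service-account>
service_account_password=<password>
search_dn=DC=example,DC=com

; RADIUS listener the ASA talks to; the second factor goes through Duo.
[radius_server_auto]
ikey=<integration-key>
skey=<secret-key>
api_host=<api-hostname>
; Address of the ASA interface that sends the RADIUS requests.
radius_ip_1=192.0.2.1
radius_secret_1=<radius-shared-secret>
client=ad_client
port=1812
; safe   = let users in on the primary factor if Duo is unreachable
; secure = deny logins when the second factor cannot be checked
failmode=secure
```

The `failmode` choice is the main design decision here: `safe` keeps the VPN usable during an outage of the MFA service but silently drops to single-factor, while `secure` blocks remote access until the service is reachable again.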

Thank you for your answers. I will study these solutions, and I will probably come back later to ask questions.