Configure 2FA for ASDM on ASA 5512-X

I have been trying to configure 2FA for the ASDM UI for our ASA 5512-X. There has been no success, and it seems that there is no software solution. Yes, there is 2FA for AnyConnect and for VPN, but not for an administrator using ASDM. This is something that is being pushed for security reasons, of course. Is there anyone who knows how to do it natively, or is there a 3rd-party software application that can do the job?
Thank you,

Robert

Re: Configure 2FA for ASDM on ASA 5512-X

Hi,

We use Azure MFA Server, and the configuration is near-identical to creating a RADIUS configuration on NPS. On the ASA, define your RADIUS servers, which in our case is the MFA server, i.e.

aaa-server RADIUS (inside) host x.x.x.x
 timeout 60
 key xxxxx

We increase the timeout value to cater for user input of their preferred MFA method: phone call, SMS, or app.

Configure the AAA statements:

aaa authentication ssh console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL
aaa authentication http console RADIUS LOCAL

On the MFA server you need to define the client (the ASA) and what AD group etc. an admin is a member of. You may wish to define other RADIUS attributes. That's about it. You can test via the CLI with the below:

test aaa-server authentication RADIUS host x.x.x.x username xxxx password xxxxx

Joel
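To make the timeout point in Joel's reply concrete, here is an added example (not from the original post, and not Cisco or Microsoft code) that simulates the RFC 2865 Access-Request / Access-Accept exchange between the ASA and an MFA RADIUS server in plain Python: PAP User-Password hiding, the Request and Response Authenticators, and a server that holds the request open while the user answers the second factor. The shared secret, user table, addresses and delays are all made up; elapsed time is a number passed back by the fake server, not a real sleep, so the block runs offline.

```python
"""Simulated RADIUS exchange between a NAS (the ASA) and an MFA server.

Added example, not code from the original thread. It shows why the
aaa-server `timeout` above is raised: the MFA server cannot answer until
the user approves the push/call/SMS, so the NAS must wait at least that
long. Secrets, users and delays below are constructed for the demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], _md5(secret + prev))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the chain runs over the received ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, _md5(secret + prev))
        prev = block
    return out.rstrip(b"\x00")


def encode_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) followed by TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode_packet(data: bytes):
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = struct.unpack("!BB", data[pos:pos + 2])
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs=()) -> bytes:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    raw = encode_packet(code, ident, request_auth, list(attrs))
    return raw[:4] + _md5(raw + secret) + raw[20:]


class MfaRadiusServer:
    """Constructed stand-in for the MFA server. `users` maps name -> (password,
    second factor approved?); `mfa_delay` is how many seconds the server holds
    the request while the user answers the push, call or SMS."""

    def __init__(self, secret: bytes, users: dict, mfa_delay: float):
        self.secret, self.users, self.mfa_delay = secret, users, mfa_delay

    def handle(self, request: bytes):
        """Returns (seconds the NAS had to wait, response packet)."""
        code, ident, request_auth, attrs = decode_packet(request)
        a = dict(attrs)
        name = a.get(ATTR_USER_NAME, b"").decode(errors="replace")
        password = reveal_password(a.get(ATTR_USER_PASSWORD, b""), self.secret, request_auth)
        expected_password, mfa_ok = self.users.get(name, (None, False))
        if code != ACCESS_REQUEST or password != expected_password:
            return 0.0, build_response(ACCESS_REJECT, ident, request_auth, self.secret)
        # First factor passed; the user is now prompted and the NAS keeps waiting.
        result = ACCESS_ACCEPT if mfa_ok else ACCESS_REJECT
        return self.mfa_delay, build_response(result, ident, request_auth, self.secret)


def nas_authenticate(server: MfaRadiusServer, secret: bytes, username: str,
                     password: str, timeout: float = 10.0) -> str:
    """Models the ASA side of `aaa authentication http console RADIUS LOCAL`:
    one Access-Request, then wait up to `timeout` seconds (the ASA default is 10)."""
    ident, request_auth = 0x2A, os.urandom(16)
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))]
    waited, response = server.handle(encode_packet(ACCESS_REQUEST, ident, request_auth, attrs))
    if waited > timeout:
        # The ASA gives up on the server; with LOCAL listed next it falls through
        # to local accounts, and the MFA decision is never seen.
        return "timeout"
    code, rid, resp_auth, _ = decode_packet(response)
    expected = _md5(response[:4] + request_auth + response[20:] + secret)
    if rid != ident or not hmac.compare_digest(resp_auth, expected):
        return "bad-authenticator"  # shared-secret mismatch or a forged reply
    return "accept" if code == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    mfa = MfaRadiusServer(b"xxxxx", {"robert": (b"correct horse battery staple", True)}, mfa_delay=25)
    print(nas_authenticate(mfa, b"xxxxx", "robert", "correct horse battery staple", timeout=60))  # accept
    print(nas_authenticate(mfa, b"xxxxx", "robert", "correct horse battery staple", timeout=10))  # timeout
```

The same 25-second MFA round trip succeeds with `timeout 60` and is abandoned with the default 10, which is the reason for the raised value in Joel's `aaa-server` host entry. A mismatched shared secret shows up as a Response Authenticator failure on the NAS side rather than a clean reject, which is also what `test aaa-server` surfaces when the key is wrong.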

Re: Configure 2FA for ASDM on ASA 5512-X

Joel,

Thanks for the reply. We don't use Azure here, as everything is on a classified system and the last thing the boss wants to do is add another server. We currently use TACACS for logging into the firewall per security requirement; I am looking to use a token/CAC solution to meet newer security requirements. The best solution is to be able to reference the CAC/token for identity via a certificate and either verify against AD or the Cisco ISE server's internal identity store.

Again, thank you for your response.