08-17-2020 08:05 AM
Hello,
We need to set up our Cisco firewall with MFA. Everything I am reading refers to Cisco AnyConnect, which we do not use. Can Duo be used to set up ASDM with MFA? Any tips would be appreciated.
Thank you,
08-18-2020 08:49 AM
Hi @NVLady,
I’m not sure about protecting ASDM. You can protect access to the ASA directly using the Duo RADIUS integration, so long as your ASA is authenticating with an Active Directory or RADIUS server that is not on the ASA itself. For anyone reading, Cisco Adaptive Security Device Manager (ASDM) lets you manage Adaptive Security Appliance (ASA) firewalls. I made the assumption you are using ASA, just not the AnyConnect client to connect? Please correct me if I’m wrong.
You might want to check out the Cisco community for help, too. I found this thread on how to configure 2FA for ASDM on ASA 5512-X that seems useful here. You can also contact our Duo Support team or the Cisco Support team.
08-18-2020 09:15 AM
Thank you for your response. We currently use RADIUS authentication with AD/ISE. We have a mandate to use dual-factor authentication when logging into the Cisco ASDM to administer the device. Ultimately, we would like to use this for authenticating to all of our other network devices.
We do not use AnyConnect with the device in question. This would just be for device management.
Thanks again!
08-19-2020 08:16 AM
Ok, I consulted with Product Manager @lgreer, so full credit for the answer goes to him.
The ASDM login can be protected with a few different forms of authentication. RADIUS is one of them, so the generic RADIUS documentation with the Duo Authentication Proxy is a solid option. That being said, since you have ISE in the mix, you can add the Duo Auth Proxy to your ISE authentication flow instead, and then any device that uses the ISE as the AAA server will, in turn, have Duo. Based on your latest post, the ISE Duo docs would probably be the best path forward.
You have two options though:
Authenticating Cisco ASDM Connections
Complete the following steps to configure authentication for ASDM administrative connections to the Cisco ASA using ASDM:
Step 1. Log in to ASDM and navigate to Configuration > Device Management > Users/AAA > AAA Access > Authentication.
Step 2. Select HTTP/ASDM under the Require Authentication for the Following Types of Connections section.
Step 3. In this example, the RADIUS server previously configured in the AAA server group (my-radius-group) is used for authentication.
Step 4. If you would like to fall back to the local user database in case the RADIUS server fails, select Use LOCAL when Server Group Fails.
Step 5. Click OK.
Step 6. Click Apply to apply the configuration changes.
Step 7. Click Save to save the configuration in the Cisco ASA.
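The settings chosen in Steps 1-7 end up as `aaa authentication` lines in the ASA configuration, so they can be checked from a saved config. The following is an added example, not part of the original replies: a small Python audit of the HTTP/ASDM authentication line. The function name is hypothetical, and the interface name, host address, timeout and key in the sample config are constructed placeholders.

```python
import re

# Constructed sample: the CLI form of the settings chosen in Steps 1-7.
# Interface name, host address, timeout and key are placeholder assumptions.
SAMPLE_CONFIG = """\
aaa-server my-radius-group protocol radius
aaa-server my-radius-group (inside) host 192.0.2.10
 timeout 60
 key *****
aaa authentication ssh console my-radius-group
aaa authentication http console my-radius-group LOCAL
"""

def audit_asdm_auth(config: str) -> dict:
    """Report how HTTP/ASDM logins are authenticated in an ASA config."""
    # Map each AAA server group name to its protocol (radius, tacacs+, ...).
    protocols = dict(re.findall(
        r"^aaa-server (\S+) protocol (\S+)\s*$", config, re.M))
    result = {"configured": False, "group": None, "protocol": None,
              "local_fallback": False, "findings": []}
    m = re.search(r"^aaa authentication http console (\S+)( LOCAL)?\s*$",
                  config, re.M)
    if not m:
        result["findings"].append(
            "no 'aaa authentication http console' line: ASDM logins "
            "are not sent to an AAA server group")
        return result
    group = m.group(1)
    result.update(configured=True, group=group,
                  protocol=protocols.get(group),
                  local_fallback=m.group(2) is not None)
    if group == "LOCAL":
        result["findings"].append("ASDM uses only the LOCAL database")
    elif group not in protocols:
        result["findings"].append(f"server group {group!r} is not defined")
    elif protocols[group] != "radius":
        result["findings"].append(f"group {group!r} is not RADIUS")
    if result["local_fallback"]:
        # Step 4: local-database logins do not pass through the RADIUS path.
        result["findings"].append(
            "LOCAL fallback enabled: local accounts are used if the "
            "server group fails")
    return result

if __name__ == "__main__":
    print(audit_asdm_auth(SAMPLE_CONFIG))
```
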
08-19-2020 09:03 AM
This is wonderful!! Thank you both very much for the time and effort you put in to getting this information for me. I very much appreciate it.
12-18-2023 05:47 AM
The Duo solution for MFA works fine for SSH access, but with ASDM there are some issues: during authentication we are continuously prompted for a lot of pushes. This happens continuously while the ASDM application was loaded. Has anyone else seen this same behaviour?