
HTTPS Flow Authentication through an ASA using Google Authenticator

jamesholley
Level 1

Hello all

We are looking to set up on Cisco ASA the following flow.

We are using SSL VPN, and wanted to enforce new connections in from the outside using AAA, sending the authentication request from the ASA to a back-end server running RADIUS and using Google Authenticator to provide 2FA for new connections.

Just looking for some guidance as to whether this is possible and whether anyone else has set up something similar.

Thanks in advance

James

6 Replies

Yes, it is possible. The big question is: what is your identity source? Where do you have the users defined? If you have MS365/Entra, then it comes with the free MS Authenticator, so I would go that path. Or, if you have another identity source, it may be best to use that, unless you want to create each user on the RADIUS server and enable 2FA. I have done it with FreeRADIUS and Google Authenticator.

Here is an example:

https://networkjutsu.com/freeradius-google-authenticator/

He has an article for the newer version 3.x of FreeRADIUS...

I would not recommend it unless you have no other identity source such as Entra/Azure or Google Workspace or any other identity source that has MFA capabilities.

**If that was useful, please rate as helpful**

Hi community,

I can confirm that this worked. We don't have any other option to use any IDP, so RADIUS & GAuth is all we can use as far as I can see.

Thanks PeteNet, but we are not using AnyConnect.

OK, you didn't answer my questions. Where are the users today? Are they on on-prem AD or somewhere else? RADIUS and Google Authenticator by itself will require you to create users locally, which is OK, but I assume you already have another identity source, right?

Yes, but why not use SAML? Why use RADIUS at all here?

Yes, SAML if they have an IDP; otherwise you have to use RADIUS with Google Authenticator.