
Cisco ASA AnyConnect MFA options

Hello Experts @Richard Burts  @balaji.bandi   @Marius Gunnerud  @Rob Ingram @Marvin Rhoads   @Giuseppe Larosa 

@Aref Alsouqi   @Mohammed al Baqari 

 

I am looking for options for 2nd factor authentication on Cisco ASA AnyConnect VPN connectivity. Please also advise what kind of additional licenses or packages are needed.

I have never implemented anything other than domain authentication for it.

 

Thanks 


Accepted Solutions

AViftrup
Level 1

There are many possible solutions you can implement.

You mention you know about domain integrations. If you're a user of Azure AD you can do O365 MFA with ASA along with SAML 2.0 - this will make your user management and MFA controllable from Office365 Administration.

Other solutions would be things like SMSPasscode, which can fetch details by LDAP or RADIUS directly and get 2FA by call or SMS - the newest version supports an app as well, I believe.

Otherwise Cisco Duo MFA would be excellent, but comes with license requirements of course.


7 Replies

Marvin Rhoads
Hall of Fame

In general, all of the MFA products (Duo, Okta, Microsoft etc.) are separate from the ASA and require their own licensing and administration. Each works well with an ASA (or FTD) remote access VPN; but it is generally recommended to take into account other systems in use or planned in your organization when choosing an MFA solution.

balaji.bandi
Hall of Fame

You can have Duo, which is good; I also have good experience with SafeNet, and any MFA is good nowadays. It is just additional security for the layer of security.

 

BB



Hello @Marvin Rhoads  @Rob Ingram  @AViftrup @balaji.bandi 

 

I had a profile set up with Azure MFA and it is working flawlessly, but AnyConnect only prompts for credentials and goes through MFA the first time and then keeps connecting automatically.

I want it to at least re-prompt for credentials once a week.

@LovejitSingh130013 define the VPN timeout - vpn-session-timeout - so the session ends after x minutes and the user is forced to re-authenticate.

Hi,

On ASA/FTD no additional license is needed for MFA. There are many options to proceed. Personally I prefer SAML SSO for AAD clients (don't go for MS on-prem MFA as it's EOL). Otherwise, Duo is the 2nd way to go.
