Cisco ASA Two-Factor Authentication configuration (non-VPN)

Hello all experts out here, I hope you are having a good time and can spare some time to help me.

I have a requirement where I need to leverage two-factor authentication for accessing servers behind a DMZ. I have searched a lot of sites, but they all talk about how it can be done with a VPN session, whereas I want 2FA for regular traffic from hosts residing in the Inside zone of the firewall to the servers in the DMZ zone.

The first factor is username/password, which will use the LDAP server located on the Inside zone of the firewall.

The second factor is a SafeNet one-time token, and the SafeNet server resides on the Internet, on the Outside zone of the firewall.

I found the link below, which solves only part of the requirement:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113363-asa-cut-through-config-00.html

Can any of you please assist/guide me to meet the requirement? A call with Cisco TAC did not help me :(

Accepted Solution

Marvin Rhoads (Hall of Fame)

When the ASA is acting as an authentication proxy (as in the document you mentioned), it only supports single-factor authentication in that respect.

You could make access to the DMZ require VPN even for internal clients. I have seen customers do this in a university setting where they segment staff-only resources from students.

Or you could implement 2FA on the servers themselves.


3 Replies

Hi Marvin, I am a fan of your posts and it is great to see your response here. Thank you.

We want to avoid 2FA on the servers as it will increase the overhead of managing them.

When you suggest VPN, are you suggesting a clientless VPN configuration here?

I have come to know that the requirement I am talking about can be achieved with a Check Point device without a VPN configuration, so I thought Cisco ASA would also have a similar feature.

I wasn't specifically thinking client-based or clientless VPN.

But 2FA is supported for Cisco ASA VPNs. It is not an available feature for authentication proxy.

There will always be one feature or another that a given vendor has vs. another. It's up to you to decide whether that single feature is worth changing firewall vendors.

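To make the distinction in the replies above concrete, here is an added configuration example (not from the thread, Cisco's cut-through proxy document, or the ASA documentation) that puts the two approaches side by side on one ASA: the cut-through proxy from the linked document, which takes a single AAA server group, and a remote-access VPN tunnel-group, which is the only place the ASA offers a secondary authentication server group. All interface addresses, server addresses, object names and the assumption that the SafeNet tokens are validated over RADIUS are illustrative and not taken from the original post.

```cisco
! Added example, not part of the original thread. Addresses and names are assumptions.
! Inside clients: 10.1.0.0/16      DMZ web server: 172.16.1.20
! LDAP server (inside): 10.1.1.10  OTP server (outside, RADIUS assumed): 203.0.113.10

! ---- First factor: LDAP server group reachable through the inside interface ----
aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 10.1.1.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
 ldap-login-password <bind-password>
 server-type microsoft

! ---- Second factor: OTP server group reachable through the outside interface ----
! The token server is assumed to speak RADIUS (assumption, not stated in the thread).
aaa-server OTP-SRV protocol radius
aaa-server OTP-SRV (outside) host 203.0.113.10
 key <shared-secret>
 authentication-port 1812

! ---- Cut-through proxy, as in the document the poster linked ----
! Only HTTP to the DMZ server is matched here; other protocols need a
! virtual http/telnet listener before they can be authenticated.
access-list DMZ-AUTH extended permit tcp 10.1.0.0 255.255.0.0 host 172.16.1.20 eq www
aaa authentication match DMZ-AUTH inside LDAP-SRV
aaa authentication listener http inside port 8443 redirect
timeout uauth 0:30:00 absolute uauth 0:05:00 inactivity
! "aaa authentication match" accepts exactly one server group. There is no
! secondary group on this command, so inside-to-DMZ traffic gets LDAP only.
! Caveat: the resulting uauth entry is keyed on the client's source IP, so every
! user and process on that host (or anything spoofing its address) inherits the
! authenticated session until the uauth timers above expire.

! ---- Remote-access VPN on the inside interface: where a second factor is supported ----
webvpn
 enable inside
access-list DMZ-ONLY standard permit 172.16.1.0 255.255.255.0
group-policy DMZ-GP internal
group-policy DMZ-GP attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DMZ-ONLY
tunnel-group DMZ-ACCESS type remote-access
tunnel-group DMZ-ACCESS general-attributes
 authentication-server-group LDAP-SRV
 secondary-authentication-server-group OTP-SRV
 default-group-policy DMZ-GP
tunnel-group DMZ-ACCESS webvpn-attributes
 group-alias dmz enable
```

With this in place, `show uauth` lists the single-factor cut-through proxy sessions by source IP, while `show vpn-sessiondb anyconnect` (or `show vpn-sessiondb webvpn` for clientless users) shows the sessions that passed both the LDAP and the OTP group. Split tunneling is limited to the DMZ subnet so that the VPN only carries the traffic you want to gate, and everything else from the inside host keeps its normal path.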