What is the right AnyConnect-license for two factor authentication?

swscco001
Level 3

Hello everybody,

our customer is planning two factor authentication (e.g. DUO) for
AnyConnect access to their FTDs.

I am not sure what license is the correct one. Is it enough
to use the Plus license or do they need the Apex license?

I did not find the answer in the AnyConnect ordering guide.

Thanks a lot for your hints!

Bye
R.

1 Accepted Solution


Marvin Rhoads
Hall of Fame

Generally speaking AnyConnect is just passing whatever authentication credential(s) the user or endpoint provides to the headend device (ASA, FTD or router) and/or configured authentication server(s).

So you can equally use AnyConnect Plus, Apex or VPN only licenses in the basic 2FA use cases (i.e. where the 2FA happens on the "back end").

If your 2FA is implemented via SAML (as is commonly the case with both Cisco Duo and Microsoft Azure AD with Authenticator) then AnyConnect Apex licenses are required.


5 Replies

balaji.bandi
Hall of Fame

RA VPN license, any of the following: AnyConnect Plus, AnyConnect Apex, or AnyConnect VPN Only

Check here for the license:

https://www.cisco.com/c/en/us/td/docs/security/firepower/621/configuration/guide/fpmc-config-guide-v621/licensing_firepower_system.html

You need to buy an AnyConnect license (it comes with 25 to start with)

https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc5

Two-factor is an additional cost that depends on the vendor you choose (like Duo), or any other Google Authenticator or 3rd-party tokens

BB


Hi Marvin,

this was the information I needed.

Thanks a lot!

Hi Marvin,

Just wanted to ask, what other 2FA option is available for AnyConnect Plus (perpetual)?

I was trying to configure Azure MFA and kept on getting "failed to generate SAML AuthnRequest"; then I saw your post that SAML needs an Apex or VPN only license, which saves me a lot of time in troubleshooting.

Thank you.

@ivhanez1212 you can do 2FA (e.g. Duo or other) with RADIUS.

I have done this both with Duo Authentication Proxy (with Duo of course) and Microsoft NPS (with MS Authenticator MFA).
