
Cisco ASA5525 2FA solution

MJ666
Level 1

Hi Team,

I'd like to check which two-factor authentication (2FA) options are currently supported by our Cisco firewalls ASA5525 and Cisco Security Manager (CSM)?

 

Thank you

9 Replies

balaji.bandi
Hall of Fame
I'd like to check which two-factor authentication (2FA) options are currently supported by our Cisco firewalls ASA5525 and Cisco Security Manager (CSM)?

Can you please confirm whether you mean 2FA for device admin on the ASA or for remote VPN? Device admin, yes, you can do it, depending on what code is running (check the admin guide); again, it depends on what RADIUS/TACACS you are using.

Cisco Security Manager (CSM) - you can configure the same for Web GUI access.

 

BB

=====Preenayamo Vasudevam=====


Hi @balaji.bandi , 

We are looking for various Admin and remote VPN solutions.
The ultimate goal is to choose the best solution in both cases.

I'm not sure I understand your comment “Cisco Security Manager (CSM) - you can configure the same for Web GUI access.”
Could you elaborate, please?

Best

@balaji.bandi  

Thank you for your feedback.
To clarify my request:

  • I’m referring to two-factor authentication (2FA) for administrative access (SSH, ASDM, or CSM Web GUI), not for remote VPN users.

  • We would like to know which 2FA mechanisms are officially supported on:

    1. Cisco ASA 5525 (running ASA version 9.16)

    2. Cisco Security Manager (CSM version 11.5(4))

Specifically:

  • Does ASA natively support direct integration with 2FA providers (e.g., Duo, RSA SecurID, Microsoft Azure MFA, etc.), or must it always rely on an external RADIUS server such as Cisco Prime Infrastructure or ISE or Duo Authentication Proxy?

  • For CSM, can 2FA be directly configured for the Web GUI login, or is it only possible through integration with an external authentication server (e.g., LDAP or RADIUS with 2FA)?

A clear confirmation or documentation link for the supported 2FA options for both ASA and CSM would be appreciated.

@balaji.bandi  I'm using RADIUS authentication

We usually rely on 2FA configuration on the external authentication server. For instance, if you use ISE as the authentication server, then ISE can relay the 2FA request to the 2FA server instead of the ASA itself. However, you could also configure the ASA to send the 2FA request to the 2FA server directly. I'm not sure about CSM; I think it doesn't support that feature unless you configure an external authentication server.

@Aref Alsouqi  

Thank you for your feedback.
To clarify my request:

  • I’m referring to two-factor authentication (2FA) for administrative access (SSH, ASDM, or CSM Web GUI), not for remote VPN users.

  • We would like to know which 2FA mechanisms are officially supported on:

    1. Cisco ASA 5525 (running ASA version 9.16, managed per CLI or CSM Web GUI)

    2. Cisco Security Manager (CSM version 4.29)

Specifically:

  • Does ASA natively support direct integration with 2FA providers (e.g., Duo, RSA SecurID, Microsoft Azure MFA, etc.), or must it always rely on an external RADIUS/TACACS+ server such as Cisco Prime Infrastructure or Cisco ISE or Duo Authentication Proxy?

  • For CSM, can 2FA be directly configured for the Web GUI login, or is it only possible through integration with an external authentication server (e.g., LDAP or RADIUS with 2FA)?

A clear confirmation or documentation link for the supported 2FA options for both ASA and CSM would be appreciated.

On the ASA you can; however, whether you configure the ASA to send the request directly to Duo or you pass through an external RADIUS server, it won't change the fact that you will have to configure an external AAA server on the device. With regard to CSM, based on my knowledge it supports both RADIUS and TACACS.

User Guide for Cisco Security Manager 4.28 - Configuring Device Administration Policies on Firewall Devices [Cisco Security Manager] - Cisco

How do I protect SSH logins to my Cisco ASA?
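
The ASA side of the model described in this answer, as an added configuration example that is not part of the original thread or of Cisco's documentation: the ASA is pointed at an external RADIUS server, and that server (for example ISE or a Duo Authentication Proxy) is what enforces the second factor. The server group name, interface name, address and shared secret are assumptions.

```text
! Added example, not from the thread. Assumed names and values:
!   MFA-RADIUS       hypothetical AAA server group name
!   inside           assumed name of the management-facing interface
!   192.0.2.10       constructed address of the external RADIUS server
!   <shared-secret>  placeholder for the RADIUS shared secret
!
! 1. Define the external AAA server. The ASA only speaks RADIUS to it;
!    the server decides whether and how to request the second factor.
!    The timeout is raised so an out-of-band approval can complete
!    before the ASA gives up on the request.
aaa-server MFA-RADIUS protocol radius
aaa-server MFA-RADIUS (inside) host 192.0.2.10
 key <shared-secret>
 timeout 60
!
! 2. Send administrative logins to that server group.
!    "ssh console" covers SSH sessions, "http console" covers ASDM.
!    LOCAL is consulted only when the AAA server does not respond.
aaa authentication ssh console MFA-RADIUS LOCAL
aaa authentication http console MFA-RADIUS LOCAL
```

The LOCAL fallback is single-factor by nature, so any local account kept for it should have a strong, separately stored password, and its use should be logged and reviewed.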

@Aref Alsouqi

Thank you for the clarification.

So, to confirm my understanding:

  • On ASA 5525 (ASA 9.16):
    2FA is supported through integration with an external AAA server (RADIUS or TACACS+) such as Cisco Prime Infrastructure 3.10.6. The ASA itself does not natively handle the second factor.

  • On CSM 4.29:
    2FA for administrative (Web GUI) access can be achieved only via RADIUS or TACACS+ integration, depending on the 2FA configuration of the external authentication server.

Could you please confirm that this interpretation is correct?

Also, if available, could you provide a Cisco reference confirming these integration models for ASA and CSM (for documentation or audit purposes)?

Best