I will use screenshots of ASDM, and at the end I will add the required CLI commands. The diagram below shows the steps the firewall goes through when using 2FA authentication:
As you can see in Fig. 1, the first step in the authentication process is to connect to ISE, which then connects to AD; you could also configure the ASA to go to AD directly.
AnyConnect Connection Profile
Enable Cisco AnyConnect access on the outside interface.
Choose "Bypass interface access lists for inbound VPN sessions".
Now drill into the connection profile itself (Fig. 2).
Fig. 2 shows that the authentication is set to AAA, which is offloaded to ISE using RADIUS; ISE then authenticates against (very likely) AD credentials. I will address the ISE configuration part of this in a separate post. So, pretty much, the first factor is the RADIUS authentication.
Because 2FA, as the name suggests, uses two authentication sources, you will also need to add a secondary authentication method; in this case I have used a server group called VIP (using Symantec's VIP service).
If you are using Symantec or any other third-party 2FA provider, such as MS Azure, you can decide to point your secondary AAA server to either an on-premise 2FA gateway or a cloud service. Either way, from the ASA's point of view you will need a different IP address. Typically, you will connect on ports tcp/1812 for authentication and tcp/1813 for accounting.
Configure a group policy to assign to your connection profile. I prefer to create a separate group policy for each profile, even though most of the parameters are inherited from the default policy; this makes it easier to make changes that do not impact other connection profiles using the same default values. Assign this group policy to the connection profile from the step above. If you are going to use the AnyConnect client, you need to select SSL VPN Client.
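The connection profile steps above, expressed as the equivalent ASA CLI; this is an added example and not configuration from the original post. The server group names ISE and VIP, the tunnel-group name, the interface names and the 192.0.2.x addresses are assumptions; the group policy name AnyConnect_2FA is the one the post uses.

```cisco
! Primary factor: RADIUS to ISE (which in turn checks AD). Addresses are assumed.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.0.2.10
 key <ise-shared-secret>
 authentication-port 1812
 accounting-port 1813
! Second factor: RADIUS to the VIP gateway, which must be a separate IP address
aaa-server VIP protocol radius
aaa-server VIP (inside) host 192.0.2.20
 key <vip-shared-secret>
 authentication-port 1812
!
! Dedicated group policy; everything not set here is inherited from DfltGrpPolicy
group-policy AnyConnect_2FA internal
group-policy AnyConnect_2FA attributes
 vpn-tunnel-protocol ssl-client
!
! Connection profile: primary AAA = ISE, secondary AAA = VIP
tunnel-group AnyConnect_2FA type remote-access
tunnel-group AnyConnect_2FA general-attributes
 authentication-server-group ISE
 secondary-authentication-server-group VIP
 default-group-policy AnyConnect_2FA
tunnel-group AnyConnect_2FA webvpn-attributes
 group-alias 2FA enable
!
! Enable AnyConnect on the outside interface and let users pick the profile alias
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
! "Bypass interface access lists for inbound VPN sessions" in ASDM
sysopt connection permit-vpn
!
! Checks before testing a client login: both groups must show as ACTIVE,
! and each factor should be tested on its own with a known account
! show aaa-server ISE
! show aaa-server VIP
! test aaa-server authentication ISE host 192.0.2.10 username <user> password <pw>
! test aaa-server authentication VIP host 192.0.2.20 username <user> password <code>
```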
AnyConnect prompt customisation
You might decide to change the AnyConnect login prompt to state that the second authentication, a 2FA security code, is required. For instance:
To do this, you will need to customise the client's language file under Config > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > GUI Text and Messages. Edit the language file so that the entry reads:
msgid "Second Password"
msgstr "VIP Access Security Code:"
The equivalent CLI commands for assigning the client profile to the group policy:
group-policy AnyConnect_2FA attributes
 anyconnect profiles value Test_Client_Profile type user