FIDO2 support or planned support for Anyconnect?

Chris Evans
Level 1

All:

I've got a customer that has a business requirement for FIDO2 (WebAuthn) authentication for their VPN clients. They plan on using YubiKey or similar token hardware for end users to authenticate.

From what I've seen so far, this isn't supported in RADIUS yet. Are there any plans to do so, in particular with AnyConnect?

Accepted Solution

Rahul Govindan
VIP Alumni

This is not supported on AnyConnect as of today. I was able to get YubiKey OTP to work with AnyConnect in combination with Duo. This is a complicated manual setup, though, and I would not recommend it for an admin with a lot of hardware tokens to manage.

The enhancement bug raised for U2F integration on AnyConnect is here:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo19158

I would reach out to your Cisco Account Manager to see if there is any traction on this request.


7 Replies


Thanks for the quick reply! Very helpful.

After reading your reply I subsequently wondered if there'd be better luck for this if we used the thin client rather than the full AnyConnect client. Perhaps that would add the client-side support needed for FIDO2 authentication? I worry that opens a can of worms over control of the browsers the end users have and whether they have support for FIDO2 as well, though.

Chris,

I think this would require some custom JavaScript to be installed on the ASA to let the U2F registration/verification process complete (hence validating the user), and a validation service like Duo/RSA that understands the hardware tokens. Duo had done something similar for their mobile-token-based service for clientless SSL VPN.

https://duo.com/docs/cisco

Unfortunately, I do not think there is any way to get U2F to work natively on the ASA.

Hi all, I think full FIDO2 functionality can be achieved by leveraging the SAML capabilities already available in ASA and AnyConnect 4.6 and up. The problem as I see it is that currently AnyConnect is using an embedded browser that does not support FIDO2 WebAuthn. Upgrading this component will fix this problem. It would be great to get an update on what Cisco's plans are to do this. We all have customers that are already using AzureAD, Duo, Okta, Ping and other FIDO2- and SAML-capable Identity Providers, so this should be a very feasible integration. The embedded browser approach should take us there pretty quickly. Can someone at Cisco provide an update here on your plans for this?

Cisco only sporadically monitors these forums.

If you want the best outcome for your suggestion you should raise it through your Cisco Account Manager. Ask them to submit your request as a "Firestarter" request.

srathmann
Level 1

Hello, it is now 2022. We also have the problem that the internal browser of AnyConnect still does not support WebAuthn/FIDO2. We found some hints to enable the system browser, but in the current ASA config we do not find this feature.

Any hint how we get FIDO2 running with ASA, AnyConnect and Azure?

Hello,
The external browser should work with current ASA software.

Release Notes for the Cisco ASA Series, 9.17(x) - Cisco

VPN Features

Local tunnel id support for IKEv2

Support has been added for local Tunnel id configuration for IKEv2.

New/Modified commands: set ikev2 local-identity

Support for SAML Attributes with DAP constraint

Support has been added for SAML assertion attributes which can be used to make DAP policy selections. It also introduces the ability for a group-policy to be specified by the cisco_group_policy attribute.

Multiple SAML trustpoints in IDP configuration

This feature supports adding multiple IDP trustpoints per SAML IDP configuration for applications that support multiple applications for the same Entity ID.

New/Modified commands: saml idp-trustpoint <trustpoint-name>

AnyConnect VPN SAML External Browser

You can now configure AnyConnect VPN SAML External Browser to enable additional authentication choices, such as passwordless authentication, WebAuthN, FIDO, SSO, U2F, and an improved SAML experience due to the persistence of cookies. When you use SAML as the primary authentication method for a remote access VPN connection profile, you can elect to have the AnyConnect client use the client’s local browser instead of the AnyConnect embedded browser to perform the web authentication. This option enables single sign-on (SSO) between your VPN authentication and other corporate logins. Also choose this option if you want to support web authentication methods, such as biometric authentication and Yubikeys, that cannot be performed in the embedded browser.

New/Modified commands: external-browser

VPN Load balancing with SAML

ASA now supports VPN load balancing with SAML authentication.
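As an added example (not from the thread above and not Cisco's own documentation), here is the shape of an ASA configuration that ties the pieces together: a SAML IdP definition under webvpn, a remote-access tunnel-group that authenticates with SAML, and the 9.17(x) external-browser option that hands the login to the OS browser so the IdP can run the WebAuthn/FIDO2 ceremony against the YubiKey. The FQDN vpn.example.com, the TENANT-ID placeholder, and the trustpoint names AZUREAD-SIGNING and ASA-VPN-CERT are assumptions; substitute the entity ID, sign-in URL and signing certificate from your IdP's SAML metadata.

```text
! Added example configuration, ASA 9.17(1) or later.
! All names, FQDNs and TENANT-ID are placeholders.
webvpn
 enable outside
 ! IdP definition: entity ID and URLs come from the IdP's SAML metadata.
 saml idp https://sts.windows.net/TENANT-ID/
  url sign-in https://login.microsoftonline.com/TENANT-ID/saml2
  url sign-out https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
  ! base-url must match the FQDN clients connect to; the assertion is
  ! posted back to this origin after the browser-side login.
  base-url https://vpn.example.com
  ! IdP signing certificate, imported into this trustpoint beforehand.
  trustpoint idp AZUREAD-SIGNING
  ! The ASA's own identity certificate (the SAML SP).
  trustpoint sp ASA-VPN-CERT
  no signature
  no force re-authentication
!
tunnel-group SAML-VPN type remote-access
tunnel-group SAML-VPN webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/TENANT-ID/
 ! Without the next line AnyConnect uses its embedded browser, which is the
 ! case the thread describes: the IdP login page renders, but WebAuthn is
 ! unavailable. With it, the login is opened in the user's default browser.
 saml external-browser
 group-alias SAML-VPN enable
```

Two checks worth doing once this is in place. First, `show webvpn saml idp` should list the IdP with the sign-in URL and both trustpoints resolved; if the IdP certificate is missing or expired the assertion will fail signature validation, and `debug webvpn saml 255` shows why. Second, confirm the client build actually honours the external-browser setting (the ASA side alone is not enough; an AnyConnect release old enough to predate the feature silently falls back to the embedded browser). Note also that with this design the FIDO2 credential is registered against the IdP's origin, not the ASA, so token enrolment, lost-token recovery and policy enforcement all live in the IdP, which is where the customer's YubiKey management needs to be set up.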