Active/Standard ASA - Two-Factor VPN Capabilities?

Hi Folks,

I have been asked to deploy a small-scale remote access solution to one of our existing network perimeters.  I have been carrying out some online research and think I have identified a low-cost solution, but I'd appreciate it if my thinking could be confirmed by the experienced support community!

Current Setup: ASA 5520 8.4(2) pair configured in Active/Standby acting as perimeter firewall

Requirement:  Deploy Remote Access VPN with Two-Factor Authentication

Userbase: 5 - 10 users

VPN-Exposed Destination: A single host on inside - ports 3389/tcp (Remote Desktop) and 22/tcp (SFTP)

Solution Consideration: Needs to be as low cost as possible!

The 2FA solution I am leaning towards is the ASA's local user database (what you know) in conjunction with per-user certificates (what you have).

First Question - I believe that as the ASA is operating as A/S failover, I cannot use the ASA's local CA server - could someone please confirm if this is a case of "can not" or "should not"?  I believe the CA database cannot be replicated between the ASA units, but temporarily losing VPN capability in the event of a failover situation is an acceptable risk for this environment.

Second Question - If the local ASA CA is not an option, are there any potential pitfalls I should be aware of with leveraging a Windows Server 2003 R2 domain controller CA on the inside of the firewall as an alternative?

Final Question - I was hoping that Cisco's IPSEC VPN Client would allow for two-factor authentication, but it appears this is not the case and only the SSL VPN supports this.  This will unfortunately require a license purchase; would the AnyConnect Essentials (ASA-AC-E-55XX=) suffice, as I believe this will be the lowest cost option?  We want to keep it as simple as possible, and purely require the users to have directly-routed access to the inside host on the two ports stated (we don't want to use the 'clientless' HTTPS-based VPN portal, for example).

Many thanks in advance,




I must say first off, that a pair of 5520s for 5/10 users is overkill.

First Question - do you require the need for machine certificate or user certificate authentication? Why?

Second Question - As per first question

Final Question - Cisco's IPSEC VPN client does support Two-Factor authentication.


Hi Andrew,

Many thanks for your reply.

I agree that 5520s would be overkill for this minor VPN deployment if that was their only intended function, however the pair are responsible for a much larger role in the perimeter design; the choice for the 5520s stems from other more important design requirements, including that all four network uplinks are GB to ensure the ASA does not represent a throughput bottleneck.

Group certificate authentication was not deemed appropriate for two-factor authentication purposes by our industry security assessors, so per-user certificate authentication was recommended as the alternative.

I have now implemented the AnyConnect solution as planned, with username prefilled per-user certificates and the MS CA and all seems to be operating well.  The low cost AnyConnect Essentials licenses provided more than enough functionality to satisfy this configuration.

Best regards,
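The setup the original poster reports in the follow-up (AnyConnect SSL client, per-user certificates issued by the inside Microsoft CA, local-database password, username pre-filled from the certificate, access limited to one inside host on 3389/tcp and 22/tcp), written out as an added ASA 8.4 CLI example that is not from the thread or from Cisco; the trustpoint and group names, the address pool, the inside host 10.0.0.5 and the user alice are assumed placeholders.

```text
! Added example, not the poster's running config. Assumed placeholders:
! MS-CA, RA-VPN, RA-POOL, 10.0.0.5, alice. Assumes the Windows CA
! publishes an HTTP CRL distribution point the ASA can reach.

! Trust the inside Microsoft CA (root cert is pasted at the prompt) and
! check its CRL so a revoked user certificate stops working.
crypto ca trustpoint MS-CA
 enrollment terminal
 revocation-check crl
 crl configure
crypto ca authenticate MS-CA

! Local-database user (what you know). The name must equal the CN of the
! user's certificate because the username is taken from there below.
! service-type remote-access keeps the account off the management plane.
username alice password <set-a-strong-password> privilege 0
username alice attributes
 service-type remote-access

! Tunnel traffic may only reach the single inside host on RDP and SFTP.
access-list RA-VPN-FILTER extended permit tcp any host 10.0.0.5 eq 3389
access-list RA-VPN-FILTER extended permit tcp any host 10.0.0.5 eq 22
access-list RA-VPN-FILTER extended deny ip any any

ip local pool RA-POOL 192.0.2.10-192.0.2.20 mask 255.255.255.0

webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-<version>-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

group-policy RA-VPN internal
group-policy RA-VPN attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value RA-VPN-FILTER

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool RA-POOL
 default-group-policy RA-VPN
 authentication-server-group LOCAL
 username-from-certificate CN
tunnel-group RA-VPN webvpn-attributes
 ! "aaa certificate" = both a valid user certificate AND a password
 authentication aaa certificate
 pre-fill-username ssl-client
 group-alias RA-VPN enable
```

The vpn-filter is enforced regardless of split-tunnel settings, so the client gets only the two ports on the one host even with full tunnelling.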

