11-01-2017 07:58 AM
I have a customer that currently uses Anyconnect 3.X for remote access to either a pair of ASA5545 (9.2(4)) or a pair of ASA5525 (9.4(4)). They are currently using AD for authentication but would like to add a second factor. They are using Azure MFA for their Citrix clients and would therefore like to use this for the Anyconnect as well. Are there any restrictions or limitations to this configuration?
FYI, I have already discussed upgrading to AC 4.X but they feel that because of the low usage of their current AC environment that unless there is a compelling reason to upgrade then they will stay with 3.X for awhile longer.
Any advice would be appreciated.
11-03-2017 02:13 PM
Yes, they definitely should be upgrading to 4.5 as 3.1 is very old now.
Secondary Authentication aka Double Authentication is very common and should still work with 3.1 but will for sure with 4.x.
It is configured on the ASA using ASDM on the current tunnel group under Advanced. They will have to define access to Azure via LDAP or RADIUS as a new AAA server group.
Secondary Authentication under Connection Profile > Advanced lets you configure secondary authentication, which is also known as double authentication. When secondary authentication is enabled, the end user must present two sets of valid authentication credentials in order to log on. You can use secondary authentication in conjunction with pre-filling the username from a certificate. The fields in this dialog box are similar to those you configure for primary authentication, but these fields relate only to secondary authentication.
When double authentication is enabled, these attributes choose one or more fields in a certificate to use as the username. Configuring the secondary username from certificate attribute forces the security appliance to use the specified certificate field as the second username for the second username/password authentication.
Source: ASDM Help
Azure Multi-Factor Authentication integrates with your Cisco® ASA VPN appliance to provide additional security for Cisco AnyConnect® VPN logins and portal access. You can use either the LDAP or RADIUS protocol. Select one of the following to download the detailed step-by-step configuration guides.

| Configuration Guide | Description |
|---|---|
| Cisco ASA with Anyconnect VPN and Azure MFA Configuration for LDAP | Integrate your Cisco ASA VPN appliance with Azure MFA using LDAP |
| Cisco ASA with Anyconnect VPN and Azure MFA Configuration for RADIUS | Integrate your Cisco ASA VPN appliance with Azure MFA using RADIUS |
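As an added illustration (not from the thread, and not taken from Cisco's or Microsoft's guides), this is the ASA CLI equivalent of what the answer describes in ASDM: a new RADIUS AAA server group for the Azure MFA endpoint, attached as the secondary authentication server on the existing connection profile. The group names, interface, host address, tunnel-group name and shared secret are placeholders, and the primary AD LDAP group is assumed to already exist.

```text
! Added example, not from the original post. All names, addresses and the key are placeholders.
! Primary factor: the existing AD LDAP server group (assumed here to be named AD-LDAP).
!
! Secondary factor: a new AAA server group pointing at the RADIUS endpoint that fronts Azure MFA.
aaa-server AZURE-MFA protocol radius
 max-failed-attempts 3
aaa-server AZURE-MFA (inside) host 10.0.0.5
 key <SHARED-SECRET-PLACEHOLDER>
 authentication-port 1812
 accounting-port 1813
! Default per-host timeout is 10 seconds; a push or phone-call approval needs longer.
 timeout 60
!
! Attach both factors to the existing connection profile (tunnel group).
! use-primary-username lets the user enter one username and only the second password/OTP.
tunnel-group RA-VPN general-attributes
 authentication-server-group AD-LDAP
 secondary-authentication-server-group AZURE-MFA use-primary-username
!
! Verify the RADIUS leg from the ASA before touching the client side (exec mode):
! test aaa-server authentication AZURE-MFA host 10.0.0.5 username jdoe password <placeholder>
```

If the ASA's RADIUS timeout is left at the default, the request is retried or failed over before the user can approve the push, which shows up as intermittent MFA failures rather than a clean misconfiguration.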
11-03-2017 10:23 AM
Can anyone please offer some advice?
11-06-2017 10:26 AM
Excellent. Thanks for your reply, Paul.
03-04-2020 04:10 PM
Now that the MFA server has been discontinued by Microsoft, is there still a way to achieve this?
03-05-2020 02:38 AM
Hi,
MFA is still available, cloud-based.
Regards,
Cristian Matei.