Anyconnect 3.X and Azure MFA

David Hild
Level 11

I have a customer that currently uses Anyconnect 3.X for remote access to either a pair of ASA5545 (9.2(4)) or a pair of ASA5525 (9.4(4)). They are currently using AD for authentication but would like to add a second factor. They are using Azure MFA for their Citrix clients and would therefore like to use this for the Anyconnect as well. Are there any restrictions or limitations to this configuration?

FYI, I have already discussed upgrading to AC 4.X, but they feel that because of the low usage of their current AC environment, unless there is a compelling reason to upgrade they will stay with 3.X for a while longer.

Any advice would be appreciated.

5 Replies

David Hild
Level 11

Can anyone please offer some advice?

pcarco
Cisco Employee

Yes, they definitely should be upgrading to 4.5 as 3.1 is very old now.

Secondary Authentication aka Double Authentication is very common and should still work with 3.1 but will for sure with 4.x.

It is configured on the ASA using ASDM on the current tunnel group under Advanced. They will have to define access to Azure via LDAP or RADIUS as a new AAA server group.

Secondary Authentication under Connection Profile > Advanced lets you configure secondary authentication, which is also known as double authentication. When secondary authentication is enabled, the end user must present two sets of valid authentication credentials in order to log on. You can use secondary authentication in conjunction with pre-filling the username from a certificate. The fields in this dialog box are similar to those you configure for primary authentication, but these fields relate only to secondary authentication.

When double authentication is enabled, these attributes choose one or more fields in a certificate to use as the username. Configuring the secondary username from certificate attribute forces the security appliance to use the specified certificate field as the second username for the second username/password authentication.

Source: ASDM Help

https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-advanced-vpn-configuratio…

Azure Multi-Factor Authentication integrates with your Cisco® ASA VPN appliance to provide additional security for Cisco AnyConnect® VPN logins and portal access. You can use either the LDAP or RADIUS protocol. Select one of the following to download the detailed step-by-step configuration guides.

Configuration Guide: Description
Cisco ASA with Anyconnect VPN and Azure MFA Configuration for LDAP: Integrate your Cisco ASA VPN appliance with Azure MFA using LDAP
Cisco ASA with Anyconnect VPN and Azure MFA Configuration for RADIUS: Integrate your Cisco ASA VPN appliance with Azure MFA using RADIUS
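As an added example (not code from this thread, Cisco or Microsoft): a small Python audit that parses an ASA running-config excerpt for the two items Paul describes, a new AAA server group for Azure MFA and the secondary-authentication-server-group on the tunnel group, and flags tunnel groups that still accept a single factor or whose MFA group has an undefined or too-short timeout. The config text, group names, address and the 30-second timeout floor are constructed assumptions.

```python
import re
# Constructed ASA running-config excerpt (not from a real device), shaped as the thread
# describes: an Azure MFA RADIUS group as secondary auth on one tunnel group, none on another.
SAMPLE_CONFIG = """\
aaa-server AD-LDAP protocol ldap
aaa-server AZURE-MFA protocol radius
aaa-server AZURE-MFA (inside) host 10.0.0.20
 key PLACEHOLDER-SHARED-SECRET
 timeout 60
tunnel-group REMOTE-VPN general-attributes
 authentication-server-group AD-LDAP
 secondary-authentication-server-group AZURE-MFA
tunnel-group LEGACY-VPN general-attributes
 authentication-server-group AD-LDAP
"""
DEFAULT_TIMEOUT = 10  # ASA default per-host AAA timeout, in seconds
MFA_MIN_TIMEOUT = 30  # assumed floor: a push or phone-call factor needs longer than the default

def parse_config(text):
    """Return (aaa_groups, tunnel_groups) as name -> settings dicts parsed from ASA CLI text."""
    aaa, tunnels, ctx = {}, {}, None  # ctx: the block that following indented lines belong to
    for line in text.splitlines():
        m = re.match(r"aaa-server (\S+) (?:protocol|\(\S+\) host)", line)
        if m:  # group header or one of its host entries; hosts start at the default timeout
            aaa.setdefault(m.group(1), {"timeout": DEFAULT_TIMEOUT})
            ctx = ("aaa", m.group(1)); continue
        m = re.match(r"tunnel-group (\S+) general-attributes", line)
        if m:
            tunnels.setdefault(m.group(1), {"primary": None, "secondary": None})
            ctx = ("tg", m.group(1)); continue
        m = re.match(r" timeout (\d+)", line)
        if m and ctx and ctx[0] == "aaa":
            aaa[ctx[1]]["timeout"] = int(m.group(1)); continue
        m = re.match(r" (secondary-)?authentication-server-group (\S+)", line)
        if m and ctx and ctx[0] == "tg":
            tunnels[ctx[1]]["secondary" if m.group(1) else "primary"] = m.group(2)
    return aaa, tunnels

def audit(text, min_timeout=MFA_MIN_TIMEOUT):
    """List tunnel groups that still allow single-factor logins or whose MFA group is unusable."""
    aaa, tunnels = parse_config(text)
    findings = []
    for name, tg in tunnels.items():
        sec = tg["secondary"]
        if sec is None:
            findings.append(f"{name}: no secondary-authentication-server-group (single factor)")
        elif sec not in aaa or aaa[sec]["timeout"] < min_timeout:
            findings.append(f"{name}: secondary group {sec} undefined or timeout below {min_timeout}s")
    return findings
```

Run `audit(SAMPLE_CONFIG)` against the text of `show running-config` to list the tunnel groups that would still let a stolen AD password in on its own.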

Excellent. Thanks for your reply, Paul.

Now that the MFA Server has been discontinued by Microsoft, is there still a way to achieve this?

Hi,

MFA is still available, cloud-based.

https://docs.microsoft.com/en-us/azure/active-directory/authentication/multi-factor-authentication-faq

Regards,

Cristian Matei.
