11-26-2018 08:14 PM - edited 02-21-2020 09:31 PM
Hi All,
We have a simple AnyConnect structure in our environment where AnyConnect users are authenticated against AD for registered laptops. However, recently we have seen some of our employees trying to access our internal networks via AnyConnect on unregistered BYODs; so far none have been successful. So here are my queries:
1) Is it possible to access internal networks via AnyConnect on unregistered BYODs? If yes, how? And what are the workarounds for it?
2) What are some of the best MFA mechanisms which can be used with AnyConnect in the market today?
11-26-2018 08:44 PM
Check this post:
You can use Symantec VIP, Duo and a few others.
11-27-2018 03:53 AM
Are you talking about AnyConnect Network Access Module (NAM) vs the VPN client?
11-28-2018 10:55 AM
1) AnyConnect, by default, does not restrict which device a user can connect from. If you want to restrict AnyConnect to only corporate machines, you can use the Hostscan/DAP/Posture functionality to only allow Domain machines to connect successfully.
Example:
2) I think @Dennis Mink mentioned a few of them. Duo is now part of Cisco, and works well in my experience. Example guides are here: