03-03-2017 02:46 PM - edited 02-21-2020 09:10 PM
Have a Cisco ASA 5515-X v9.3 and the latest AnyConnect client 4.x. We are testing a new Microsoft Multi Factor authentication server. Added it as a RADIUS server and it works like a charm. Here is the scenario I am trying to configure. It all works except for number 6. Not sure how to confi
For number 6, Microsoft stated that the ASA needed to be able to challenge and response. I was thinking this was a Secondary authentication method in the AnyConnect profile, but that isn't it.
Does anyone have a setup like this? Or familiar with this type of setup?
03-05-2017 05:06 AM
I don't think you need a secondary authentication method for this. Referencing the below guide, I believe the OATH method can just be an input into a field once you use the Authenticator App.
https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-advanced-vpn-configurations
Are you not getting the prompt to enter the credentials once you generate the code?
03-06-2017 02:23 PM
Our Microsoft authenticator app has two authentication methods. First, when the ASA sends a RADIUS request, the app will provide a pop-up asking the user to Approve or Deny the connection. If for some reason the user does not hit the approve / deny or doesn't get that notification, the app uses a secondary backup method. The secondary method is to provide a 6-digit code.
We hit connect on the AnyConnect client. Connect to the ASA and get username / password credentials. These are AD credentials. We input our credentials and hit OK. Then as second factor auth, our MS authenticator app on our smartphone prompts us to approve / deny this connection.
If for some reason the user misses the approve / deny request, the Microsoft authenticator app also creates a 6-digit code as a backup. We would like the ASA to provide a passcode pop-up for this if the user has not approved or denied the connection with the Microsoft authenticator initial request.
Hopefully this doesn't sound too confusing.
03-06-2017 05:07 PM
Basically I want the ASA to challenge a non-response from the RADIUS server with a passcode option.
If the user does not approve / deny the connectivity for whatever reason, we would like the ASA to present a passcode option. If the user isn't getting the approve / deny password prompt on the authenticator app then they could manually enter the passcode provided. But the ASA needs to provide that option after waiting and not receiving the initial approve / deny response.
10-30-2019 06:55 PM
No, I am not getting a request.
03-20-2020 06:50 AM
Did you ever solve this issue? We are looking at implementing the same solution and I am not seeing a way for a backup authentication method.