Cisco ASA Remote Access VPN w/ ISE as a Radius Server + Yubikey as 2FA

latenaite2011
Level 4

Hi Everyone,

 

Does anyone know if we can configure Cisco ASA Remote Access VPN using ISE as a RADIUS server with Yubikey as two-factor authentication? I read that there might be a password limitation of 32 characters and the Yubikey uses 132 characters.

 

If so, do you have any configuration example?

3 Replies

Mike.Cifelli
VIP Alumni

Does anyone know if we can configure Cisco ASA Remote Access VPN using ISE as a RADIUS server with Yubikey as two-factor authentication?

-I have a customer that uses Yubikey with certificates for a RAVPN connection. However, the setup is essentially cert auth against ASAs, then within the connection profiles I extract the UPN from the presented cert, which is then passed to ISE for proper authorization.

 

I read that there might be a password limitation of 32 characters and the Yubikey uses 132 characters.

-Can you share more detail on this statement?
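The certificate-plus-ISE-authorization pattern described in the reply above, sketched as an ASA configuration fragment. This is an added example, not configuration from the poster or from Cisco documentation linked in this thread; the server group name `ISE`, the tunnel-group name `RAVPN-CERT`, the interface name `inside`, the address `192.0.2.10` and the shared secret are placeholder assumptions.

```cisco
! Added example: all names, addresses and secrets below are placeholders.
!
! RADIUS server group pointing at ISE. "authorize-only" makes the ASA
! send authorization requests for users it has already authenticated
! by certificate, rather than asking ISE to check a password.
aaa-server ISE protocol radius
 authorize-only
aaa-server ISE (inside) host 192.0.2.10
 key <shared-secret>
!
! Connection profile: the user is authenticated by the client
! certificate only (for example one held on the YubiKey).
tunnel-group RAVPN-CERT type remote-access
tunnel-group RAVPN-CERT webvpn-attributes
 authentication certificate
!
! Take the username from the certificate's UPN, send it to ISE for
! authorization, and refuse the session if authorization fails.
tunnel-group RAVPN-CERT general-attributes
 authorization-server-group ISE
 username-from-certificate UPN
 authorization-required
```

The trustpoint used to validate client certificates and the group policy applied after authorization are not shown and depend on the deployment.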

Thanks for the reply Mike.

 

Your customer is using certificates but we need a token based solution.

 

Here is the URL for that character limit: https://www.reddit.com/r/networking/comments/4m7am9/yubikey_otp_implementation_with_cisco_anyconnect/?

 

nconroy
Cisco Employee

There are some compatibility issues with certain keys: 

 

This document will give you the compatibility and is pretty good with giving you an idea of a scope of using this: 

 

We have customers who use Yubikey, and most recently worked with a customer who is using Yubikey with a RADIUS server that was not ISE. Crossing multiple platforms, though, you will need to engage with several teams for solid documentation:

 

Yubikey Resources: 

https://support.yubico.com/hc/en-us/articles/360016649179-Securing-Cisco-AnyConnect-with-YubiKeys

 

Cisco Radius Guide: 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_radius.html