12-03-2021 09:26 AM
Hi Everyone,
Does anyone know if we can configure Cisco ASA Remote Access VPN using ISE as a RADIUS server with YubiKey as two-factor authentication? I read that there might be a password limitation of 32 characters and the YubiKey uses 132 characters.
If so, do you have any configuration example?
12-03-2021 11:45 AM - edited 12-03-2021 11:46 AM
Does anyone know if we can configure Cisco ASA Remote Access VPN using ISE as a RADIUS server with YubiKey as two-factor authentication?
- I have a customer that uses YubiKey with certificates for a RAVPN connection. However, the setup is essentially cert auth against the ASAs; then, within the connection profiles, I extract the UPN from the presented cert, which is then passed to ISE for proper authorization.
I read that there might be a password limitation of 32 characters and the YubiKey uses 132 characters.
- Can you share more detail on this statement?
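An added configuration sketch, not part of the reply above and not taken from the customer's deployment, showing the pattern it describes: certificate authentication on the ASA, the UPN taken from the client certificate in the connection profile, and that name sent to ISE over RADIUS for authorization only. The server group name, connection profile name, address pool, interface name, IP address and shared secret are all hypothetical placeholders, and a trustpoint for the CA that issues the YubiKey-held certificates is assumed to be configured already.

```text
! Added example. All names and addresses below are placeholders.
!
! RADIUS server group pointing at ISE (192.0.2.10 is a documentation address)
aaa-server ISE-RADIUS protocol radius
aaa-server ISE-RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
!
! Connection profile (tunnel group) for certificate-based remote access
tunnel-group RAVPN-CERT type remote-access
tunnel-group RAVPN-CERT general-attributes
 address-pool VPN-POOL
 ! No authentication-server-group for the user: the certificate is the credential.
 ! ISE is consulted only for authorization.
 authorization-server-group ISE-RADIUS
 ! Use the UPN from the presented certificate as the username sent to ISE
 username-from-certificate UPN
 ! Refuse the session if ISE does not return a successful authorization
 authorization-required
tunnel-group RAVPN-CERT webvpn-attributes
 ! Authenticate the client by certificate only (no password prompt)
 authentication certificate
 group-alias RAVPN-CERT enable
```

With `authorization-required` set, a user whose certificate validates but whose UPN ISE does not authorize is rejected rather than connected with default attributes.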
12-03-2021 12:49 PM
Thanks for the reply Mike.
Your customer is using certificates, but we need a token-based solution.
Here is the URL for that character limit: https://www.reddit.com/r/networking/comments/4m7am9/yubikey_otp_implementation_with_cisco_anyconnect/?
12-03-2021 12:51 PM
There are some compatibility issues with certain keys:
This document will give you the compatibility and is pretty good at giving you an idea of the scope of using this:
We have customers who use YubiKey; most recently we worked with a customer who is using YubiKey with a RADIUS server that was not ISE. Crossing multiple platforms, though, you will need to engage with several teams for solid documentation:
YubiKey Resources:
https://support.yubico.com/hc/en-us/articles/360016649179-Securing-Cisco-AnyConnect-with-YubiKeys
Cisco RADIUS Guide: