05-06-2019 07:24 AM - edited 02-21-2020 09:38 PM
All:
I've got a customer that has a business requirement for FIDO2 (WebAuthn) authentication for their VPN clients. They plan on using YubiKey or similar token hardware for end users to authenticate.
From what I've seen so far, this isn't supported in RADIUS yet - are there any plans to do so, in particular with AnyConnect?
05-06-2019 08:14 AM
This is not supported on AnyConnect as of today. I was able to get YubiKey OTP to work with AnyConnect in combination with Duo. This is a complicated manual setup though, and I would not recommend it for an admin with a lot of hardware tokens to manage.
The enhancement bug raised for U2F integration on AnyConnect is here:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvo19158
I would reach out to your Cisco Account Manager to see if there is any traction on this request.
05-07-2019 08:30 AM
Thanks for the quick reply! Very helpful.
After reading your reply I subsequently wondered if there'd be better luck for this if we used the thin client rather than the full AnyConnect client - perhaps that would add the client-side support needed for FIDO2 authentication? I worry that opens a can of worms over control of the browsers the end users have, and whether those browsers support FIDO2 as well, though.
05-07-2019 11:41 AM
Chris,
I think this would require some custom JavaScript to be installed on the ASA to let the U2F registration/verification process complete (hence validating the user), and a validation service like Duo/RSA that understands the hardware tokens. Duo had done something similar for their mobile token based service for clientless SSL VPN.
Unfortunately, I do not think there is any way to get U2F to work natively on the ASA.
10-07-2020 11:22 AM
Hi all, I think full FIDO2 functionality can be achieved by leveraging the SAML capabilities already available in ASA and AnyConnect 4.6 and up. The problem as I see it is that currently AnyConnect is using an embedded browser that does not support FIDO2 WebAuthn. Upgrading this component will fix this problem. It would be great to get an update on what Cisco's plans are to do this. We all have customers that are already using Azure AD, Duo, Okta, Ping and other FIDO2 and SAML capable Identity Providers, so this should be a very feasible integration. The embedded browser approach should take us there pretty quickly. Can someone at Cisco provide an update here on your plans for this?
10-09-2020 06:43 AM
Cisco only sporadically monitors these forums.
If you want the best outcome for your suggestion you should raise it through your Cisco Account Manager. Ask them to submit your request as a "Firestarter" request.
03-18-2022 03:13 AM
Hello, it is now the year 2022. We also have the problem that the internal browser of AnyConnect still does not support WebAuthn/FIDO2. We found some hints to enable the system browser, but in the current ASA config we do not find this feature.
Any hint on how we get FIDO2 running with ASA, AnyConnect and Azure?
03-22-2022 07:20 AM
Hello,
The external browser should work with current ASA software.
Release Notes for the Cisco ASA Series, 9.17(x) - Cisco
| Feature | Description |
| --- | --- |
| VPN Features | |
| Local tunnel id support for IKEv2 | Support has been added for local Tunnel id configuration for IKEv2. New/Modified commands: set ikev2 local-identity |
| Support for SAML Attributes with DAP constraint | Support has been added for SAML assertion attributes which can be used to make DAP policy selections. It also introduces the ability for a group-policy to be specified by the cisco_group_policy attribute. |
| Multiple SAML trustpoints in IDP configuration | This feature supports adding multiple IDP trustpoints per SAML IDP configuration for applications that support multiple applications for the same Entity ID. New/Modified commands: saml idp-trustpoint <trustpoint-name> |
| AnyConnect VPN SAML External Browser | You can now configure AnyConnect VPN SAML External Browser to enable additional authentication choices, such as passwordless authentication, WebAuthN, FIDO, SSO, U2F, and an improved SAML experience due to the persistence of cookies. When you use SAML as the primary authentication method for a remote access VPN connection profile, you can elect to have the AnyConnect client use the client's local browser instead of the AnyConnect embedded browser to perform the web authentication. This option enables single sign-on (SSO) between your VPN authentication and other corporate logins. Also choose this option if you want to support web authentication methods, such as biometric authentication and Yubikeys, that cannot be performed in the embedded browser. New/Modified commands: external-browser |
| VPN Load balancing with SAML | ASA now supports VPN load balancing with SAML authentication. |
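To make the release-note entry concrete, here is an added example of what the ASA side of such a setup looks like: a SAML identity provider definition plus a remote-access connection profile that uses SAML as primary authentication and hands the IdP login to the client's system browser, where WebAuthn/FIDO2 can run. This is not configuration from the thread or from Cisco documentation. The tenant id, hostnames, trustpoint names, group-policy and tunnel-group names are placeholders, Azure AD is only used as the example IdP, and the exact form of the external-browser keyword is assumed from the release note's "New/Modified commands: external-browser" and should be confirmed with context-sensitive help on the ASA.

```cisco
! Added example (not from the thread or Cisco docs). Placeholders:
! <tenant-id>, vpn.example.com, AZUREAD-IDP-CERT, ASA-SP-CERT, FIDO2-GP,
! FIDO2-SAML-TG. Trustpoints are assumed to be enrolled already:
! AZUREAD-IDP-CERT holds the IdP signing cert, ASA-SP-CERT the ASA's own cert.

! 1. SAML identity provider definition under webvpn
webvpn
 enable outside
 anyconnect enable
 saml idp https://sts.windows.net/<tenant-id>/
  url sign-in https://login.microsoftonline.com/<tenant-id>/saml2
  url sign-out https://login.microsoftonline.com/<tenant-id>/saml2
  ! base-url must match the ACS/reply URL registered at the IdP,
  ! because the browser posts the assertion back to this address
  base-url https://vpn.example.com
  trustpoint idp AZUREAD-IDP-CERT
  trustpoint sp ASA-SP-CERT
  no signature
  force re-authentication

! 2. Group policy for the SAML users (tunnel settings omitted for brevity)
group-policy FIDO2-GP internal
group-policy FIDO2-GP attributes
 vpn-tunnel-protocol ssl-client

! 3. Connection profile: SAML primary auth, login in the system browser
tunnel-group FIDO2-SAML-TG type remote-access
tunnel-group FIDO2-SAML-TG general-attributes
 default-group-policy FIDO2-GP
tunnel-group FIDO2-SAML-TG webvpn-attributes
 authentication saml
 saml identity-provider https://sts.windows.net/<tenant-id>/
 ! assumed syntax for the 9.17 feature; without this line the same profile
 ! runs the IdP login inside the AnyConnect embedded browser, which is the
 ! component the earlier posts identify as lacking WebAuthn support
 saml external-browser
 group-alias FIDO2-VPN enable
```

Two points worth checking when deploying this: the ASA has no part in the FIDO2 ceremony itself, so the security key policy (which authenticators are allowed, whether user verification is required) is enforced entirely at the IdP, and the ASA only consumes the resulting SAML assertion; and because the assertion returns through the user's default browser, the base-url must be reachable by that browser and the IdP's reply URL must match it exactly, or the login completes at the IdP but the VPN session never establishes.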