soft token integration with AnyConnect

weichenberger1
Level 1

Greetings All,

 

I have recently configured AnyConnect on an ASA 5525 for our corporate remote access solution. My manager, though, wants me to integrate some sort of soft token with AnyConnect and I have no idea where to start. Can someone point me in the right direction towards a solution? What are my choices of soft token solutions? Do I need to pay for them? Is there a Cisco white paper or something of the sort that might be useful? 

 

Thank You

4 Replies

Marvin Rhoads
Hall of Fame

What you're asking about is commonly referred to as 2-factor authentication. It's commonly implemented with Cisco remote access VPNs and there are several ways you can do it depending on how you're currently authenticating (local usernames, Active Directory, RADIUS servers etc.) and whether or not you use a PKI for certificate services.

I have had good experience with a 3rd-party company, Duo Security. They have a pretty easy-to-set-up system and it's subscription-based with a free trial period. Their website has a step-by-step guide on setting it up with an ASA for both the modern AnyConnect SSL VPN as well as the older Cisco VPN client with IKEv1 IPsec.

Our current remote access solution is utilizing SecureAuth and LDAP. Now we are using a self-signed cert but still need to add a soft token. I am a complete newbie to the ASA world, so please forgive the stupid questions. Is Duo Security expensive?

You say "soft token".

I'd say that's a form factor for the two-factor vendor - some of them offer their product in a hardware fob (little device with an LCD screen that updates a PIN every minute or so) and a software solution (i.e. an app on your smart phone).

Is that what you mean? If so, whatever vendor you are using has an implementation guide for that and using the hardware or software token / fob is all the same to the ASA.

Hello Marvin,

I am in the process of configuring AnyConnect v.4.4 and I am running into the following issue, which I hope you can please help me with. I am testing the AnyConnect client on IOS and I have a Windows 2008 Server Manager where RADIUS authentication is done. When I attempt to connect the client, the AUTH RADIUS server replies with "RADIUS_ACCESS_ACCEPT: normal termination" but the AnyConnect /opt/var/system.log shows that the login failed due to:

 

Feb  1 20:09:26 admins-MBP-3.attlocal.net Cisco AnyConnect Secure Mobility Client[7941]: Function: getPreference File: ../../vpn/Api/PreferenceInfoBase.cpp Line: 269 Invoked Function: getPreference Return Code: 0 (0x00000000) Description: Invalid preference 45

Feb  1 20:09:26 admins-MBP-3.attlocal.net Cisco AnyConnect Secure Mobility Client[7941]: Function: isSWEnabled File: ../../vpn/Api/SDIMgr.cpp Line: 1027 Invoked Function: PreferenceMgr::getPreference Return Code: -30343157 (0xFE31000B) Description: PREFERENCEMGR_ERROR_PREFERENCE_NOT_FOUND SafeWordSofTokenIntegration

Feb  1 20:09:26 admins-MBP-3.attlocal.net Cisco AnyConnect Secure Mobility Client[7941]: Function: ProcessPromptData File: ../../vpn/Api/SDIMgr.cpp Line: 336 Authentication is not token based (OTP).

Feb  1 20:09:26 admins-MBP-3.attlocal.net Cisco AnyConnect Secure Mobility Client[7941]: Unknown node.  Expected 'title' or 'layout' but got 'closebutton'.

Feb  1 20:09:34 admins-MBP-3.attlocal.net Cisco AnyConnect Secure Mobility Client[7941]: Function: userResponse File: ../../vpn/Api/ConnectMgr.cpp Line: 1400 Processing user response.

Feb  1 20:09:34 admins-MBP-3.attlocal.net Cisco AnyConnect Secure Mobility Client[7941]: The following error message was received from the secure gateway: Login failed.

Feb  1 20:09:34 admins-MBP-3.attlocal.net Cisco AnyConnect Secure Mobility Client[7941]: Function: getPreference File: ../../vpn/Api/PreferenceInfoBase.cpp Line: 269 Invoked Function: getPreference Return Code: 0 (0x00000000) Description: Invalid preference 45

Feb  1 20:09:34 admins-MBP-3.attlocal.net Cisco AnyConnect Secure Mobility Client[7941]: Function: isSWEnabled File: ../../vpn/Api/SDIMgr.cpp Line: 1027 Invoked Function: PreferenceMgr::getPreference Return Code: -30343157 (0xFE31000B) Description: PREFERENCEMGR_ERROR_PREFERENCE_NOT_FOUND SafeWordSofTokenIntegration

Feb  1 20:09:34 admins-MBP-3.attlocal.net Cisco AnyConnect Secure Mobility Client[7941]: Function: ProcessPromptData File: ../../vpn/Api/SDIMgr.cpp Line: 336 Authentication is not token based (OTP).

Feb  1 20:09:34 admins-MBP-3.attlocal.net Cisco AnyConnect Secure Mobility Client[7941]: Message type prompt sent to the user: Login failed.

Feb  1 20:09:34 admins-MBP-3.attlocal.net Cisco AnyConnect Secure Mobility Client[7941]: Unknown node.  Expected 'title' or 'layout' but got 'closebutton'.

 

Could you please help me understand the cause of this issue?

 

Thanks a lot,
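
One way to sort a client log like the one in the post above into what the secure gateway reported and what the client's own trace lines say, as an added example that is not part of the original thread or any Cisco tooling. The regular expressions and the `triage` function are assumptions fitted to the lines as posted; the sample lines are copied from that post.

```python
import re
from collections import Counter

# Sample lines copied from the log in the post above.
SAMPLE_LOG = """\
Feb  1 20:09:26 admins-MBP-3.attlocal.net Cisco AnyConnect Secure Mobility Client[7941]: Function: getPreference File: ../../vpn/Api/PreferenceInfoBase.cpp Line: 269 Invoked Function: getPreference Return Code: 0 (0x00000000) Description: Invalid preference 45
Feb  1 20:09:26 admins-MBP-3.attlocal.net Cisco AnyConnect Secure Mobility Client[7941]: Function: isSWEnabled File: ../../vpn/Api/SDIMgr.cpp Line: 1027 Invoked Function: PreferenceMgr::getPreference Return Code: -30343157 (0xFE31000B) Description: PREFERENCEMGR_ERROR_PREFERENCE_NOT_FOUND SafeWordSofTokenIntegration
Feb  1 20:09:26 admins-MBP-3.attlocal.net Cisco AnyConnect Secure Mobility Client[7941]: Function: ProcessPromptData File: ../../vpn/Api/SDIMgr.cpp Line: 336 Authentication is not token based (OTP).
Feb  1 20:09:34 admins-MBP-3.attlocal.net Cisco AnyConnect Secure Mobility Client[7941]: The following error message was received from the secure gateway: Login failed.
Feb  1 20:09:34 admins-MBP-3.attlocal.net Cisco AnyConnect Secure Mobility Client[7941]: Function: isSWEnabled File: ../../vpn/Api/SDIMgr.cpp Line: 1027 Invoked Function: PreferenceMgr::getPreference Return Code: -30343157 (0xFE31000B) Description: PREFERENCEMGR_ERROR_PREFERENCE_NOT_FOUND SafeWordSofTokenIntegration
"""

# Syslog prefix: timestamp, host, process name, [pid], then the message body.
HEADER = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>.+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Client trace line: function, source file, line number, then free text.
TRACE = re.compile(r"^Function: (?P<func>\S+) File: (?P<file>\S+) Line: (?P<line>\d+)\s*(?P<rest>.*)$")
RETURN_CODE = re.compile(r"Return Code: (?P<rc>-?\d+) \((?P<hex>0x[0-9A-Fa-f]+)\) Description: (?P<desc>.*)$")
GATEWAY = re.compile(r"received from the secure gateway: (?P<text>.*)$")


def triage(log_text):
    """Split a client log into gateway messages, non-zero return codes and trace notes."""
    gateway, errors, notes = [], Counter(), []
    for raw in log_text.splitlines():
        header = HEADER.match(raw.strip())
        if not header:
            continue  # not a syslog-style line
        ts, msg = header["ts"], header["msg"]
        from_gateway = GATEWAY.search(msg)
        if from_gateway:
            gateway.append((ts, from_gateway["text"]))  # text the headend sent back
            continue
        trace = TRACE.match(msg)
        if not trace:
            continue
        rc = RETURN_CODE.search(trace["rest"])
        if rc and int(rc["rc"]) != 0:
            # Count repeats so a recurring client-side code shows up once with a tally.
            errors[(trace["func"], rc["hex"], rc["desc"])] += 1
        elif not rc and trace["rest"]:
            notes.append((ts, trace["func"], trace["rest"]))
    return {"gateway": gateway, "errors": errors, "notes": notes}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section, dict(items) if isinstance(items, Counter) else items)
```
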