Showing results for 
Search instead for 
Did you mean: 

Two-factor Authentication Recommendations for ASA 5510 VPN


I'm wondering what people are using and/or recommending for two-factor authentication for VPN users on the Cisco ASA platform?


Collin Clark

We've always used AD authentication along with a hard token (RSA).

Hi Collin,

Can you please share with your setup? I'm looking for a same solution to deploy two factor authentication to used

used AD authentication along with RSA token.




To use any two-factor auth server with AD, you can use NPS, the MS radius plugin.  This page will give you an overview, but you will want to see the MS documentation for specific details:

Essentially, NPS will do the authorization in AD based on the connection request policy and then to the authentication to the two-factor authentication server.  Using radius also allow you to add 2FA to a bunch of other services, such as PAM for ssh if you would need that.

We used to use Active Directory and RSA and recently moved away from hardware tokens (cost/maintenance).


There are a few solutions out there which integrate with AD for first factor and then have an app for second factor on a smartphone. We settled on LoginTC:

We use Microsoft Authenticator. Works perfectly.

Could you please provide any documentation on how to set Microsoft Authenticator as the second factor in authentication after NPS?

Durga Prasad M.S

You can use RSA or Vasco hardware tokens.


Sent from Cisco Technical Support Android App


We have a lot of customers using WiKID with Ciscos.  You can get an eval download here:  We also have some registration-free white papers here:, including one on evaluation two-factor authentication options.  Consider the source, of course ;-).



Nilo Noguera

The Two-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code. In this context, the two factors involved are sometimes spoken of as something you have and something you know.

On the other hand we have Double Authentication, in this case username/password plus Certificate Authentication. I'm assuming that the one you will like to accomplish is this one, since you're looking for 3rd party certificate authentication.

There are third party vendors which we can use for two-factor authentication.



Secure Auth:



Nilo Noguera Jr. 
| Specialist, Virtual Engineering - Partner Helpline Organization 
together we are the human network

"niLz" Nilo Noguera Jr. | Specialist, Virtual Engineering - Partner Helpline Organization together we are the human network

Dear Nilz

I have a requirement to integrate the Cisco VPN (Cisco VPN Client for Remote Access IPSec VPNs etc.) with OTP system (One Time Password) only.

I already have OTP system deployed in my network. And i already have remote access VPN configured on the ASA , now i have a requirement to integrate users which are using Remote access VPN to integrate with currently deployed OTP system. I want to know what configuration needs to be done on the ASA.

Appreciate your response on this.

We can configure the ASA  to allow SDI authentication (OTP)  in either
of the following modes: 

* Native SDI refers to the native ability in the secure gateway to
communicate directly with the SDI server for handling SDI

*RADIUS SDI refers to the process of the secure gateway performing SDI
authentication using a RADIUS SDI proxy, which communicates with the SDI
"niLz" Nilo Noguera Jr. | Specialist, Virtual Engineering - Partner Helpline Organization together we are the human network

Dear Nilo

Thanks for the prompt response.

I have the OTP system which support HTTP protocol and I want to integrate cisco VPN client with my OTP system.

Can you please let me know what configuration is required on ASA

I really in urgency.

Dear Nilo

After the integration of Remote Access VPN client with OTP, Is it possible that VPN client will first only prompt username and password fild will be grayed out or remain blank or not not shown and when i click ok after putting username then it will prompt for OTP password.

My OTP server supports http protocol. Is it possible to integrate remote access VPN client with OTP server using http protocol

Dear Nilo

Appreciate if you could spare some time to respond on the requested query