74850 Views | 22 Helpful | 23 Replies

Two-factor Authentication Recommendations for ASA 5510 VPN

smiths@prpa.org
Level 1

Hello,

I'm wondering what people are using and/or recommending for two-factor authentication for VPN users on the Cisco ASA platform?

Steve

23 Replies

Collin Clark
VIP Alumni

We've always used AD authentication along with a hard token (RSA).

Hi Collin,

Can you please share your setup? I'm looking for the same solution to deploy two-factor authentication using AD authentication along with an RSA token.

Thanks,

Jim

Jim:

To use any two-factor auth server with AD, you can use NPS, the MS RADIUS plugin. This page will give you an overview, but you will want to see the MS documentation for specific details: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps

Essentially, NPS will do the authorization in AD based on the connection request policy and then do the authentication against the two-factor authentication server. Using RADIUS also allows you to add 2FA to a bunch of other services, such as PAM for SSH if you need that.

We used to use Active Directory and RSA and recently moved away from hardware tokens (cost/maintenance).

There are a few solutions out there which integrate with AD for the first factor and then have an app for the second factor on a smartphone. We settled on LoginTC:

https://www.logintc.com/docs/connectors/cisco-asa.html

We use Microsoft Authenticator. Works perfectly.

Could you please provide any documentation on how to set Microsoft Authenticator as the second factor in authentication after NPS?

You can use RSA or Vasco hardware tokens.

Rgds/DP

Sent from Cisco Technical Support Android App

nowen
Level 1

We have a lot of customers using WiKID with Ciscos. You can get an eval download here: http://www.wikidsystems.com/downloads. We also have some registration-free white papers here: http://www.wikidsystems.com/learn-more/two-factor-authentication-white-papers, including one on evaluating two-factor authentication options. Consider the source, of course ;-).

HTH,

Nick    

Nilo Noguera
Level 5

Two-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code. In this context, the two factors involved are sometimes spoken of as something you have and something you know.

On the other hand, we have Double Authentication, in this case username/password plus certificate authentication. I'm assuming that the one you would like to accomplish is this one, since you're looking for 3rd party certificate authentication.

There are third party vendors which we can use for two-factor authentication.

RSA: http://www.rsa.com/rsasecured/guides/solutions/CSCO_VPN_PB_0706.pdf

Nordic: http://www.nordicedge.se/cisco

Secure Auth: http://www.scmagazineus.com/multi-factor-authentication-secureauth-for-ssl-vpn/review/1146/

"niLz" Nilo Noguera Jr. | Specialist, Virtual Engineering - Partner Helpline Organization together we are the human network

Dear Nilz

I have a requirement to integrate the Cisco VPN (Cisco VPN Client for Remote Access IPsec VPNs etc.) with an OTP (One Time Password) system only.

I already have an OTP system deployed in my network, and I already have remote access VPN configured on the ASA. Now I have a requirement to integrate the users who are using remote access VPN with the currently deployed OTP system. I want to know what configuration needs to be done on the ASA.

Appreciate your response on this.

We can configure the ASA to allow SDI authentication (OTP) in either of the following modes:

* Native SDI refers to the native ability in the secure gateway to communicate directly with the SDI server for handling SDI authentication.

* RADIUS SDI refers to the process of the secure gateway performing SDI authentication using a RADIUS SDI proxy, which communicates with the SDI server.

"niLz" Nilo Noguera Jr. | Specialist, Virtual Engineering - Partner Helpline Organization together we are the human network
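Added example, not taken from any post in this thread: a self-contained Python simulation of the RADIUS exchange that sits behind both the NPS approach mentioned earlier and the "RADIUS SDI" mode above, with the ASA side and the RADIUS/OTP side in one script. It builds RFC 2865 packets, hides User-Password with the shared secret, answers a correct first-factor password with an Access-Challenge carrying a State attribute (the mechanism that makes a VPN client show a separate OTP prompt), verifies the OTP on the second Access-Request, and checks the Response Authenticator on every reply so a forged or mis-routed reply is rejected. The user name, passwords, OTP code and shared secret are constructed placeholders, and the static OTP table stands in for a real OTP backend; on a real ASA the `aaa-server` group would point at NPS or the vendor's proxy instead of this in-process function.

```python
"""Simulated RADIUS two-step login (password, then OTP) using RFC 2865 framing.

Both sides live in one process so the exchange can be run offline; all
credentials and the shared secret are constructed for the demo only.
"""
import hashlib
import os
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

SHARED_SECRET = b"constructed-shared-secret"   # constructed; never reuse a demo secret
AD_PASSWORDS = {"jim": "Passw0rd!"}             # constructed first-factor (AD) password
VALID_OTP = {"jim": "482913"}                   # constructed; real OTPs come from a token server


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the chain key is the previous ciphertext block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are TLVs: type (1 byte), total length (1 byte), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field does not match packet size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


# --- server side: stands in for NPS / the RADIUS SDI proxy plus its OTP backend ---
pending_state = {}  # State token -> user name waiting for the OTP step


def radius_server(request: bytes) -> bytes:
    code, ident, req_auth, attrs = parse_packet(request)
    a = dict(attrs)
    user = a[USER_NAME].decode()
    pw = reveal_password(a[USER_PASSWORD], SHARED_SECRET, req_auth).decode()
    if STATE in a:                                   # second step: State echoed back, password holds the OTP
        expected_user = pending_state.pop(a[STATE], None)   # one-shot: a State is never reusable
        if expected_user == user and VALID_OTP.get(user) == pw:
            reply_code, reply_attrs = ACCESS_ACCEPT, [(REPLY_MESSAGE, b"OTP accepted")]
        else:
            reply_code, reply_attrs = ACCESS_REJECT, [(REPLY_MESSAGE, b"Bad OTP")]
    elif AD_PASSWORDS.get(user) == pw:              # first step: first factor is good, ask for the OTP
        state = secrets.token_bytes(8)
        pending_state[state] = user
        reply_code, reply_attrs = ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter OTP"), (STATE, state)]
    else:
        reply_code, reply_attrs = ACCESS_REJECT, [(REPLY_MESSAGE, b"Bad password")]
    resp_auth = response_authenticator(reply_code, ident, req_auth, reply_attrs, SHARED_SECRET)
    return build_packet(reply_code, ident, resp_auth, reply_attrs)


# --- client side: stands in for the ASA acting as the RADIUS NAS ---
def send_request(ident, user, secret_text, state=None):
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(secret_text.encode(), SHARED_SECRET, req_auth))]
    if state is not None:
        attrs.append((STATE, state))
    reply = radius_server(build_packet(ACCESS_REQUEST, ident, req_auth, attrs))
    code, rid, resp_auth, rattrs = parse_packet(reply)
    if rid != ident or resp_auth != response_authenticator(code, rid, req_auth, rattrs, SHARED_SECRET):
        raise ValueError("Response Authenticator mismatch: reply was not produced with our shared secret")
    return code, dict(rattrs)


def authenticate(user: str, password: str, otp: str) -> bool:
    """Drive the login as the ASA would: password first, OTP only if challenged."""
    code, attrs = send_request(1, user, password)
    if code != ACCESS_CHALLENGE:
        return False
    code, _ = send_request(2, user, otp, state=attrs[STATE])
    return code == ACCESS_ACCEPT


if __name__ == "__main__":
    print("good login :", authenticate("jim", "Passw0rd!", "482913"))
    print("bad passwd :", authenticate("jim", "wrong", "482913"))
    print("bad OTP    :", authenticate("jim", "Passw0rd!", "000000"))
```

The Access-Challenge/State round trip is the same whichever product answers the RADIUS request, so the script is a useful mental model when reading a capture between the ASA and the proxy: the first Access-Request carries the AD password, the challenge carries the prompt text the client displays, and the second Access-Request carries the OTP with the State copied back unchanged.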

Dear Nilo

Thanks for the prompt response.

I have an OTP system which supports the HTTP protocol, and I want to integrate the Cisco VPN client with my OTP system.

Can you please let me know what configuration is required on the ASA?

I really am in urgency.

Dear Nilo

After the integration of the Remote Access VPN client with OTP, is it possible that the VPN client will first prompt only for the username, with the password field grayed out, blank or not shown, and then, when I click OK after entering the username, it will prompt for the OTP password?

My OTP server supports the HTTP protocol. Is it possible to integrate the remote access VPN client with the OTP server using the HTTP protocol?

Dear Nilo

Appreciate if you could spare some time to respond on the requested query