cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6268
Views
14
Helpful
9
Replies

Phonefactor two authentication with ASA

rmrahman0302
Level 1
Level 1

Hi,

My client is looking for phonefactor two way authentication integration with Cisco ASA, Anybody has done this integration with ASA ?

Thanks.

9 Replies 9

Jennifer Halim
Cisco Employee
Cisco Employee

Unfortunately ASA does not support "native" integration with phone factor 2 factor authentication.

Please kindly find the following on what authentication is supported on ASA for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/access_aaa.html

sl_bishop
Level 1
Level 1

PhoneFactor absolutely works with Cisco ASA and is a very common implementation for them.  First, you install the PhoneFactor Agent on a Windows server that is joined to your domain behind your firewall.  Once installed and activated, you configure a RADIUS client within the Agent with the Cisco ASA's IP address.  You also specify the shared secret that will be used for your RADIUS target in the ASA.  You then go into the Cisco ASA and configure the RADIUS authentication target which points to the PhoneFactor Agent.  You specify the PhoneFactor Agent's IP address and the same shared secret configured in the PhoneFactor Agent.  You must also set the RADIUS timeout to at least 30 seconds (45 recommended) so that you have enough time to complete the two-factor authentication before the ASA times out.

If you are pulling group membership from Active Directory or using an LDAP target for your user store, you could use LDAP authentication instead of RADIUS authentication.  If you contact PhoneFactor (1.877.668.6536), they can provide documentation and/or assistance on how to setup the PhoneFactor Agent to receive the RADIUS or LDAP authentication requests from the ASA.

Great, thanks Shawn for sharing. Great explaination too..

Hi Shawn,

Thanks for your reply. So, for my clarification, I have to setup the RADIUS server host on ASA pointing to the phonefactor agent address and the secret key.

aaa-server phonefactor host 1.1.1.1 (IP address of the Phonefactor agent)

key cisco

authentication-port 1812
accounting-port 1813

Thanks.

That is correct.  The ASA will then send its RADIUS authentication request to the PhoneFactor Agent.  If PhoneFactor has been configured to receive the RADIUS request from that client, it can then validate the username and password provided by the ASA against Active Directory, another LDAP target or another RADIUS server.  If those first-factor credentials are correct, it will then perform the second-factor authentication by calling the phone of the user who is logging in.

Hi Shawn,

We did configure the ASA with  the folowing config:

aaa-server RadiusServers (inside) host 172.16.1.100 (Phonefactor agent address)

timeout 60

key cisco

authentication-port 1812

accounting-port 1813

and on Phone factor aggent we did configure ASA's inside interface address and the key cisco. The problem is the phone factor agent is not getting any request from ASA. Anything I need to check on the ASA or at the agent?

Thanks.

If there are any firewalls in between the ASA and the PhoneFactor Agent, the RADIUS ports (1812, 1813) must be open in them.  To determine whether the PhoneFactor Agent is receiving the RADIUS request or not, you should check the PhoneFactorRadiusSvc.log in the C:\Program Files\PhoneFactor\Logs folder (assuming you installed in the default location and have enabled RADIUS Authentication in the Agent).  If the Agent is receiving the RADIUS request, but authentication is failing, please contact your PhoneFactor sale representative who can have a sales engineer take a look and help you determine what is not configured correctly.

Hi Shawn,

There is no oher firewall in between and we have checked the log file. It shows that no request is coming from the ASA rather than it shows the request is coming from another windows server (which is not configured to send any request to phone factor) . Any idea?

Are you sure of your IP addresses?  Do the RADIUS requests you see in the PhoneFactor logs correspond with the times you have tried to authenticate through the ASA?  Do the ASA logs give you and indication of what happens when you try to login?  If the IP addresses are correct, the ASA should be sending its RADIUS request to PhoneFactor, and PhoneFactor should be listening for the RADIUS request from that client.  Just for kicks, try adding the IP address that you are seeing in the PhoneFactor RADIUS log as a RADIUS client in the agent, try your authentication and see if it goes through.  If you are still stuck, call PhoneFactor and ask them to have a Sales Engineer or Support Engineer walk through your configuration with you via WebEx.  It sounds like something simple isn't configured quite right.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: