cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
73750
Views
22
Helpful
23
Replies

Two-factor Authentication Recommendations for ASA 5510 VPN

smiths@prpa.org
Level 1
Level 1

Hello,

I'm wondering what people are using and/or recommending for two-factor authentication for VPN users on the Cisco ASA platform?

Steve

23 Replies 23

Collin Clark
VIP Alumni
VIP Alumni

We've always used AD authentication along with a hard token (RSA).

Hi Collin,

Can you please share with your setup? I'm looking for a same solution to deploy two factor authentication to used

used AD authentication along with RSA token.

Thanks,

Jim

Jim:

To use any two-factor auth server with AD, you can use NPS, the MS radius plugin.  This page will give you an overview, but you will want to see the MS documentation for specific details: http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-add-two-factor-authentication-to-nps

Essentially, NPS will do the authorization in AD based on the connection request policy and then to the authentication to the two-factor authentication server.  Using radius also allow you to add 2FA to a bunch of other services, such as PAM for ssh if you would need that.

We used to use Active Directory and RSA and recently moved away from hardware tokens (cost/maintenance).

 

There are a few solutions out there which integrate with AD for first factor and then have an app for second factor on a smartphone. We settled on LoginTC:

 

https://www.logintc.com/docs/connectors/cisco-asa.html

We use Microsoft Authenticator. Works perfectly.

Could you please provide any documentation on how to set Microsoft Authenticator as the second factor in authentication after NPS?

You can use RSA or Vasco hardware tokens.

Rgds/DP

Sent from Cisco Technical Support Android App

nowen
Level 1
Level 1

We have a lot of customers using WiKID with Ciscos.  You can get an eval download here: http://www.wikidsystems.com/downloads.  We also have some registration-free white papers here: http://www.wikidsystems.com/learn-more/two-factor-authentication-white-papers, including one on evaluation two-factor authentication options.  Consider the source, of course ;-).

HTH,

Nick    

Nilo Noguera
Level 5
Level 5

The Two-factor authentication is a security process in which the user provides two means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code. In this context, the two factors involved are sometimes spoken of as something you have and something you know.

On the other hand we have Double Authentication, in this case username/password plus Certificate Authentication. I'm assuming that the one you will like to accomplish is this one, since you're looking for 3rd party certificate authentication.

There are third party vendors which we can use for two-factor authentication.

RSA: http://www.rsa.com/rsasecured/guides/solutions/CSCO_VPN_PB_0706.pdf

Nordic: http://www.nordicedge.se/cisco

Secure Auth:

http://www.scmagazineus.com/multi-factor-authentication-secureauth-for-ssl-v

pn/review/1146/

         "niLz"

Nilo Noguera Jr. 
| Specialist, Virtual Engineering - Partner Helpline Organization 
together we are the human network

"niLz" Nilo Noguera Jr. | Specialist, Virtual Engineering - Partner Helpline Organization together we are the human network

Dear Nilz

I have a requirement to integrate the Cisco VPN (Cisco VPN Client for Remote Access IPSec VPNs etc.) with OTP system (One Time Password) only.

I already have OTP system deployed in my network. And i already have remote access VPN configured on the ASA , now i have a requirement to integrate users which are using Remote access VPN to integrate with currently deployed OTP system. I want to know what configuration needs to be done on the ASA.

Appreciate your response on this.

We can configure the ASA  to allow SDI authentication (OTP)  in either
of the following modes: 

* Native SDI refers to the native ability in the secure gateway to
communicate directly with the SDI server for handling SDI
authentication. 

*RADIUS SDI refers to the process of the secure gateway performing SDI
authentication using a RADIUS SDI proxy, which communicates with the SDI
server. 
"niLz" Nilo Noguera Jr. | Specialist, Virtual Engineering - Partner Helpline Organization together we are the human network

Dear Nilo

Thanks for the prompt response.

I have the OTP system which support HTTP protocol and I want to integrate cisco VPN client with my OTP system.

Can you please let me know what configuration is required on ASA

I really in urgency.

Dear Nilo

After the integration of Remote Access VPN client with OTP, Is it possible that VPN client will first only prompt username and password fild will be grayed out or remain blank or not not shown and when i click ok after putting username then it will prompt for OTP password.

My OTP server supports http protocol. Is it possible to integrate remote access VPN client with OTP server using http protocol

Dear Nilo

Appreciate if you could spare some time to respond on the requested query

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: