ASA and Phonefactor Authentication


Introduction

This document describes a scenario in which a user wants the ASA to authenticate AnyConnect users with PhoneFactor authentication.

Prerequisites

  • ASA 5510
  • IOS version 8.2(1)
  • ASDM

Problem

In an existing setup, the user wants the ASA to authenticate AnyConnect users by using PhoneFactor authentication.

Solution

The user needs to complete the following two tasks:

  1. Upgrade ASDM
  2. Configure ASA for RADIUS

Upgrading ASDM

1. Go to file management:

[Screenshot: ASDM_FILE_MANAGEMENT (3).bmp]

2. Select "Between Local PC and Flash":

[Screenshot: ASDM_FILE_TRANSFER (4).bmp]

3. Select the image from your local folder and copy it to "disk0:":

[Screenshot: ASDM_IMAGE_TRANSFER (5).bmp]

4. Finally, define the ASDM image:

[Screenshot: ASDM_ENABLE_IMAGE (6).bmp]

5. Quit the active ASDM session and connect again so that the new image is loaded.

ASA and Phonefactor

For this, the user needs to configure the ASA to send RADIUS requests to PhoneFactor and to set the RADIUS timeout on the ASA so that it does not give up while waiting for PhoneFactor to respond. PhoneFactor only answers after the user has taken the phone call, so both the ASA and the AnyConnect client need a timeout long enough for the call to take place and a response to come back.

By default, AnyConnect waits up to 12 seconds for an authentication response from the ASA before terminating the connection attempt. The user can change this value in the XML profile as follows.

Setting the authentication timeout to 90 seconds:

<ClientInitialization>
    <AuthenticationTimeout>90</AuthenticationTimeout>
</ClientInitialization>


Guidelines for reading the screenshot below:

Blue: Current user and privilege level.

Black: Steps to open and create a new XML profile.

Green: Complete configuration path.

[Screenshot: AnyConnect+profile+ASDM (1).bmp]

If you have previously defined the group-policy, you can assign it while creating the XML profile. Once you have the profile, you must make this change:

[Screenshot: AnyConnect+profile_authentication+timeout_+ASDM (2).bmp]

The user may also add or edit other features in this XML profile; in the image only the authentication timeout value is edited.
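As an added example (not from the original document or from Cisco), the following Python script sets AuthenticationTimeout in an AnyConnect XML profile, creating the element when it is missing, and checks that the client timeout covers the ASA's RADIUS timeout and the expected duration of the phone call. The sample profile, the hostname vpn.example.com and the profile namespace are assumptions.

```python
import xml.etree.ElementTree as ET

# Default namespace used by AnyConnect profiles (assumption based on the
# AnyConnectProfile.xsd shipped with the client).
NS = "http://schemas.xmlsoap.org/encoding/"
ET.register_namespace("", NS)

DEFAULT_CLIENT_TIMEOUT = 12  # AnyConnect default, in seconds

# Constructed minimal profile with no AuthenticationTimeout, so the client
# would fall back to its 12-second default.
SAMPLE_PROFILE = f"""<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="{NS}">
  <ClientInitialization>
    <UseStartBeforeLogon>false</UseStartBeforeLogon>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn.example.com</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""


def get_auth_timeout(profile_xml: str) -> int:
    """Return the profile's AuthenticationTimeout, or the client default if absent."""
    root = ET.fromstring(profile_xml)
    node = root.find(f"{{{NS}}}ClientInitialization/{{{NS}}}AuthenticationTimeout")
    return int(node.text) if node is not None and node.text else DEFAULT_CLIENT_TIMEOUT


def set_auth_timeout(profile_xml: str, seconds: int) -> str:
    """Return a copy of the profile with AuthenticationTimeout set to `seconds`."""
    root = ET.fromstring(profile_xml)
    init = root.find(f"{{{NS}}}ClientInitialization")
    if init is None:  # profile has no ClientInitialization block yet
        init = ET.SubElement(root, f"{{{NS}}}ClientInitialization")
    node = init.find(f"{{{NS}}}AuthenticationTimeout")
    if node is None:
        node = ET.SubElement(init, f"{{{NS}}}AuthenticationTimeout")
    node.text = str(seconds)
    return ET.tostring(root, encoding="unicode")


def timeouts_consistent(client_timeout: int, asa_radius_timeout: int, call_seconds: int) -> bool:
    """Simplified check: the ASA must outwait the phone call, and the client must
    outwait the ASA, otherwise one side drops the login before PhoneFactor answers."""
    return asa_radius_timeout >= call_seconds and client_timeout >= asa_radius_timeout
```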

Source Discussion

This document was generated from the following discussion: ASA and Phonefactor

Comments

I've been trying to do this for a very long time and it doesn't work for us unfortunately. Not sure if I'm doing something wrong but even Cisco TAC gave up on this before. They said that you should be successfully authenticated before the XML profile can be downloaded to your device but how can you get authenticated if the Anyconnect software will keep on looping on the login prompt?

Silver

Hi John,


Can you please provide some details regarding the scenario so that it can be recreated at my end and I can try to find a solution for your issue.

You can send the info through Private Message to me.


Regards,

Anim Saxena

Community Manager (Security)

I cannot find a way here to send you a private message.

Silver

Hi John, I am attaching a screenshot from which you can see the option of messages in my profile.

Regards,

Anim Saxena

Community Manager (Security)

New Member

We are currently having issues with PhoneFactor. When you use the SSL VPN, the phone rings, you authenticate, but it still fails with the message "Primary authentication failed. Access Denied", and then the phone rings two more times after the failure.

If we use the AnyConnect client, we get the phone call and authenticate, but the login still fails. We don't receive any more calls after that first one. Weird behavior. I currently have a ticket open with the TAC but have not gotten much help with this.

New Member

We finally got this going. It seems what worked for us was installing the latest software for both the Azure Multi-Factor Authentication Server (v6.3.1) and the ASA (we have a 5520, v9.1.6(8)). PhoneFactor now works on both SSL VPN and AnyConnect clients.

New Member

Export the XML file created above to your computer. Place the file where all the XML profiles are contained. The default folder should be something similar to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\

The next time you attempt to connect, AnyConnect will read the XML file and know to wait 90 seconds before closing the login attempt.
