Cisco Support Community

New Member

Dual Factor Authentication for AnyConnect Clients


I am looking to replace my aging RSA devices with something, and I want to know if Cisco sells something that integrates easier than RSA Auth Manager.

Here is my setup:

I have an ASA in the East coast office running 8.3(2) and hundreds of VPN clients with about 7 vpn groups. 3 of the vpn groups use token-based access. No user can log on using another vpn group. I have another ASA on the West coast running 8.0.5 for DR.

I want to know if Cisco sells something that integrates with the ASAs to do dual factor authentication and will authorize based on AD groups or some other attribute. The same token should work on the ASA on the West Coast if they had to log on there.




Re: Dual Factor Authentication for AnyConnect Clients

ASA can talk to Radius, TACACS and LDAP for user authentication.

If your RSA server doesn't support Radius, you can use a Cisco ACS box for the authentication, with RSA configured in ACS as an external user database. So the authentication request will be sent to ACS and then ACS will check the RSA server to authenticate the user.

AD group mapping is available as well. On ASA, you just need to map the attribute returned by AD to IETF-Radius-Class. Then ASA will use it to map the user to the correct group-policy.
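The AD-group-to-group-policy mapping described in the reply above, sketched as ASA configuration. This is an added example, not configuration posted in the thread; every name, address and DN (AD-GROUP-MAP, AD-LDAP, RSA-SDI, GP-TOKEN, TG-TOKEN, NOACCESS, 192.0.2.x, example.com) is a hypothetical placeholder. It goes one step beyond the reply by adding a no-access default policy and `group-lock`, so a valid token passcode alone does not admit a user through a VPN group they are not assigned to.

```text
! Token check: RSA answers only pass/fail for the passcode
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 192.0.2.20

! Authorization: look the same username up in AD over LDAP
ldap attribute-map AD-GROUP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-Token-Users,OU=Groups,DC=example,DC=com" GP-TOKEN
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password-placeholder>
 ldap-attribute-map AD-GROUP-MAP

! Default for anyone whose AD groups match no map-value: no sessions allowed
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Policy assigned by the map; usable only through the TG-TOKEN connection
group-policy GP-TOKEN internal
group-policy GP-TOKEN attributes
 vpn-simultaneous-logins 3
 group-lock value TG-TOKEN

tunnel-group TG-TOKEN type remote-access
tunnel-group TG-TOKEN general-attributes
 authentication-server-group RSA-SDI
 authorization-server-group AD-LDAP
 default-group-policy NOACCESS
```

Applying the same servers, attribute map and policies on the second ASA lets the same token and AD membership decide access there.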

New Member

Re: Dual Factor Authentication for AnyConnect Clients

So I am stuck with RSA. Fine. I am about to buy 21k worth of hardware and I can't get anyone at RSA to tell me if what I want to do is possible, they keep saying it's an ASA problem.

What I want to do is ensure that a user can only enter in through the VPN group where she is assigned. RSA keeps telling me all their box does is give a thumbs up or down. So if I use one RSA box it's gonna give a thumbs up to anyone who has the token passcode correct no matter what group they come in on.


Super Bronze

Re: Dual Factor Authentication for AnyConnect Clients

Unfortunately, Cisco does not have any "token" product for authentication. We are relying on third-party token vendors like RSA to perform 2-factor authentication, unfortunately.

New Member

Re: Dual Factor Authentication for AnyConnect Clients

If you are looking for alternatives to RSA, allow me to raise the attention to SMS authentication from This is a new two-factor authentication solution via SMS text messaging that works with the Cisco AnyConnect and SSL VPN systems/clients. You can see a live demo of it on the website under products/howitworks.

Lars Nielsen