Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only you know or have access to.
RADIUS is a protocol commonly used to authenticate, authorize, and account for user access and actions. Acceptto offers a simple solution for adding MFA to Cisco AnyConnect VPN via its Radius agent. This step-by-step integration instruction illustrates how to configure both Cisco AnyConnect VPN on Cisco ASA device and an Acceptto MFA solution.
- A previously set up Cisco VPN ASA with a working configuration.
- An Acceptto RADIUS Agent that is configured and connected to your user directory (for example Microsoft™ ‘Active Directory’) (See this page for the instructions).
- A user with administrative privileges for the Cisco ASA device.
To integrate Acceptto with your Cisco ASA, you will need to install an Acceptto RADIUS Agent on a machine within your network. This server will receive RADIUS requests from your Cisco ASA, check with the LDAP server to perform primary authentication, and then contact Acceptto cloud service for secondary authentication.
- Login to the Acceptto RADIUS Agent with an administrative user and open the radius-agent-config.env file with an editor. It is located in the installed directory of RADIUS Agent. RADIUS clients are configured in this setting.
Go to the bottom of radius-agent-config.env file and change the ARA_CLIENTS attribute as follows. The values should be separated by semicolon (;).
ARA_CLIENTS = An optional name for your Cisco ASA; Internal IP address of your ASA; a shared secret
An example configuration might look like this:
ARA_CLIENTS = Cisco;10.1.0.160/32;testing12345
Save file and run the following command for set changes:
docker-compose down && docker-compose up -d
Login to the Cisco ASA administration interface with an administrative user.
Go to the AAA Server Groups.
Click Add to add a server group.
Setting Value AAA Server Group Acceptto2 Protocol RADIUS
Click on the server group (e.g. Acceptto2) and use the following settings for Add AAA Server dialog.
Setting Value Interface Name Management Server Name or IP Address IP Address of Your Acceptto RADIUS Agent Time 90 Seconds (recommended) Server Authentication Port 1812 Server Accounting Port 1813 Retry Interval 10 Seconds Server Secret Key Shared Secret Set in the Acceptto RADIUS Agent Microsoft CHAPv2 Capable Checked
Click OK to apply the configuration.
To verify connectivity to the Acceptto RADIUS Agent, Select the AAA server that was created before and click the Test button.
On the "Test AAA Server" dialog, select Authentication.
Enter the user population that is going to be authenticated via RADIUS.
A message will be sent to the Acceptto It’sMe mobile app of the user for approval. Then, a pop-up window informs you if the test was successful or failed.
- Go to the Network (Client) Access section and select AnyConnect Connection Profiles.
- Click on the connection profile (e.g. TunnelGroup2) that you want to add MFA authentication and click Edit.
- Click on Basic and In the Authentication section select Acceptto2 from the AAA Server Group list.
- Untick the Use LOCAL if Server Group fails.
Click OK then click Apply.
Click Save to write all changes to the ASA device memory.
Note: Set the following setting If you want to give the user enough time to approve push notification:
- In the Configuration section select Remote Access VPN.
- Click on Network (Client) Access and go to AnyConnect Client Profile and click on Edit.
- In the Preferences (Part2) section, find Authentication Timeout (seconds) and set 60.
- Click OK and after that click Apply to activate settings.
Enter your VPN Server address on Cisco AnyConnect Client and Click Connect.
Enter your username and password.
You will receive a push notification on your It’sMe mobile application to authorize access to your VPN.
If you require assistance, please email us at email@example.com
Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the Acceptto Corporation.
CISCO is either registered trademarks or trademarks of CISCO Inc. and/or one or more of its subsidiaries in the United States and/or other countries.
Microsoft and 'Active Directory' are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.