
Cisco VPN AnyConnect

Introduction

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. A user is authenticated through more than one required security and validation procedure, each relying on something only that user knows or has access to.

RADIUS is a protocol commonly used to authenticate, authorize, and account for user access and actions. Acceptto offers a simple solution for adding MFA to Cisco AnyConnect VPN via its RADIUS Agent. This step-by-step integration guide shows how to configure both Cisco AnyConnect VPN on a Cisco ASA device and the Acceptto MFA solution.

Pre-Requisites

  1. A previously set up Cisco VPN ASA with a working configuration.
  2. An Acceptto RADIUS Agent that is configured and connected to your user directory (for example Microsoft™ ‘Active Directory’) (See this page for the instructions).
  3. A user with administrative privileges for the Cisco ASA device.

Configure the Acceptto RADIUS Agent

To integrate Acceptto with your Cisco ASA, you will need to install an Acceptto RADIUS Agent on a machine within your network. This server will receive RADIUS requests from your Cisco ASA, check with the LDAP server to perform primary authentication, and then contact the Acceptto cloud service for secondary authentication.

  1. Log in to the Acceptto RADIUS Agent with an administrative user and open the radius-agent-config.env file with an editor. It is located in the RADIUS Agent installation directory; RADIUS clients are configured in this file.

Acceptto RADIUS login

  2. Go to the bottom of the radius-agent-config.env file and change the ARA_CLIENTS attribute as follows. The three values are separated by semicolons (;).

    ARA_CLIENTS = An optional name for your Cisco ASA; Internal IP address of your ASA; a shared secret

    An example configuration might look like this:

    ARA_CLIENTS = Cisco;10.1.0.160/32;testing12345

Acceptto RADIUS config

  3. Save the file and run the following command to apply the changes:

    docker-compose down && docker-compose up -d
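The ARA_CLIENTS line is easy to get subtly wrong: a missing field, a network range where a single host address was intended, or a throwaway secret. The Python script below is an added example (not part of the Acceptto RADIUS Agent) that reads the line out of env-file text and flags those cases. The single-client name;address;secret layout, the 16-character minimum secret length and the sample file contents are assumptions of the example, not agent requirements.

```python
"""Parse and sanity-check the ARA_CLIENTS setting from radius-agent-config.env.

Added example, not part of the Acceptto RADIUS Agent. It assumes the
name;address;secret layout shown on this page for a single client; the
minimum secret length is a threshold chosen here, not an agent requirement.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed sample of the tail of radius-agent-config.env, mirroring the page's example.
SAMPLE_ENV = """\
# ... other agent settings above ...
ARA_CLIENTS = Cisco;10.1.0.160/32;testing12345
"""

MIN_SECRET_LEN = 16  # assumption: operational minimum chosen for this check


@dataclass
class RadiusClient:
    name: str
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    secret: str
    warnings: list[str] = field(default_factory=list)


def extract_ara_clients(env_text: str) -> str:
    """Return the raw ARA_CLIENTS value from env-file text (accepts KEY=value or KEY = value)."""
    for raw in env_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ARA_CLIENTS":
            return value.strip()
    raise KeyError("ARA_CLIENTS is not set")


def parse_client(value: str) -> RadiusClient:
    """Split name;address;secret, validate each field and collect hardening warnings."""
    parts = [p.strip() for p in value.split(";")]
    if len(parts) != 3:
        raise ValueError(f"expected name;address;secret, got {len(parts)} field(s)")
    name, address, secret = parts
    if not name:
        raise ValueError("client name is empty")
    if not secret:
        raise ValueError("shared secret is empty")
    # strict=False accepts both a bare host address and the /32 form used on the page.
    network = ipaddress.ip_network(address, strict=False)
    client = RadiusClient(name, network, secret)
    if network.num_addresses > 1:
        client.warnings.append(
            f"{network} covers {network.num_addresses} addresses; every host in it may use this secret")
    if not network.is_private:
        client.warnings.append(f"{network} is not a private range; the page expects the ASA's internal IP")
    if len(secret) < MIN_SECRET_LEN:
        client.warnings.append(f"secret is {len(secret)} characters, below the {MIN_SECRET_LEN} chosen here")
    return client


def check_env(env_text: str) -> RadiusClient:
    """Convenience wrapper: extract and parse in one call."""
    return parse_client(extract_ara_clients(env_text))


if __name__ == "__main__":
    c = check_env(SAMPLE_ENV)
    print(f"client {c.name!r} from {c.network}, secret length {len(c.secret)}")
    for w in c.warnings:
        print("warning:", w)
```

Run against the page's own sample value, the script accepts the entry but warns that the secret is shorter than the chosen minimum; a /24 in the address field produces a warning that every host in that range could present itself as the ASA.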

Cisco ASA Configuration for AnyConnect VPN and RADIUS

  1. Log in to the Cisco ASA administration interface with an administrative user.

  2. Go to the AAA Server Groups.

  3. Click Add to add a server group.

    | Setting          | Value     |
    |------------------|-----------|
    | AAA Server Group | Acceptto2 |
    | Protocol         | RADIUS    |

Add AAA Server Group

Configure Server Group

  1. Click on the server group (e.g. Acceptto2) and use the following settings in the Add AAA Server dialog.

    | Setting                    | Value                                          |
    |----------------------------|------------------------------------------------|
    | Interface Name             | Management                                     |
    | Server Name or IP Address  | IP address of your Acceptto RADIUS Agent       |
    | Timeout                    | 90 seconds (recommended)                       |
    | Server Authentication Port | 1812                                           |
    | Server Accounting Port     | 1813                                           |
    | Retry Interval             | 10 seconds                                     |
    | Server Secret Key          | Shared secret set in the Acceptto RADIUS Agent |
    | Microsoft CHAPv2 Capable   | Checked                                        |

AAA Server Details

  2. Click OK to apply the configuration.

  3. To verify connectivity to the Acceptto RADIUS Agent, select the AAA server you just created and click the Test button.

  4. On the "Test AAA Server" dialog, select Authentication.

  5. Enter the credentials of the user that is going to be authenticated via RADIUS.

    Test server group

  6. A push notification is sent to the user's Acceptto It’sMe mobile app for approval. A pop-up window then reports whether the test succeeded or failed.

Test result
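What the Test button exercises at the protocol level is a RADIUS Access-Request from the ASA to the agent and a signed Access-Accept or Access-Reject back. The Python script below is an added example (not Acceptto or Cisco code) that simulates both sides of that RFC 2865 PAP exchange offline, so the role of the shared secret is visible: it hides the password in the request and authenticates the reply, and a secret that differs between the ASA and the agent shows up as a reply the client cannot verify. The secret, NAS address and user store are constructed values; MS-CHAPv2 (the "Microsoft CHAPv2 Capable" box) uses different attributes and is not modelled.

```python
"""Offline RFC 2865 RADIUS PAP exchange between a NAS (the ASA) and a server (the agent).

Added example, not Acceptto or Cisco code. Both sides run in one process so the
shared secret's two jobs can be checked: hiding the PAP User-Password and
authenticating the Access-Accept/Reject. MS-CHAPv2 is not modelled.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

SHARED_SECRET = b"testing12345"   # mirrors the page's sample ARA_CLIENTS secret
NAS_IP = "10.1.0.160"             # mirrors the page's sample ASA address
USERS = {"alice": b"Secret!1"}    # constructed user store standing in for the directory


def _attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type, Length (header included), Value; values are at most 253 bytes."""
    return bytes([atype, len(value) + 2]) + value


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password; the chain uses the received cipher blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username: str, password: str, secret: bytes,
                         ident: int = 1, request_auth: bytes = b"") -> bytes:
    """NAS side: Code 1 packet carrying a fresh 16-byte Request Authenticator."""
    request_auth = request_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(data: bytes) -> dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_respond(request: bytes, secret: bytes, users: dict[str, bytes]) -> bytes:
    """Server side: recover the password, answer with an authenticated Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth, attrs = request[4:20], parse_attrs(request[20:])
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    verdict = ACCESS_ACCEPT if users.get(attrs[ATTR_USER_NAME].decode()) == password else ACCESS_REJECT
    header = struct.pack("!BBH", verdict, ident, 20)   # no reply attributes in this example
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(request: bytes, response: bytes, secret: bytes) -> int | None:
    """NAS side: trust the reply only if its Response Authenticator matches; returns Code or None."""
    if len(response) < 20 or response[1] != request[1]:
        return None                                 # truncated or identifier mismatch
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None


def exchange(username: str, password: str, nas_secret: bytes, server_secret: bytes) -> int | None:
    """One round trip; a secret mismatch shows up as an unverifiable reply (None)."""
    req = build_access_request(username, password, nas_secret)
    return verify_response(req, server_respond(req, server_secret, USERS), nas_secret)
```

Calling `exchange("alice", "Secret!1", SHARED_SECRET, SHARED_SECRET)` returns 2 (Access-Accept), a wrong password returns 3 (Access-Reject), and `exchange("alice", "Secret!1", SHARED_SECRET, b"other-secret")` returns None: with a mismatched secret the agent cannot recover the password and the ASA cannot validate the reply, which is why a failed Test here should prompt a check of the Server Secret Key against ARA_CLIENTS before anything else.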

Set the SSL VPN Authentication Method to Acceptto RADIUS

  1. Go to the Network (Client) Access section and select AnyConnect Connection Profiles.
  2. Click on the connection profile (e.g. TunnelGroup2) to which you want to add MFA authentication, and click Edit.
  3. Click Basic and, in the Authentication section, select Acceptto2 from the AAA Server Group list.
  4. Untick Use LOCAL if Server Group fails, so that an unreachable RADIUS server group does not fall back to local authentication without MFA.

Add clientless ssl vpn

  5. Click OK, then click Apply.

  6. Click Save to write all changes to the ASA device memory.

    Note: If you want to give the user enough time to approve the push notification, set the following:

    • In the Configuration section, select Remote Access VPN.
    • Click Network (Client) Access, go to AnyConnect Client Profile, and click Edit.
    • In the Preferences (Part 2) section, set Authentication Timeout (seconds) to 60.
    • Click OK, then click Apply to activate the settings.

    SSL VPN

Test Your Configuration

  1. Enter your VPN server address in the Cisco AnyConnect client and click Connect.

  2. Enter your username and password.

    Login to Anyconnect VPN

  3. You will receive a push notification on your It’sMe mobile application to authorize access to your VPN.

    Acceptto Push

Support

If you require assistance, please email us at support@acceptto.com

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the Acceptto Corporation.

CISCO is either a registered trademark or a trademark of CISCO Inc. and/or one or more of its subsidiaries in the United States and/or other countries.

Microsoft and 'Active Directory' are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.