
We have a lot of tutorials on Cisco ASAs, and most of them use the ASDM. This one shows how to add two-factor authentication to an ASA from the CLI instead. The same configuration applies to both AnyConnect and the Clientless SSL VPN, because both authenticate through the tunnel group configured below.

Adding two-factor authentication to a Cisco ASA 5500 VPN is quite simple. We recommend that you use NPS or another RADIUS server in front of WiKID so that you can continue to manage your users in Active Directory. (See this document for an example of a working NPS configuration.) In that case, the ASA's RADIUS server is NPS rather than the WiKID server itself; the ASA-side commands are otherwise identical, only the host address and shared secret change.

First create an IP pool from which VPN clients will be assigned addresses. Use a range that is routable from your inside network and not already in use by other hosts:

ip local pool test 192.168.1.1-192.168.1.10 mask 255.255.255.0

Next, create a radius server group.  We call it WiKID:

aaa-server WiKID protocol radius

Then, within that server group, specify the IP address of the server and the shared secret (key). The shared secret must match the one configured on NPS or WiKID. You must set the ports as well: the ASA defaults to the legacy RADIUS ports 1645/1646, while the standard ports are 1812 for authentication and 1813 for accounting. (The key below is redacted; enter your own.)

aaa-server WiKID (inside) host 192.168.1.99
 key *****
 authentication-port 1812
 accounting-port 1813

Then create a remote-access tunnel group that uses the address pool and the RADIUS server group. The group-alias makes TEST selectable in the AnyConnect group drop-down and on the Clientless SSL VPN login page:

tunnel-group TEST type remote-access
tunnel-group TEST general-attributes
 address-pool test
 authentication-server-group WiKID
tunnel-group TEST webvpn-attributes
 group-alias TEST enable

By default the ASA sends PAP to a RADIUS server. According to the Cisco documentation, adding password-management under the tunnel group's general attributes makes the ASA use MS-CHAPv2 for the RADIUS exchange instead. The address-pool and authentication-server-group lines are already present from the previous step and are shown here only for context; password-management is the only new line:

tunnel-group TEST general-attributes
 address-pool test
 authentication-server-group WiKID
 password-management

Only enable this if your RADIUS server accepts MS-CHAPv2 for these users; if it handles PAP only, leave password-management off.

That should do it! Before rolling this out, test a login with a user's credentials and one-time passcode from a test client, and confirm that a wrong passcode is rejected.
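The step most worth checking independently is the RADIUS leg between the ASA and NPS/WiKID, since a wrong shared secret or port fails silently (the server simply drops the request). The following is an added example, not code from the original page or from WiKID: a minimal RFC 2865 PAP probe, written from scratch in Python, that sends one Access-Request exactly as the ASA does without password-management (User-Name, User-Password, NAS-IP-Address) and only reports a result if the reply's Response Authenticator validates under the shared secret. It assumes the tutorial's server address 192.168.1.99 on UDP 1812; the secret, the NAS IP 192.168.1.254 and the function names are placeholders of my own.

```python
import hashlib
import hmac
import os
import socket
import struct

# Assumed topology, matching the tutorial: RADIUS server on the inside at
# 192.168.1.99, UDP 1812 for authentication. Secret and NAS IP are placeholders.
RADIUS_SERVER = ("192.168.1.99", 1812)
SHARED_SECRET = b"replace-with-the-asa-key"   # must equal the ASA 'key' line
NAS_IP = "192.168.1.254"                       # assumed ASA inside address

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; a 16-byte Authenticator follows


def encrypt_pap_password(secret, authenticator, password):
    """RFC 2865 5.2: pad the password to a 16-byte multiple and XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_pap_password(secret, authenticator, ciphertext):
    """Inverse of encrypt_pap_password, i.e. what the RADIUS server computes."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """One TLV attribute: Type, Length (including this 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, authenticator, username, password, nas_ip=NAS_IP):
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, encrypt_pap_password(secret, authenticator, password.encode()))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(data):
    """Walk the TLV list; reject lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_response(secret, request, code, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = HEADER.pack(code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs


def verify_response(secret, request, response):
    """Return the reply Code only if its Response Authenticator checks out; anything
    that fails here came from a sender that does not know the shared secret."""
    if len(response) < 20:
        return None
    code, identifier, length = HEADER.unpack(response[:4])
    if identifier != request[1] or not 20 <= length <= len(response):
        return None
    response = response[:length]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return code if hmac.compare_digest(expected, response[4:20]) else None


def probe(username, password, server=RADIUS_SERVER, secret=SHARED_SECRET, timeout=5.0):
    """Send one Access-Request; return the reply name, or None on timeout/bad authenticator."""
    identifier, authenticator = os.urandom(1)[0], os.urandom(16)
    request = build_access_request(secret, identifier, authenticator, username, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, server)
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None  # no answer: wrong port, firewall, or server ignoring an unknown client
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
             ACCESS_CHALLENGE: "Access-Challenge"}
    return names.get(verify_response(secret, request, reply))


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it from a host the RADIUS server already trusts as a client (the server silently discards requests from unknown addresses), with the user name and the passcode your server expects; a timeout usually means the wrong port or an unregistered client, an Access-Reject with a known-good passcode usually means the secret or the user mapping. The equivalent on-box check is `test aaa-server authentication WiKID host 192.168.1.99 username <user> password <passcode>` on the ASA. Note what the PAP encoding shows: the passcode is only MD5-XOR obfuscated under the shared secret over UDP, which is why the server group belongs on the inside interface and the key should be long and random. The MS-CHAPv2 exchange that password-management enables is different and is not modelled here.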

 


Copyright © WiKID Systems, Inc. 2017 | Two-factor Authentication