Cisco AnyConnect is a widely deployed VPN solution, and its headends (Cisco ASA and Firepower) commonly authenticate remote users over RADIUS against the organization's domain. This gives the remote workforce access to internally hosted resources and applications without loss of productivity. Those internal applications often house critical, sensitive data, so attackers try to get in through the VPN and then extort the organization. The Akira ransomware campaign of 2023, which compromised enterprises whose Cisco VPNs were not protected by MFA, is one such example. Cisco AnyConnect supports a robust authentication process, but a single password factor is exactly what those attackers abused, and a second factor is a worthwhile reinforcement.
ManageEngine ADSelfService Plus, a holistic MFA solution, is the answer to securing Cisco AnyConnect VPN logins. The solution offers advanced authentication methods, conditional access policies, and custom configuration and auditing capabilities to ensure your remote workforce enjoys protection against multiple forms of cyberattacks. ADSelfService Plus also assists organizations in staying compliant with regulations and mandates like NIST SP 800-63B, GDPR, HIPAA, NYCRR, FFIEC, and PCI DSS.
ADSelfService Plus supports the following authenticators for Cisco ASA AnyConnect VPN MFA:
Biometrics are an inherence factor and TOTP is a possession factor; both are considerably more secure than knowledge-based factors such as passwords. Requiring either of them in your MFA policy protects against dictionary attacks, credential stuffing, and key-logging, because a stolen or guessed password alone no longer grants VPN access. Bear in mind that a TOTP code can still be relayed by a real-time phishing proxy, so user awareness and conditional access policies remain important alongside the second factor.
ADSelfService Plus' administrator portal supports fine-grained VPN MFA policy configuration. Separate MFA policies can be created and applied to Cisco AnyConnect users by domain, organizational unit, and group. Admins choose the authenticators and enable them for the appropriate MFA policies, so each user goes through an MFA flow that matches their enterprise permissions and privileges.
The ADSelfService Plus VPN MFA process also accommodates vendor-specific RADIUS attributes that may determine access and authorization. The solution uses an NPS extension: the Cisco AnyConnect VPN server sends its RADIUS Access-Request to NPS, the extension relays the authentication to ADSelfService Plus for MFA, and on success the RADIUS Access-Accept is returned to the VPN server. That response can also carry response attributes, including any custom Cisco attribute information passed along with the RADIUS request, such as group membership, resource permissions, and authorization data that the VPN headend uses to select the user's policy.
ADSelfService Plus' VPN MFA capability is built on the standard RADIUS protocol and supports all RADIUS-based VPN providers including:
You can enable MFA to secure non-VPN RADIUS endpoints such as Citrix Gateway, Microsoft Remote Desktop Gateway, and VMware Horizon View as well.