How to configure MFA for Cisco ASA SSL VPN using RADIUS
Objective
This article outlines the steps to configure two-factor authentication (2FA) for your Cisco Adaptive Security Appliance (ASA) SSL VPN using RADIUS. By integrating ManageEngine ADSelfService Plus' MFA for endpoints with Cisco ASA, you can add an extra layer of security to your VPN infrastructure. Enabling 2FA for Cisco SSL VPN helps prevent unauthorized access, enforces strong user verification, and improves compliance with security standards.
ADSelfService Plus supports a wide range of secure authentication methods for 2FA for Cisco ASA SSL VPN, including:
- Push notification authentication
- Fingerprint/Face ID authentication
- ADSelfService Plus TOTP authentication
- Google Authenticator
- Microsoft Authenticator
- Yubico OTP (hardware key authentication)
Prerequisites
Before you begin, ensure you meet the following requirements:
Endpoint MFA add-on license: Your ADSelfService Plus license must include Endpoint MFA. You can purchase this add-on from the store.
HTTPS is enabled: Ensure HTTPS is enabled in ADSelfService Plus. Navigate to Admin > Product Settings > Connection to verify and enable it.
Note: If you are using an untrusted certificate for HTTPS in ADSelfService Plus, you must disable the Restrict user access when there is an invalid SSL certificate option. You can find this setting under Configuration > Administrative Tools > GINA/Mac/Linux (Ctrl+Alt+Del) > GINA/Mac/Linux Customization > Advanced.
Access URL is configured: The Access URL configured in Admin > Product Settings > Connection > Configure Access URL will be used by the NPS extension to communicate with the ADSelfService Plus server. Ensure this URL is correctly updated before installing the NPS extension.
RADIUS server: You must use a Windows server (Windows Server 2008 R2 and above) with the Network Policy Server (NPS) role enabled to act as your RADIUS server.
User dial-in properties: In AD, set users' Network Access Permission to Control access through NPS Network Policy in their Dial-in properties.
NPS connection request policy: On the Windows NPS server where the NPS extension will be installed, set the authentication settings of the Connection Request Policy to authenticate requests on this server.
RADIUS authentication configured: Your Cisco ASA server must already be configured to use RADIUS authentication.
Steps to configure 2FA for Cisco SSL VPN
Step 1: Configuring MFA in ADSelfService Plus
- Log in to ADSelfService Plus as an administrator.
- Navigate to Configuration > Self-Service > Multi-Factor Authentication > Authenticators Setup.
- Configure the authentication methods you wish to enable for MFA.

Fig.1: Configuring authenticators in ADSelfService Plus
- Navigate to the MFA for Endpoints section.
- From the Choose the Policy drop-down menu, select the policy that will determine the users for whom MFA for Cisco ASA will be enabled.
- In the MFA for VPN Login section:
- Select the checkbox next to Enable the authentication factor(s) required for VPN logins.
- Choose the desired number of authentication factors to be enforced.
- Select the specific authentication methods to be used. You can rearrange the listed authentication methods by dragging and dropping them to your preferred order.

- Click Save Settings.
- Click the help icon next to MFA for VPN.
- Download the NPS extension using the Download link provided in the pop-up window that appears.

Step 2: Install the NPS extension
- Copy the downloaded extension file (ADSSPNPSExtension.zip) to the Windows server designated as your RADIUS server. Extract the contents of the ZIP file and save them to a chosen location.
- Open Windows PowerShell (x64) as administrator and navigate to the folder where you extracted the extension files.
- Execute the following command:
PS C:\> .\setupNpsExtension.ps1 Install
Note: If you need to uninstall the NPS extension plug-in or update it to a newer version, use Uninstall or Update respectively, instead of Install.
- After the installation is complete, you will be prompted to restart the NPS Windows service. Proceed with the restart.
- Configure a RADIUS client in the NPS service specifically for ADSelfService Plus. During this configuration, set a shared secret that you will use later when configuring your Cisco ASA.
Step 3: Configure your Cisco ASA
- Navigate to AAA/Local Users > AAA Server Groups and click Add.
- Provide a name for the AAA Server Group and select RADIUS as the Protocol.
- Click OK to create the new server group.

- Select the newly created AAA Server Group.
- In the Add AAA Server pop-up window, enter the following information for your NPS server:
- Interface Name: The ASA interface through which the NPS extension can be reached.
- Server Name or IP Address: The hostname or IP address of the NPS server where the NPS extension is installed.
- Timeout: Set a minimum of 60 seconds to allow sufficient time for MFA challenges.
- Server Authentication Port: 1812
- Server Accounting Port: Not required
- Retry Interval: Set for a minimum of 10 seconds.
- Server Secret Key: Enter the shared secret that you configured during the RADIUS client setup in Step 2 on the NPS server.
- Microsoft CHAPv2 Capable: Leave this checkbox unselected if you are using challenge-based authenticators like ADSelfService Plus TOTP Authentication, Google Authenticator, Microsoft Authenticator, or Yubico OTP (hardware key authentication).
- Click OK, and then OK again to save the new server.

- Go to Network (Client) Access > AnyConnect Connection Profiles.
- Select the connection profile to which you want to add 2FA and click Edit.
- In the Authentication section of the Basic profile settings page, select the AAA Server Group you created previously.

- Go to AnyConnect Connection Profiles. Navigate to Advanced > Secondary Authentication, and set Server Group to None.
- Go back to Network (Client) Access, navigate to AnyConnect Client Profile, click Edit, and under Preferences (Part 2) set the Authentication Timeout (seconds) value to 60.
- Uncheck the Use LOCAL if Server Group fails option.
- Click OK, then click Apply.
- Click Save to save all the configuration information to the ASA device memory.
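For administrators who manage the ASA from the command line rather than ASDM, the following is the CLI equivalent of the Step 3 settings above. It is an added example, not configuration taken from the original article or from ManageEngine or Cisco documentation; the server group name ADSSP-NPS, the ASA interface name inside, the NPS address 10.0.0.5, the tunnel group name SSLVPN-Profile and the shared-secret placeholder are all assumed values that you replace with your own.

```text
! Added example: ASA CLI equivalent of the ASDM steps in Step 3.
! Assumed values: group ADSSP-NPS, interface "inside", NPS server 10.0.0.5,
! tunnel group SSLVPN-Profile, and a placeholder shared secret.

! AAA server group that speaks RADIUS (ASDM: AAA Server Groups > Add)
aaa-server ADSSP-NPS protocol radius

! The Windows NPS server where the ADSelfService Plus NPS extension is installed
aaa-server ADSSP-NPS (inside) host 10.0.0.5
 ! Shared secret set on the NPS RADIUS client in Step 2
 key <SHARED-SECRET-FROM-NPS-RADIUS-CLIENT>
 ! The ASA's RADIUS default is 1645, so 1812 must be set explicitly
 authentication-port 1812
 ! 60 seconds gives the user time to approve a push or enter an OTP
 timeout 60
 ! Retry interval from the article (10 seconds)
 retry-interval 10
 ! Disable MS-CHAPv2 for challenge-based authenticators (TOTP, Google/Microsoft Authenticator, Yubico OTP)
 no mschapv2-capable

! Connection profile: authenticate against the new group only.
! Omitting the trailing LOCAL keyword is the CLI form of leaving
! "Use LOCAL if Server Group fails" unchecked.
tunnel-group SSLVPN-Profile general-attributes
 authentication-server-group ADSSP-NPS
 ! Secondary Authentication > Server Group = None
 no secondary-authentication-server-group

! Persist the running configuration (ASDM: Save)
write memory
```

If you had written `authentication-server-group ADSSP-NPS LOCAL`, the ASA would fall back to local accounts whenever NPS did not answer, which would let a user bypass the second factor during an NPS outage; that is why the article has you uncheck that option. The AnyConnect client-side timeout from the last steps is not ASA configuration at all: it lives in the AnyConnect client profile XML as the AuthenticationTimeout element under ClientInitialization, and the value there should match the 60 seconds chosen above.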