Two Factor Authentication for Cisco AnyConnect

Cisco AnyConnect

Cisco AnyConnect is a uniform security endpoint agent which deliver multiple security services to protect the enterprise. Also, it provides visibility along with the control which is required you to identify who and which devices are accessing the extended enterprise.

You can enable two-factor authentication (2FA) for your Cisco AnyConnect Managed AD directory to increase security level. When you enable 2FA, your users enter their username and password (first factor) as usual, and they have to enter an authentication code (the second factor) which will share on your virtual or hardware 2FA solution. To enable 2FA you can enable RADIUS authentication in Cisco AnyConnect and configure policies in miniOrange to enable or disable 2FA for users.

miniOrange 2FA for VPN Login

miniOrange accomplishes this by acting as a RADIUS server, that accepts the username/password of the user entered as a RADIUS request, validates the user against the user store as Active Directory ( AD ), prompts him for the 2-factor authentication and either grants/revokes access based on the input by the user.

Types of 2FA Authentication with RADIUS

The 2-factor authentication can be of two types depending on the VPN clients.

VPN Clients that support RADIUS Challenge.
VPN Clients that do not support RADIUS Challenge.

In VPN Clients that support RADIUS Challenge :

First step is user's username & password get validated against the credentials stored in Active Directory and 2nd request sends a success response, this request is sent to validate the 2-factor authentication of the user, on successful authentication user is granted access to the application.
Authentication methods : All Authentication methods supported by miniOrange. Software Token, Push Notification, OTP over Email to name a few.
RADIUS Clients that support this authentication type:
-> OpenVPN
-> Palo Alto
-> Fortinet
-> Cisco AnyConnect

2-factor authentication VPN Cisco AnyConnect Support chart

Enable Two-Factor Authentication for Cisco AnyConnect with miniOrange

Guidelines to configure RADIUS authentication in Cisco AnyConnect Secure Connect with miniOrange.

Step 1: Add the Radius Client in miniOrange

Login into the Admin Dashboard.
Click on Apps >> Manage Apps.
Click on Configure Apps.
Select Radius tab and select Radius Client.

2-factor authentication VPN Cisco AnyConnect radius client add app

Configure details below to add Radius Client.

Client Name:	Cisco AnyConnect Secure or any other name for your reference
Client IP:	IP address of Cisco AnyConnect Secure VPN server which will send Radius authentication request
Shared Secret:	Security key (Keep this with you, you will need to configure same in Cisco AnyConnect Secure)

Click on Save.

2-factor authentication VPN Cisco AnyConnect radius client application

Step 2: Enable 2 factor authentication

Click on Policies tab >> App Authentication Policy.

2-factor authentication VPN Cisco AnyConnect radius client authentication policy

Click on Add Policy tab
In Step 1 Select “Cisco AnyConnect Secure” in Application section.
In Step 2 Select “DEFAULT” in Group Name and enter Policy name as “Cisco AnyConnect Secure” add policy then Select First factor as “PASSWORD”.
Enable Second factor then click on Save.

Step 3: Setup LDAP authentication ( OPTIONAL)

Select User Stores then click on Add User Store.

2-factor authentication VPN Cisco AnyConnect radius client connector add user store

Select “AD/LDAP” tab and configure it with your LDAP settings.

2-factor authentication VPN Cisco AnyConnect User Store

Area	Field value
Directory Type	Active Directory or your directory type
LDAP Server URL	Your AD server URL or IP address
Bind Account DN	Click on AD FS>>Domain>>respective Users>> Properties>>Attribute Editor then copy the value of distinguishedName & paste it against Bind Account DN.
Bind Account Password	Password for Bind user account above
Search Bases	Search Base is a user search location. It means where to search for a user.Example: cn=users,dc=miniorange,dc=com
Search Filter	If you want to add extra conditions on user search you can add it in Search Filter.Example:(&(objectClass=)(mail=?))(&(objectClass=)(samaccountname=?))

Enable “Active LDAP” and “Sync user in miniOrange” option and click on save.

2-factor authentication VPN Cisco AnyConnect radius client active ldap save

Click on Test Configuration to check whether you have enter valid details. For that, it will ask for username & password.

2-factor authentication VPN Cisco AnyConnect radius client username

After this, it will show you the list of User stores. Click on “ Make Default “.

2-factor authentication VPN Cisco AnyConnect radius client make default

Step 4: Configure Cisco AnyConnect with miniOrange RADIUS server

2-factor authentication VPN Cisco AnyConnect radius client loginpage

Click on AAA Local Users >> AAA Server Groups >> Add.

2-factor authentication VPN Cisco AnyConnect radius client local user

Property	Explanation
Accounting Mode	Indicates how accounting messages are sent. Recommended single mode.
Reactivation Mode	Specifies the method by which failed servers are reactivated.
Dead Time	Time for which a RADIUS server is skipped over by transaction requests
Max Failed Attempts	Maximum number of retransmission attempts. Recommended 1.

Select "Protocol" as RADIUS then Click on "Add".
Select the newly created group and Under Servers in the Selected Group click on Add .

2-factor authentication VPN Cisco AnyConnect radius client ssl vpn protocol

Property	Explanation	Example
Interface Name	Name of protected Cisco interface.	inside
Timeout	Authentication timeout.	60
Server Authentication Port	RADIUS authentication port.	It should be 1812
Server Accounting Port	RADIUS accounting port	It should be 1813
Retry Interval	Length of time between retries	5
Server Secret Key	It shared between the miniOrange RADIUS Connector and its client
Microsoft CHAPv2 Capable	Whether or not the RADIUS server uses CHAPv2.	It should be unchecked

Click on Clientless SSL VPN Access >> Connection Profiles.
Select Default WEB VPNGroup and click on Edit.

2-factor authentication VPN Cisco AnyConnect radius client web vpngroup

For the AAA Server Group select group made in steps 3-5.
Click on Ok .

Step 5 : Configure Timeout for Cisco Anyconnect

Click on AnyConnect Client Profile then click on Add button .

Uncheck Auto Reconnect option.

2-factor authentication VPN Cisco AnyConnect radius client auto reconnect

In the sidebar, click on Preferences(Cont) and scroll down then enter 60 for Authentication Timeout Values (or 10 seconds longer than the AAA RADIUS server timeout and 20 seconds longer than the LoginTC RADIUS Connector Request Timeout)

Click on Ok .
In the sidebar, click on Server List >> Add to add a server.

Enter the FQDN of your Cisco ASA VPN exposed end-point in the Hostname and a hostname or IP Address in the Host Address then click on ok .

Click on Apply .
Click on Group Policies which is under Network (Client) Access.
Click on the group policy which you have assigned to your VPN (e.g. DfltGrpPolicy).

2-factor authentication VPN Cisco AnyConnect radius client group policies

Under Advanced >> AnyConnect Client Select your profile.

Click on Configuer >> Remote Access VPN >> Network (Client) Access >> AnyConnect Customization/Localization >> GUI Text and Messages.
Now, Edit the language file as msgid for "Second Password" and msgstr for "VIP Access Security Code"

Step 6 : miniOrange 2FA for Cisco AnyConnect Login

Connect to Cisco Cisco AnyConnect.
Enter Username, Password and Second Password.

2-factor authentication VPN Cisco AnyConnect radius login Page

For Further Details:

Two Factor authentication

Clientless VPN SSL

Configure Cisco AnyConnect Secure Mobility Client