Cisco AnyConnect is a unified security endpoint agent that delivers multiple security services to protect the enterprise. It also provides the visibility and control required to identify who, and which devices, are accessing the extended enterprise.
You can enable two-factor authentication (2FA) for your Cisco AnyConnect Managed AD directory to raise the security level. With 2FA enabled, users enter their username and password (the first factor) as usual, and then must enter an authentication code (the second factor) that is delivered to their virtual or hardware 2FA device.
To enable 2FA, turn on RADIUS authentication in Cisco AnyConnect and configure policies in miniOrange to enable or disable 2FA for users.
miniOrange 2FA for VPN Login
miniOrange accomplishes this by acting as a RADIUS server: it accepts the username and password entered by the user as a RADIUS request, validates the user against the user store, such as Active Directory (AD), prompts the user for the second factor, and grants or denies access based on the user's response.
Types of 2FA Authentication with RADIUS
The 2-factor authentication can be of two types, depending on the VPN client:
- VPN clients that support RADIUS Challenge.
- VPN clients that do not support RADIUS Challenge.
In VPN clients that support RADIUS Challenge:
- In the first step, the user's username and password are validated against the credentials stored in Active Directory. If they are correct, the server answers with a challenge and a second request is sent to validate the user's 2-factor authentication; on successful authentication the user is granted access to the application.
- Authentication methods: all authentication methods supported by miniOrange, such as Software Token, Push Notification and OTP over Email.
- RADIUS clients that support this authentication type:
  -> Palo Alto
  -> Cisco AnyConnect
Enable Two-Factor Authentication for Cisco AnyConnect with miniOrange
Guidelines to configure RADIUS authentication in Cisco AnyConnect Secure Connect with miniOrange.
Step 1: Add the Radius Client in miniOrange
- Login to the Admin Dashboard.
- Click on Apps >> Manage Apps.
- Click on Configure Apps.
- Select the Radius tab and select Radius Client.
- Configure the details below to add the Radius Client:
  - Cisco AnyConnect Secure, or any other name for your reference
  - IP address of the Cisco AnyConnect Secure VPN server that will send the Radius authentication requests
  - Security key (keep this with you; you will need to configure the same key in Cisco AnyConnect Secure)
- Click on Save.
Step 2: Enable 2-factor authentication
- Click on the Policies tab >> App Authentication Policy.
- Click on the Add Policy tab.
- In Step 1, select “Cisco AnyConnect Secure” in the Application section.
- In Step 2, select “DEFAULT” in Group Name, enter the Policy name as “Cisco AnyConnect Secure”, then select First Factor as “PASSWORD”.
- Enable Second Factor, then click on Save.
Step 3: Setup LDAP authentication (OPTIONAL)
- Select User Stores, then click on Add User Store.
- Select the “AD/LDAP” tab and configure it with your LDAP settings:
  - Active Directory, or your directory type
  - LDAP Server URL: your AD server URL or IP address
  - Bind Account DN: click on AD FS >> Domain >> respective Users >> Properties >> Attribute Editor, then copy the value of distinguishedName and paste it against Bind Account DN.
  - Bind Account Password: password for the Bind user account above
  - Search Base: the location where users are searched for. Example: cn=users,dc=miniorange,dc=com
  - Search Filter: if you want to add extra conditions on the user search, add them here. Examples: (&(objectClass=*)(mail=?)) or (&(objectClass=*)(samaccountname=?))
- Enable the “Active LDAP” and “Sync user in miniOrange” options and click on Save.
- Click on Test Configuration to check whether you have entered valid details; it will ask for a username and password.
- After this, it will show you the list of user stores. Click on “Make Default”.
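The Search Filter examples above use `?` where the login name is inserted. The following is an added example, not miniOrange code, showing why that substitution must escape the value: a login name containing filter metacharacters would otherwise add clauses to the filter. Reading `?` as the placeholder is taken from the page's examples and is an assumption of this example; the escaping rules are those of RFC 4515 section 3.

```python
import re

# Escapes required inside an LDAP filter assertion value (RFC 4515 section 3)
_SPECIAL = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot change the structure of the filter it is placed in."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            # control and non-ASCII characters go in as escaped UTF-8 bytes
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)

def fill_search_filter_unsafe(template: str, login: str) -> str:
    """Naive substitution: the login name is spliced in verbatim (shown only for contrast)."""
    return template.replace("?", login)

def fill_search_filter(template: str, login: str) -> str:
    """Substitute the login name for the single '?' placeholder, escaping it first.
    Treating '?' as the placeholder follows the page's Search Filter examples (an assumption here)."""
    if template.count("?") != 1:
        raise ValueError("expected exactly one '?' placeholder in the search filter")
    return template.replace("?", escape_filter_value(login))

def component_count(filter_text: str) -> int:
    """Number of '(' outside escape sequences, i.e. how many filter components the string has.
    A login name must never raise this above the template's own count."""
    return re.sub(r"\\[0-9a-fA-F]{2}", "", filter_text).count("(")
```

With the template `(&(objectClass=*)(mail=?))` (three components) and a constructed login name of `*)(objectClass=*`, the unsafe fill yields a four-component filter that matches every object with a mail attribute, while the escaped fill keeps three components and simply fails to match anyone.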
Step 4: Configure Cisco AnyConnect with the miniOrange RADIUS server
- Login to Cisco ASA ASDM.
- Click on AAA Local Users >> AAA Server Groups >> Add and configure the server group:
  - Indicates how accounting messages are sent. Recommended: single mode.
  - Specifies the method by which failed servers are reactivated.
  - Time for which a RADIUS server is skipped over by transaction requests.
  - Max Failed Attempts: maximum number of retransmission attempts. Recommended: 1.
- Select "Protocol" as RADIUS, then click on "Add".
- Select the newly created group and, under Servers in the Selected Group, click on Add and configure the server:
  - Name of the protected Cisco interface.
  - Server Authentication Port: RADIUS authentication port. It should be 1812.
  - Server Accounting Port: RADIUS accounting port. It should be 1813.
  - Length of time between retries.
  - Server Secret Key: the key shared between the miniOrange RADIUS Connector and its client (the security key entered in Step 1).
  - Microsoft CHAPv2 Capable: whether or not the RADIUS server uses CHAPv2. It should be unchecked.
- Click on Clientless SSL VPN Access >> Connection Profiles.
- Select DefaultWEBVPNGroup and click on Edit.
- For the AAA Server Group, select the group created in the steps above.
- Click on OK.
Step 5: Configure Timeout for Cisco AnyConnect
The Cisco AnyConnect client will time out after 12 seconds on Windows and after 30 seconds on Mac OS X by default, which leaves little time for the user to complete the second factor.
- Click on AnyConnect Client Profile, then click on the Add button.
- Uncheck the Auto Reconnect option.
- In the sidebar, click on Preferences (Cont) and scroll down, then enter 60 for Authentication Timeout Values (or 10 seconds longer than the AAA RADIUS server timeout and 20 seconds longer than the LoginTC RADIUS Connector Request Timeout).
- Click on OK.
- In the sidebar, click on Server List >> Add to add a server.
- Enter the FQDN of your Cisco ASA VPN exposed endpoint in Hostname and a hostname or IP address in Host Address, then click on OK.
- Click on Apply.
- Click on Group Policies, which is under Network (Client) Access.
- Click on the group policy which you have assigned to your VPN (e.g. DfltGrpPolicy).
- Under Advanced >> AnyConnect Client, select your profile.
- Click on Configuration >> Remote Access VPN >> Network (Client) Access >> AnyConnect Customization/Localization >> GUI Text and Messages.
- Now edit the language file: for the msgid "Second Password", set msgstr to "VIP Access Security Code".
Step 6: miniOrange 2FA for Cisco AnyConnect Login
We offer Security Solutions of Single Sign-On, Two Factor Authentication, Fraud Prevention and much more.
Please call us at +1978 658 9387 (US), +91 77966 99612 (India) or email us at firstname.lastname@example.org