what is expected when MFA server is integrated with cisco VPN any connect client, should there be a prompt for secondary pwd?

  • Question

  • What is expected when MFA Server is integrated with the Cisco VPN AnyConnect client? Should there be a prompt for a secondary password?

    Azure MFA Server is configured and integrated with my Cisco ASA VPN profile. While testing I receive the second auth password (SMS text),

    but nothing happens on the AnyConnect client side; there is no prompt or anything to enter the code and log in.

    Thursday, June 30, 2016 7:13 PM

Answers

  • There is a guide for integrating Cisco ASA with MFA Server at https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication-advanced-vpn-configurations/#cisco-asa-vpn-appliance-and-azure-multi-factor-authentication. If using one-way SMS or OATH tokens, you must use RADIUS and not LDAP. When the user enters their username and password into Cisco ASA, it sends a RADIUS Access request to MFA Server. When using one-way SMS or OATH tokens and RADIUS, MFA Server returns an Access Challenge response to the ASA to prompt the user for their OTP. You can customize the message that appears to the user in Company Settings-->Text Message and Company Settings-->OATH Token Text. The ASA will then pop up a box with a message prompting the user for the OTP. The user types in their OTP from the SMS message or mobile app/token and the ASA sends another Access request with the OTP. MFA Server validates the OTP and then returns the Access Accept or Reject. If using phone call, two-way text or mobile app notifications, MFA Server just returns the Accept or Reject without having to do a Challenge response. With two-way SMS, the user responds to the text message with the OTP received. It's only recommended for use in North America.
    Friday, July 1, 2016 5:33 PM
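The RADIUS round trip the answer describes, as an added example that is not part of the original thread and not Microsoft's or Cisco's code: a simulated Access-Request / Access-Challenge / Access-Request / Access-Accept exchange between the ASA role and the MFA Server role, with the RFC 2865 packet layout, User-Password hiding and Response Authenticator check. The shared secret, user, password and OTP are constructed values, and password hiding is limited to one 16-byte block for brevity.

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                 # attribute types
SECRET = b"constructed-shared-secret"          # assumption: the ASA<->MFA Server RADIUS secret
USERS = {b"alice": (b"Passw0rd!", b"482913")}  # constructed: (primary password, OTP sent by SMS)
PENDING = {}                                   # server side: State value -> user awaiting OTP

def encode(code, ident, auth, attrs):  # header (Code, Identifier, Length, Authenticator) + TLVs
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body
def decode(pkt):  # -> code, identifier, authenticator, {attribute type: value}
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]; pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs
def hide_password(pw, request_auth):  # RFC 2865 5.2; one 16-byte block is enough for this demo
    key = hashlib.md5(SECRET + request_auth).digest()
    return bytes(a ^ b for a, b in zip(pw.ljust(16, b"\0"), key))
def respond(code, ident, request_auth, attrs):  # Response Authenticator, RFC 2865 section 3
    pkt = encode(code, ident, request_auth, attrs)
    return pkt[:4] + hashlib.md5(pkt[:4] + request_auth + pkt[20:] + SECRET).digest() + pkt[20:]

def mfa_server(pkt):  # MFA Server role: password leg -> Access-Challenge, OTP leg -> Accept/Reject
    code, ident, req_auth, a = decode(pkt)
    typed = hide_password(a[USER_PASSWORD], req_auth).rstrip(b"\0")  # XOR is its own inverse
    if STATE not in a:  # first leg: one-way SMS cannot complete here, so challenge for the OTP
        user = a[USER_NAME]
        if user not in USERS or typed != USERS[user][0]:
            return respond(ACCESS_REJECT, ident, req_auth, [])
        state = os.urandom(8); PENDING[state] = user
        return respond(ACCESS_CHALLENGE, ident, req_auth,
                       [(REPLY_MESSAGE, b"Enter the code sent to your phone"), (STATE, state)])
    user = PENDING.pop(a[STATE], None)  # second leg: State is single-use, so a replay is rejected
    return respond(ACCESS_ACCEPT if user and typed == USERS[user][1] else ACCESS_REJECT, ident, req_auth, [])

def asa_login(user, password, otp):  # ASA role; on a challenge AnyConnect shows the prompt, then resends
    extra = []
    for ident, secret in ((1, password), (2, otp)):
        auth = os.urandom(16)
        attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(secret, auth))] + extra
        reply = mfa_server(encode(ACCESS_REQUEST, ident, auth, attrs))
        if reply[4:20] != hashlib.md5(reply[:4] + auth + reply[20:] + SECRET).digest():
            return False  # Response Authenticator mismatch: not produced with our shared secret
        code, _, _, a = decode(reply)
        if code != ACCESS_CHALLENGE:
            return code == ACCESS_ACCEPT
        extra = [(STATE, a[STATE])]  # a[REPLY_MESSAGE] is the text the user sees in the pop-up
    return False
```

An LDAP bind has no equivalent of the Access-Challenge leg, which is why one-way SMS and OATH tokens need the RADIUS path shown here.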

All replies

  • Hello,

    We are checking on the query and would get back to you soon on this.
    I apologize for the inconvenience and appreciate your time and patience in this matter.

    Regards,
    Neelesh

    Friday, July 1, 2016 1:13 PM
  • Hi,

    thank you, and sorry for the delay.

    Strange: in the same link the LDAP doc is there and nothing says that it won't work.

    Anyway, I have changed the configuration to RADIUS and now I am getting the attached error.

    Monday, July 18, 2016 7:41 AM
  • Done, I am getting the message now.

    Looks like this error is related to my subscription being expired.

    Monday, July 18, 2016 6:54 PM