Cisco 2 factor authentication

Has anyone set up two-factor VPN using a Cisco ASA VPN solution?
What sort of soft-client-based dual-factor authentication options were used for the Cisco VPNs (e.g. Symantec VIP, Google Authenticator, Azure Authenticator, RSA, etc.)?
I am trying to find what infrastructure is needed to come up with the solution.

Please contact me off list

Regards
Ray Ludendorff

Any RADIUS-based auth works well. I've used a solution by SecurEnvoy in the past which seems to work well; they also have soft token apps, hard tokens, plus SMS-based.

However, a cautionary note there is that the RADIUS protocol itself uses
only weak cryptography and is not secure on the wire.

That is, in the absence of the AES Keywrap proprietary extension, or when
the method of credential used is not authentication using a
client-side certificate (PKI) as in *EAP.

Specifically: if RADIUS is used for the Authentication stage of AAA
with a code sent by SMS or OATH token [user types normal password +
one-time password], then when traffic between the RADIUS server and VPN
device is captured, the user credentials may be exposed with the
extremely weak crypto protection RADIUS or NTLM provides for the
user password.

If a user re-uses their same password somewhere else on a device not
requiring 2FA, then capturing RADIUS traffic could be an effective
privilege escalation by copying the victim's password from a sniffed
RADIUS exchange.

As per other statements of such seen elsewhere online, do you have examples or code which will allow the recovery of passwords in a RADIUS exchange? Yes, the shared secret mechanism is widely stated as 'weak', but actively attacked?

alan

The RADIUS protocol traffic can be encrypted with IPsec policies... if
confidentiality of the RADIUS traffic is a concern (particularly if
traversing untrusted networks).
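
Added example, not part of any post in this thread: the User-Password hiding defined in RFC 2865 section 5.2, which is the on-the-wire protection discussed above and what an IPsec policy would be wrapping. It shows both ends of the exchange and that the only key material is the RADIUS shared secret; the secret, authenticator and credential values are constructed.

```python
import hashlib

BLOCK = 16  # MD5 digest size; User-Password is handled in 16-octet blocks

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side (e.g. the VPN device): build the User-Password value."""
    if len(request_auth) != BLOCK or len(password) > 128:
        raise ValueError("need a 16-octet authenticator and <= 128-octet password")
    size = max(BLOCK, len(password) + (-len(password) % BLOCK))
    padded = password.ljust(size, b"\x00")          # null-pad to a block multiple
    hidden, prev = b"", request_auth
    for i in range(0, size, BLOCK):
        pad = hashlib.md5(secret + prev).digest()   # b_i = MD5(S + c_(i-1))
        prev = _xor(padded[i:i + BLOCK], pad)       # c_i = p_i XOR b_i
        hidden += prev
    return hidden

def recover_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RADIUS server side: the same pads, derived from the same shared secret."""
    if len(request_auth) != BLOCK or not hidden or len(hidden) % BLOCK or len(hidden) > 128:
        raise ValueError("malformed User-Password or authenticator")
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")

# Constructed sample values, not taken from any real deployment.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))       # travels unencrypted in the Access-Request header
CREDENTIAL = b"CorrectHorse!492871"   # normal password followed by a one-time code

def demo():
    hidden = hide_user_password(CREDENTIAL, SECRET, REQUEST_AUTH)
    return hidden, recover_user_password(hidden, SECRET, REQUEST_AUTH)

if __name__ == "__main__":
    hidden, clear = demo()
    print(hidden.hex(), clear)
```

The static password and the one-time code share one attribute, and its protection is exactly as strong as the shared secret, so a long random secret per client and an encrypted transport are the controls that matter here.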

We use PhoneFactor (now Azure Authenticator) with AnyConnect VPN. It sits
in front of LDAP/AD and integrates with it. It can be a PITA but it works.