MFA for Cisco AnyConnect VPN

Secure VPN logins with ADSelfService Plus


Cisco AnyConnect VPN MFA

Cisco AnyConnect is a popular RADIUS-based VPN solution used by many organizations to provide their remote workforce with access to resources hosted on their domain networks. This enables them to perform their enterprise tasks without any hiccups in productivity. These internally hosted resources and applications often house critical, sensitive data, and hackers may try to infiltrate the solution in a bid to extort the organization. The Akira ransomware crisis that affected enterprises employing Cisco VPNs without MFA is one such example. While Cisco AnyConnect does maintain a robust authentication process to thwart such attempts, additional reinforcements are always beneficial.

ManageEngine ADSelfService Plus, a holistic MFA solution, is the answer to securing Cisco AnyConnect VPN logins. The solution offers advanced authentication methods, conditional access policies, and custom configuration and auditing capabilities to ensure your remote workforce enjoys protection against multiple forms of cyberattacks. ADSelfService Plus also assists organizations in staying compliant with regulations and mandates like NIST SP 800-63B, GDPR, HIPAA, NYCRR, FFIEC, and PCI DSS.

Employ advanced authenticators for Cisco ASA AnyConnect VPN

ADSelfService Plus supports the following authenticators for Cisco ASA AnyConnect VPN MFA:

  1. Microsoft Authenticator
  2. Yubico OTP (hardware key authentication)
  3. SMS and email verification
  4. Zoho OneAuth TOTP

TOTP and biometrics are possession and inherence authentication methods, respectively, and are considered significantly more secure than knowledge-based factors. Using them to create your MFA policy can ensure protection from dictionary attacks, phishing, key-logging, and other forms of malicious attacks.

How to enable MFA for Cisco ASA AnyConnect VPN?

ADSelfService Plus' intuitive administrator portal prioritizes fine-grained and comprehensive VPN MFA policy configuration. Diverse MFA policies can be created and applied to Cisco AnyConnect users belonging to specific domain organizational units and groups. Admins can configure the preferred authenticators and enable them for the appropriate MFA policies. This way, users must undergo MFA flows reflective of their enterprise permissions and privileges.

  1. The user opens the Cisco ASA AnyConnect VPN client.
  2. The user completes the first stage of authentication using their AD domain credentials.
  3. If successful, ADSelfService Plus initiates the MFA process involving up to three stages of authentication.
  4. Once the user completes the MFA process, they are logged into Cisco AnyConnect VPN.

The ADSelfService Plus VPN MFA process also accommodates vendor-specific RADIUS attributes that may determine access and authorization. The solution uses an NPS extension that relays the RADIUS request from the Cisco AnyConnect VPN server to ADSelfService Plus, and relays the RADIUS accept status back to the VPN server upon successful MFA. This response can also include response attributes that carry any custom Cisco AnyConnect attribute information passed on during the RADIUS request, such as group membership, resource permissions, and authorization.
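When an extra hop sits in the RADIUS path, it is worth confirming that the Access-Accept reaching the VPN server is authentic and still carries the authorization attributes. The following is an added example, not ManageEngine or Cisco code: it checks the RFC 2865 Response Authenticator and extracts the Class attribute and Cisco vendor-specific attributes. The shared secret, the Class value and the vendor attribute string are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2          # RFC 2865 packet code
ATTR_CLASS = 25            # RFC 2865 Class
ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 Vendor-Specific
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco

def attr(attr_type, value):
    """Encode one attribute (or VSA sub-attribute) as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_accept(identifier, request_auth, secret, attributes):
    """Build an Access-Accept with a valid Response Authenticator."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    digest = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + digest + attributes

def parse_accept(packet, request_auth, secret):
    """Check the Response Authenticator, then return Class and Cisco VSA values."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT or \
            struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attributes = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attributes + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    found, pos = {"class": [], "cisco_vsa": []}, 0
    while pos < len(attributes):
        a_len = attributes[pos + 1] if pos + 1 < len(attributes) else 0
        if a_len < 2 or pos + a_len > len(attributes):
            raise ValueError("bad attribute length")
        a_type, value = attributes[pos], attributes[pos + 2:pos + a_len]
        if a_type == ATTR_CLASS:
            found["class"].append(value.decode())
        elif a_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            # Value layout: Vendor-Id (4 bytes), vendor type, vendor length, data
            if struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
                found["cisco_vsa"].append((value[4], value[6:4 + value[5]].decode()))
        pos += a_len
    return found

# Constructed sample values, not taken from any real deployment.
SECRET, REQ_AUTH = b"constructed-shared-secret", bytes(range(16))
SAMPLE_ATTRS = attr(ATTR_CLASS, b"OU=RemoteStaff;") + attr(
    ATTR_VENDOR_SPECIFIC,
    struct.pack("!I", CISCO_VENDOR_ID) + attr(1, b"example-key=example-value"))
SAMPLE_ACCEPT = build_accept(7, REQ_AUTH, SECRET, SAMPLE_ATTRS)
```

Running `parse_accept` on a capture taken on the VPN side of the relay shows whether the attributes survived; an empty `class` or `cisco_vsa` list there means they were dropped along the way.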

Benefits of ADSelfService Plus' VPN MFA:

  • Conditional access: ADSelfService Plus' conditional access feature enhances VPN MFA by applying specific authentication policies that evaluate conditions like IP address, geolocation, device type, and time of access before granting access. For example, MFA might be pared down only if the user is logging in from a trusted network and using a compliant device during work hours. This approach ensures that only secure, verified access attempts are successful, reducing the risk of unauthorized access while improving security posture.
  • Real-time audits: ADSelfService Plus offers detailed, built-in reports that audit users' MFA attempts, and log crucial information including the time of MFA attempt, device type, IP address, and authenticator used. These logs can also be sent to a SIEM solution for further analysis and actionable response.
  • Holistic endpoint protection: ADSelfService Plus doesn't stop at securing just VPN logins. The solution's expansive MFA feature fortifies all crucial endpoints in an enterprise including machines, enterprise applications, Microsoft OWA, and IIS applications. This helps enterprises formulate an enterprise-wide identity security strategy that is comprehensive and yet tailor-made for each department.

Supported VPN providers:

ADSelfService Plus' VPN MFA capability is built on the standard RADIUS protocol and supports all RADIUS-based VPN providers including:

  • Juniper VPN MFA
  • OpenVPN MFA
  • Fortinet VPN MFA
  • Palo Alto VPN MFA
  • SonicWall VPN MFA
  • Checkpoint VPN MFA

You can enable MFA to secure non-VPN RADIUS endpoints such as Citrix Gateway, Microsoft Remote Desktop Gateway, and VMware Horizon View as well.

ADSelfService Plus also supports:

  • Adaptive MFA: Enable context-based MFA with 19 different authentication factors for endpoint and application logins.
  • Enterprise single sign-on: Allow users to access all enterprise applications with a single, secure authentication flow.
  • Remote work enablement: Enhance remote work with cached credential updates, secure logins, and mobile password management.
  • Powerful integrations: Establish an efficient and secure IT environment through integration with SIEM, ITSM, and IAM tools.
  • Enterprise self-service: Delegate profile updates and group subscriptions to end users and monitor these self-service actions with approval workflows.
  • Zero Trust: Create a Zero Trust environment with advanced identity verification techniques and render your networks impenetrable to threats.
