Leveraging Cisco AnyConnect to provide remote VPN access to corporate resources is vital to enable a remote workforce. More and more people are using Cisco AnyConnect and Cisco’s Adaptive Security Appliance (ASA) to perform work remotely, so it is critical that strong two-factor authentication is integrated into Cisco’s VPN solution. Cisco’s solution is mature and has a number of options for integrating authentication vendors. Natively, user certificates and specifically smart cards are supported. Additionally, Cisco provides SAML and RADIUS integrations with identity providers (IdPs). These standard patterns provide a simple way to integrate a company's IdP with Cisco’s VPN solution, and a number of IdP vendors have good step-by-step guides on how to integrate their product with Cisco AnyConnect and ASA. This guide walks through setting up Duo’s RADIUS service for a standard Cisco ASA so that Yubico OTP can be used for MFA. See the appendix for other IdP partners’ RADIUS setup guides.
For organizations with non-standard or complex deployments, it is recommended to contact Yubico Sales for more information.
A high-level overview of the network configuration is shown below.
Yubico OTP is supported on all platforms because the OTP is emitted as ordinary keyboard input. The only thing to check is that the YubiKey’s hardware interface (USB-A, USB-C or Lightning) matches the devices your users connect from.
Cisco AnyConnect with YubiOTP Support per Operating System
Example: Securing CiscoASA with DUO via RADIUS
In our example scenario we utilise an existing Duo implementation to extend Yubico OTP authentication to the VPN infrastructure. Primary authentication is against the local Active Directory, followed by secondary authentication with the Yubico OTP.
Preparing the RADIUS Service
To enable RADIUS within Duo there are a few steps:
Enable the Cisco ASA VPN as a Duo application
Install the Duo RADIUS proxy within the on-premises infrastructure
Configure the connection between the local Cisco and the RADIUS proxy
Enabling RADIUS as an application is straightforward:
Log into your Duo admin panel - https://admin.duosecurity.com
Navigate to Applications->Protect an Application
Search for “Cisco RADIUS VPN” and click Protect
Make note of the Integration Key, Secret Key and API Hostname
Apply any policies that are required for your home workers; in our example we are enforcing 2FA for our Working From Home users.
The Application Proxy acts as a RADIUS gateway between the local Cisco VPN and the Duo platform. Again, the process is fairly straightforward:
Download the relevant gateway package
Refer to Duo documentation for the exact installation instructions, referenced at the end of this document.
Create a configuration file using the Integration Key, Secret Key and API Hostname noted down from the application configuration.
Start the service
Example configuration file:
Cisco RADIUS Enablement
Once the Duo platform and the local proxy service have been configured, the Cisco VPN itself needs to be configured to authenticate via the RADIUS service.
Whilst we are focusing on Cisco, this process should be much the same for any VPN solution, since RADIUS is a well-defined standard protocol.
There are two main actions required on the Cisco VPN:
Create an AAA RADIUS authentication source
Create or modify a VPN profile to use the new service
Again, refer to the full documentation for detailed steps; the basic configuration is shown below.
AAA RADIUS server config, using the “radius_secret” defined above:
Once the RADIUS service has been defined, it can be added to an existing profile or a new profile can be defined:
Client Side usage
If users are already accustomed to using the Cisco AnyConnect client then there is very little change to how they already work, and no changes to the users’ VPN client are required. The user flow is:
Start VPN client and select required profile if more than one
Enter username in the appropriate field
Enter the password, followed by a comma, then touch the YubiKey; it types the OTP followed by a carriage return, which submits the login
E.g. Username: fred
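As an added example (not code from this guide, Duo or Cisco), the Python below models what the RADIUS gateway has to do with the password field described above: split the user's "<password>,<OTP>" input into the Active Directory password and the second factor, and sanity-check that the second factor is structurally a Yubico OTP. The split-on-last-comma rule, the sample OTP and the function names are assumptions for illustration; actual verification of the OTP happens at the Duo service, not here.

```python
import re

# Yubico OTP layout: 44 modhex characters in total; the first 12 are the
# key's public identity, the remaining 32 are the encrypted token body.
MODHEX_ALPHABET = "cbdefghijklnrtuv"
OTP_RE = re.compile(r"^[%s]{44}$" % MODHEX_ALPHABET)
PUBLIC_ID_LEN = 12

# Constructed sample OTP for illustration (not the output of a real key).
SAMPLE_OTP = "cccccccccccc" + "tuvrlhkbgfnvdjdihrtrbiufdgdcletl"


def split_password_and_otp(field: str) -> tuple[str, str]:
    """Split '<password>,<otp>' on the LAST comma (assumed rule), so a
    password that itself contains commas survives; the OTP has none."""
    if "," not in field:
        raise ValueError("no comma separating password from passcode")
    password, passcode = field.rsplit(",", 1)
    # Modhex is lowercase; normalise in case caps lock was on when the key typed.
    return password, passcode.strip().lower()


def is_yubico_otp(token: str) -> bool:
    """Structural check only (44 modhex chars); it does not verify the
    OTP, which is the job of the Duo service behind the RADIUS proxy."""
    return OTP_RE.match(token) is not None


def public_id(token: str) -> str:
    """First 12 modhex chars: identifies which YubiKey produced the OTP,
    which is what a service uses to map a key to a user."""
    if not is_yubico_otp(token):
        raise ValueError("not a well-formed Yubico OTP")
    return token[:PUBLIC_ID_LEN]


def parse_anyconnect_password_field(field: str) -> dict:
    """What the gateway learns from the AnyConnect password field."""
    password, passcode = split_password_and_otp(field)
    if is_yubico_otp(passcode):
        return {"password": password, "factor": "yubico_otp",
                "public_id": public_id(passcode), "passcode": passcode}
    # Anything else is reported as a non-Yubico passcode for the caller to handle.
    return {"password": password, "factor": "other", "passcode": passcode}
```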
DUO and Cisco resources
Admin Portal -
Duo Installation Guide -
Sample of other partners’ Cisco VPN integration resources
Cisco smart card integration
Ping Identity integration