Last updated on July 8, 2025
Overview of MFA for Cisco AnyConnect VPN with Cisco FTD Firepower Firewall
This documentation describes how to integrate Rublon MFA with Cisco FTD Firepower Firewall using the LDAP protocol to enable multi-factor authentication for logins using the Cisco AnyConnect VPN.
Supported Authentication Methods
Before You Start Configuring MFA for Cisco AnyConnect VPN with Cisco FTD Firepower Firewall using LDAP
Before configuring Rublon MFA for Cisco AnyConnect VPN with Cisco FTD Firepower Firewall:
- Ensure you have prepared all required components.
- Create an application in the Rublon Admin Console.
- Install the Rublon Authenticator mobile app.
Required Components
1. User Identity Provider (IdP) – You need an external Identity Provider, such as Microsoft Active Directory or OpenLDAP.
2. Rublon Authentication Proxy – Install the Rublon Authentication Proxy if you have not already done so, and configure it as an LDAP proxy.
3. Cisco AnyConnect VPN with Cisco FTD Firepower Firewall – A properly installed and configured Cisco AnyConnect VPN and Cisco FTD Firepower Firewall.
Create an Application in the Rublon Admin Console
1. Sign up for the Rublon Admin Console. Here’s how.
2. In the Rublon Admin Console, go to the Applications tab and click Add Application.
3. Enter a name for your application (e.g., Cisco VPN) and then set the type to Rublon Authentication Proxy.
4. Click Save to add the new application in the Rublon Admin Console.
Install Rublon Authenticator
Some end-users will probably use the Rublon Authenticator mobile app. As the person configuring MFA for Cisco AnyConnect VPN with Cisco FTD Firepower Firewall, we highly recommend that you install the Rublon Authenticator mobile app too, so that you can test MFA for Cisco AnyConnect VPN with Cisco FTD Firepower Firewall via Mobile Push.
Download the Rublon Authenticator for:
Configuring Multi-Factor Authentication (MFA) for Cisco AnyConnect VPN with Cisco FTD Firepower Firewall using LDAP
1. Log in to Cisco FTD Device Manager.
2. From the top bar, select Objects and then select Identity Sources from the left pane.

3. Click the plus icon and select AD Realm.

4. Create a new identity realm and click OK to save the realm. Refer to the following table.

| Field | Description |
| --- | --- |
| Name | A name for the AD/LDAP connection |
| Directory Username | The Bind DN of the user from your AD/LDAP in LDAP notation (e.g., CN=rublonadmin,OU=Rublon,dc=rublondemo,dc=local) |
| Directory Password | The password of the user defined in Directory Username |
| Base DN | Base DN from your AD/LDAP (where to search for users), e.g., OU=Rublon,dc=rublondemo,dc=local |
| AD Primary Domain | The name of your domain (e.g., rublondemo.local) |
| Hostname / IP Address | The IP address of the Rublon Authentication Proxy server |
| Port | The port of the Rublon Auth Proxy server (389 for LDAP or 636 for LDAPS) |
| Interface | Select the interface where the Rublon Auth Proxy server is available |
| Encryption | Select LDAPS if you connect over LDAPS |
| Trusted CA Certificate | Select a trusted CA cert for LDAPS |
| TEST | Click TEST to verify your settings. Upon successful connection, you should see “Connection to realm is successful.” |
5. Deploy your configuration to save the new Identity Source.

6. Now, you need to specify the new Identity Source in the Cisco Remote VPN configuration. From the top bar, select Device: <hostname> (where <hostname> is the name of your instance) and then select View Configuration in the Remote Access VPN section.

7. View the configuration of your existing Remote Access VPN.

8. Edit the configuration of your Remote Access VPN.

9. Add the Rublon Auth Proxy Identity Source under Primary Identity Source for User Authentication.

10. Save and close your Remote Access VPN Settings, and then deploy changes to Cisco FTD.
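The realm values from step 4 can be checked for consistency before they are entered in the Device Manager. The following is an added example, not Rublon or Cisco code; the dictionary keys, the `NONE` encryption label and the CA certificate name are assumptions, and the DC-to-domain comparison applies to Active Directory naming rather than to every OpenLDAP layout.

```python
# Added example; dictionary keys and the "NONE" label are assumptions of this sketch.
def split_dn(dn):
    """Split a DN into (ATTR, value) pairs, honouring backslash escapes."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        escaped = ch == "\\" and not escaped
    parts.append(cur)
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not (sep and attr.strip() and value.strip()):
            raise ValueError(f"malformed RDN {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def lint_realm(realm):
    """Return a list of findings; an empty list means no issue was found."""
    findings = []
    for field in ("directory_username", "base_dn"):
        try:
            split_dn(realm[field])
        except ValueError as exc:
            findings.append(f"{field}: {exc}")
    if not findings:
        # In Active Directory the DC components spell the DNS domain name.
        dcs = [v for a, v in split_dn(realm["base_dn"]) if a == "DC"]
        if ".".join(dcs).lower() != realm["ad_primary_domain"].lower():
            findings.append("base_dn: DC components differ from ad_primary_domain")
    enc, port = realm["encryption"].upper(), realm["port"]
    if enc == "LDAPS":
        if port != 636:
            findings.append("port: LDAPS selected but port is not 636")
        if not realm.get("trusted_ca_certificate"):
            findings.append("trusted_ca_certificate: needed to verify the proxy over LDAPS")
    elif enc == "NONE":
        findings.append("encryption: plain LDAP sends bind and user passwords unencrypted")
    return findings

# Constructed sample values modelled on the examples in the table.
WEAK = {"directory_username": "CN=rublonadmin,OU=Rublon,dc=rublondemo,dc=local",
        "base_dn": "OU=Rublon,dc=rublondemo,dc=local", "ad_primary_domain": "rublondemo.local",
        "port": 389, "encryption": "NONE", "trusted_ca_certificate": None}
HARDENED = dict(WEAK, port=636, encryption="LDAPS", trusted_ca_certificate="rublon-proxy-ca")
```

`lint_realm(WEAK)` reports the unencrypted bind, while `lint_realm(HARDENED)` returns an empty list.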
Testing Multi-Factor Authentication (MFA) for Cisco AnyConnect VPN with Cisco FTD Firepower Firewall Integrated Via LDAP
This example shows logging in to Cisco AnyConnect VPN with Cisco FTD Firepower Firewall with Rublon Multi-Factor Authentication. Mobile Push has been set as the second factor in the Rublon Authentication Proxy configuration (AUTH_METHOD was set to push).
1. Open the Cisco AnyConnect Secure Mobility Client and connect to the public FQDN/IP of your Remote Access VPN.

2. Enter the username and password from your Active Directory/OpenLDAP server.
3. Rublon will send a Mobile Push authentication request to your phone. Tap APPROVE.

4. You will be logged in to Cisco AnyConnect VPN with Cisco FTD Firepower Firewall.
Troubleshooting MFA for Cisco AnyConnect VPN with Cisco FTD Firepower Firewall Using LDAP
If you encounter any issues with your Rublon integration, please contact Rublon Support.