Multi-Factor Authentication for Cisco AnyConnect VPN - RADIUS - Rublon

February 9, 2021 By Rublon Authors

Last updated on June 12, 2025

Note: If you are looking for a way to integrate Rublon with Cisco FTD Firepower Firewall, refer to MFA for Cisco AnyConnect VPN with Cisco FTD Firepower Firewall – RADIUS and MFA for Cisco AnyConnect VPN with Cisco FTD Firepower Firewall – LDAP(S).

Overview

The purpose of this document is to enable Rublon Two-Factor Authentication (2FA) for users logging in to Cisco AnyConnect VPN with ASA. In order to achieve that using RADIUS (e.g. FreeRADIUS) as your authentication source, you have to use Rublon Authentication Proxy, an on-premise RADIUS proxy server, which allows you to integrate Rublon with Cisco AnyConnect VPN to add Two-Factor Authentication to your VPN logins.

Demo Video

Supported Authentication Methods

Authentication Method	Supported	Comments
Mobile Push	✔	N/A
WebAuthn/U2F Security Key	–	N/A
Passcode	✔	N/A
SMS Passcode	–	N/A
SMS Link	✔	N/A
Phone Call	✔	N/A
QR Code	–	N/A
Email Link	✔	N/A
YubiKey OTP Security Key	✔	N/A

Demo Video

Before you start

You need to install and configure Rublon Authentication Proxy before configuring Cisco AnyConnect VPN with ASA to work with it. Read Rublon Authentication Proxy and follow the steps in Installation and Configuration sections. Afterwards, continue with this document.

Required Components

Cisco ASA Firewall with firmware, versions from 9.6(22) up.
ASDM software, version 7.8(2) or higher.
Rublon Authentication Proxy

Cisco ASA initial assumptions

Can communicate with Rublon Authentication Proxy.
Has a correctly configured “outside” interface.
Has its own properly configured SSL certificate (you can check it in: Configuration → Remote Access VPN → Clientless SSL VPN Access → Connection Profiles → Access Certificate → Device Certificate).
Enables access to its configuration by Cisco ASDM application.

Configuration

This section will guide you on how to use Rublon Authentication Proxy with Cisco AnyConnect VPN with ASA if you are using RADIUS as your authentication source.

1. Sign in to your Cisco ASA firewall with ASDM.

2. Click Configuration and then select Remote Access VPN (at the bottom of the page).

3. In the left pane, extend Clientless SSL VPN Access and select Connection Profiles.

4. Select a Connection Profile and click Edit to edit an existing profile or click Add to create a new Connection Profile.

5. Locate the Authentication section and select AAA in Method. Click Manage….

6. Click Add. Set a name for your server group and select RADIUS in Protocol.

7. Set Accounting Mode to Single.

8. Set Reactivation to Depletion.

9. Click OK.

10. Navigate to Servers just below and click Add to add your Rublon Authentication Proxy server.

11. Select the interface through which ASA is to communicate with Rublon Authentication Proxy.

12. Set Timeout to 60 seconds.

13. Set Server Authentication Port to 1812 and Server Accounting Port to 1813.

14. Set Retry Interval to 10 seconds.

15. Enter the RADIUS Secret set in Rublon Authentication Proxy as Server Secret Key in this form.

16. Set ACL Netmask Convert to Standard.

17. Click OK and then click OK again.

18. Go to Configuration → Remote Access VPN → Network (Client) Access → AnyConnect Connection Profiles and check SSL Enabled next to the name of your connection profile.

19. For AnyConnect client and Web connections to work, edit your Group Policy connected to your profile. Go to General → More Options and check Clientless SSL VPN and SSL VPN Client.

20. Click OK, then click OK again, and finally click Apply.

21. Changes will be sent to ASA. Your configuration is complete.

Log in to ASA VPN with Rublon 2FA

This example portrays logging in to Cisco ASA VPN via the Cisco WebVPN page. Mobile Push has been set as the second factor in Rublon Authentication Proxy configuration (AUTH_METHOD was set to push).

1. Open the Cisco WebVPN page.

2. Select your group.

3. Provide your username and password and click Login.

4. You will be sent an automatic push notification on your phone.

5. Tap APPROVE.

6. You will be logged in to Cisco ASA VPN.

Troubleshooting

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Rublon Authentication Proxy

Rublon Authentication Proxy – Integrations