• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer

Company · Blog · Newsletter · Events · Partner Program

Downloads      Support      Security     Admin Login
Rublon

Rublon

Secure Remote Access

  • Product
    • Regulatory Compliance
    • Use Cases
    • Rublon Reviews
    • Authentication Basics
    • What is MFA?
    • Importance of MFA
    • User Experience
    • Authentication Methods
    • Rublon Authenticator
    • Remembered Devices
    • Logs
    • Single Sign-On
    • Access Policies
    • Directory Sync
  • Solutions
    • MFA for Remote Desktop
    • MFA for Remote Access Software
    • MFA for Windows Logon
    • MFA for Linux
    • MFA for Active Directory
    • MFA for LDAP
    • MFA for RADIUS
    • MFA for SAML
    • MFA for RemoteApp
    • MFA for Workgroup Accounts
    • MFA for Entra ID
  • Customers
  • Industries
    • Financial Services
    • Investment Funds
    • Retail
    • Technology
    • Healthcare
    • Legal
    • Education
    • Government
  • Pricing
  • Docs
Contact Sales Free Trial

Multi-Factor Authentication (2FA/MFA) for Cisco AnyConnect VPN with ASA – RADIUS

2FA/MFA for Cisco AnyConnect VPN using RADIUS

February 9, 2021 By Rublon Authors

Last updated on June 12, 2025

Note: If you are looking for a way to integrate Rublon with Cisco FTD Firepower Firewall, refer to MFA for Cisco AnyConnect VPN with Cisco FTD Firepower Firewall – RADIUS and MFA for Cisco AnyConnect VPN with Cisco FTD Firepower Firewall – LDAP(S).

Overview

The purpose of this document is to enable Rublon Two-Factor Authentication (2FA) for users logging in to Cisco AnyConnect VPN with ASA. In order to achieve that using RADIUS (e.g. FreeRADIUS) as your authentication source, you have to use Rublon Authentication Proxy, an on-premise RADIUS proxy server, which allows you to integrate Rublon with Cisco AnyConnect VPN to add Two-Factor Authentication to your VPN logins.

Demo Video

Supported Authentication Methods

Authentication Method Supported Comments
Mobile Push ✔ N/A
WebAuthn/U2F Security Key – N/A
Passcode ✔ N/A
SMS Passcode – N/A
SMS Link ✔ N/A
Phone Call ✔ N/A
QR Code – N/A
Email Link ✔ N/A
YubiKey OTP Security Key ✔ N/A

Demo Video

Before you start

You need to install and configure Rublon Authentication Proxy before configuring Cisco AnyConnect VPN with ASA to work with it. Read Rublon Authentication Proxy and follow the steps in Installation and Configuration sections. Afterwards, continue with this document.

Required Components

  • Cisco ASA Firewall with firmware, versions from 9.6(22) up.
  • ASDM software, version 7.8(2) or higher.
  • Rublon Authentication Proxy

Cisco ASA initial assumptions

  • Can communicate with Rublon Authentication Proxy.
  • Has a correctly configured “outside” interface.
  • Has its own properly configured SSL certificate (you can check it in: Configuration → Remote Access VPN → Clientless SSL VPN Access → Connection Profiles → Access Certificate → Device Certificate).
  • Enables access to its configuration by Cisco ASDM application.

Configuration

This section will guide you on how to use Rublon Authentication Proxy with Cisco AnyConnect VPN with ASA if you are using RADIUS as your authentication source.

1. Sign in to your Cisco ASA firewall with ASDM.

2. Click Configuration and then select Remote Access VPN (at the bottom of the page).

3. In the left pane, extend Clientless SSL VPN Access and select Connection Profiles.

4. Select a Connection Profile and click Edit to edit an existing profile or click Add to create a new Connection Profile.

5. Locate the Authentication section and select AAA in Method. Click Manage….

6. Click Add. Set a name for your server group and select RADIUS in Protocol.

7. Set Accounting Mode to Single.

8. Set Reactivation to Depletion.

9. Click OK.

10. Navigate to Servers just below and click Add to add your Rublon Authentication Proxy server.

11. Select the interface through which ASA is to communicate with Rublon Authentication Proxy.

12. Set Timeout to 60 seconds.

13. Set Server Authentication Port to 1812 and Server Accounting Port to 1813.

14. Set Retry Interval to 10 seconds. 

15. Enter the RADIUS Secret set in Rublon Authentication Proxy as Server Secret Key in this form.

16. Set ACL Netmask Convert to Standard.

17. Click OK and then click OK again.

18. Go to Configuration → Remote Access VPN → Network (Client) Access → AnyConnect Connection Profiles and check SSL Enabled next to the name of your connection profile.

19. For AnyConnect client and Web connections to work, edit your Group Policy connected to your profile. Go to General → More Options and check Clientless SSL VPN and SSL VPN Client.

20. Click OK, then click OK again, and finally click Apply.

21. Changes will be sent to ASA. Your configuration is complete.

Log in to ASA VPN with Rublon 2FA

This example portrays logging in to Cisco ASA VPN via the Cisco WebVPN page. Mobile Push has been set as the second factor in Rublon Authentication Proxy configuration (AUTH_METHOD was set to push).

1. Open the Cisco WebVPN page.

2. Select your group.

3. Provide your username and password and click Login.

4. You will be sent an automatic push notification on your phone.

5. Tap APPROVE.

6. You will be logged in to Cisco ASA VPN.

Troubleshooting

Blast-RADIUS Vulnerability Protection

RADIUS integrations may enforce the validation of the Message-Authenticator RADIUS attribute as part of their mitigations for the Blast-RADIUS vulnerability.

The Rublon Authentication Proxy supports the Message-Authenticator attribute starting from version 3.5.3. The Rublon Auth Proxy uses the force_message_authenticator option in the configuration file (set to true by default) to safeguard against Blast-RADIUS attacks.

If you are experiencing issues with your RADIUS integration, ensure that the force_message_authenticator is set to true.

If you are using Rublon Authentication Proxy 3.5.2 or older, update to the newest available version.

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon Authentication Proxy

Rublon Authentication Proxy – Integrations

Filed Under: Documentation

Primary Sidebar

Contents

  • Overview
  • Demo Video
  • Supported Authentication Methods
  • Demo Video
  • Before you start
    • Required Components
    • Cisco ASA initial assumptions
  • Configuration
  • Log in to ASA VPN with Rublon 2FA
  • Troubleshooting
  • Related Posts
Try Rublon for Free
Start your 30-day Rublon Trial to secure your employees using multi-factor authentication.
No Credit Card Required


Footer

Product

  • Regulatory Compliance
  • Use Cases
  • Rublon Reviews
  • Authentication Basics
  • What is MFA?
  • Importance of MFA
  • User Experience
  • Authentication Methods
  • Rublon Authenticator
  • Remembered Devices
  • Logs
  • Single Sign-On
  • Access Policies
  • Directory Sync

Solutions

  • MFA for Remote Desktop
  • MFA for Windows Logon
  • MFA for Remote Access Software
  • MFA for Linux
  • MFA for Active Directory
  • MFA for LDAP
  • MFA for RADIUS
  • MFA for SAML
  • MFA for RemoteApp
  • MFA for Workgroup Accounts
  • MFA for Entra ID

Industries

  • Financial Services
  • Investment Funds
  • Retail
  • Technology
  • Healthcare
  • Legal
  • Education
  • Government

Documentation

  • 2FA for Windows & RDP
  • 2FA for RDS
  • 2FA for RD Gateway
  • 2FA for RD Web Access
  • 2FA for SSH
  • 2FA for OpenVPN
  • 2FA for SonicWall VPN
  • 2FA for Cisco VPN
  • 2FA for Office 365

Support

  • Knowledge Base
  • FAQ
  • System Status

About

  • About Us
  • Blog
  • Events
  • Co-funded by the European Union
  • Contact Us

  • Facebook
  • GitHub
  • LinkedIn
  • Twitter
  • YouTube

© 2025 Rublon · Imprint · Legal & Privacy · Security

  • English