Last updated on July 1, 2026
Note: If you are looking for a way to integrate Rublon with Cisco FTD Firepower Firewall, refer to MFA for Cisco AnyConnect VPN with Cisco FTD Firepower Firewall – RADIUS and MFA for Cisco AnyConnect VPN with Cisco FTD Firepower Firewall – LDAP(S).
Overview
Enable Entra ID logins to Cisco AnyConnect VPN with ASA using Rublon MFA
If Cisco AnyConnect VPN with ASA authenticates users through LDAP or RADIUS, you can use Rublon Authentication Proxy to validate primary credentials against Microsoft Entra ID and then enforce Rublon MFA. This allows users to sign in to Cisco AnyConnect VPN with ASA with Microsoft Entra ID credentials, even when Cisco AnyConnect VPN with ASA does not support Microsoft Entra ID, SAML, OAuth 2.0, or OpenID Connect natively.
See how to authenticate LDAP and RADIUS with Microsoft Entra ID credentials and MFA, or explore the related use case: Microsoft Entra ID logins for LDAP and RADIUS applications with MFA.
Demo Video
Supported Authentication Methods
| Authentication Method | Supported | Comments |
| Mobile Push | ✔ | N/A |
| FIDO | ✔ | N/A |
| Passcode | ✔ | N/A |
| SMS Passcode | ✔ | N/A |
| SMS Link | ✔ | N/A |
| Phone Call | ✔ | N/A |
| QR Code | ✔ | N/A |
| Email Link | ✔ | N/A |
| YubiKey OTP | ✔ | N/A |
| RFID | – | N/A |
Before you start
Required Components
- Cisco ASA Firewall with firmware, versions from 9.6(22) up.
- ASDM software, version 7.8(2) or higher.
- Rublon Authentication Proxy
Cisco ASA initial assumptions
- Can communicate with Rublon Authentication Proxy.
- Has a correctly configured “outside” interface.
- Has its own properly configured SSL certificate (you can check it in: Configuration → Remote Access VPN → Clientless SSL VPN Access → Connection Profiles → Access Certificate → Device Certificate).
- Enables access to its configuration by the Cisco ASDM application.
Configuration
This section will guide you on how to use Rublon Authentication Proxy with Cisco AnyConnect VPN with ASA if you are using RADIUS as your authentication source.
1. Sign in to your Cisco ASA firewall with ASDM.
2. Click Configuration and then select Remote Access VPN (at the bottom of the page).
3. In the left pane, extend Clientless SSL VPN Access and select Connection Profiles.
4. Select a Connection Profile and click Edit to edit an existing profile or click Add to create a new Connection Profile.

5. Locate the Authentication section and select AAA in Method. Click Manage….
6. Click Add. Set a name for your server group and select RADIUS in Protocol.
7. Set Accounting Mode to Single.
8. Set Reactivation to Depletion.

14. Set Retry Interval to 10 seconds.
15. Enter the RADIUS Secret set in Rublon Authentication Proxy as Server Secret Key in this form.
16. Set ACL Netmask Convert to Standard.

17. Click OK and then click OK again.
18. Go to Configuration → Remote Access VPN → Network (Client) Access → AnyConnect Connection Profiles and check SSL Enabled next to the name of your connection profile.
19. For AnyConnect client and Web connections to work, edit your Group Policy connected to your profile. Go to General → More Options and check Clientless SSL VPN and SSL VPN Client.
20. Click OK, then click OK again, and finally click Apply.
21. Changes will be sent to ASA. Your configuration is complete.
Log in to ASA VPN with Rublon 2FA
This example portrays logging in to Cisco ASA VPN via the Cisco WebVPN page. Mobile Push has been set as the second factor in Rublon Authentication Proxy configuration (AUTH_METHOD was set to push).
1. Open the Cisco WebVPN page.
2. Select your group.
3. Provide your username and password and click Login.


5. Tap APPROVE.
6. You will be logged in to Cisco ASA VPN.

