Configure LoginTC using Secondary Authentication on Cisco ASA

To keep using an existing AAA server group for primary authentication, the Secondary Authentication option can be used for LoginTC.



Here are instructions for configuring LoginTC as a Secondary Authentication on the Cisco ASA using Cisco ASDM. These instructions assume that an AAA Server Group for the LoginTC RADIUS Connector has already been created on the Cisco ASA (instructions: https://www.logintc.com/docs/connectors/cisco-asa.html#cisco-asa-configuration---quick-guide):


1. Navigate to Network (Client) Access > AnyConnect Connection Profiles and click Edit on your desired Connection Profile


2. In the left-hand pane, navigate to Advanced > Secondary Authentication


3. Ensure that "Server Group" is set to your LoginTC AAA Server Group and that "Use primary username" is checked

4. Click OK


Now we will set the secondary password field text to something more meaningful to the user.


5. Navigate to Network (Client) Access > AnyConnect Customization/Localization > GUI Text and Messages


6. Click Add and select the language you would like to change (e.g. "en")

7. Under the "Second Password" entry, set the msgstr value to "LoginTC Password:"

NOTE 1: This is a fairly large file and it may be easier to use "Save to File...". Edit the file with a text editor (e.g. Notepad) and search for "Second Password". Once finished, copy and paste the modified file back into this window.


NOTE 2: Depending on the Cisco ASDM version, this window may appear blank. You may need to click "Template" at the bottom of the GUI Text and Messages page and then click View > Save to File to get the original text. For more information please see: http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac11customize.html#74038.


8. Click OK


9. Apply the Changes
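For readers who prefer the ASA CLI, or who want to verify what ASDM wrote to the running configuration, the following is an added example of the equivalent CLI configuration for steps 1 through 9. It is not part of the LoginTC article. The AAA server group name "LoginTC", the connection profile (tunnel-group) name "AnyConnect-Profile", the RADIUS Connector address 192.0.2.10, the TFTP server 192.0.2.20 and the shared-secret placeholder are all assumed values for illustration.

```text
! Added example (not from the LoginTC article). Assumed names and addresses, see lead-in.

! Prerequisite the article assumes is already in place: the LoginTC RADIUS AAA server group.
aaa-server LoginTC protocol radius
aaa-server LoginTC (inside) host 192.0.2.10
 key <SHARED-SECRET-PLACEHOLDER>
 timeout 60
 ! A longer RADIUS timeout than the default gives the user time to approve a
 ! push request before the ASA treats the request as failed.

! Steps 1-4: secondary authentication on the connection profile, reusing the
! primary username so the user is not asked for a second username.
tunnel-group AnyConnect-Profile webvpn-attributes
 secondary-authentication-server-group LoginTC use-primary-username

! Steps 5-9: "GUI Text and Messages" in ASDM is the front end for the AnyConnect
! translation table. Export the template, edit the "Second Password" msgstr in a
! text editor, then import the edited file for language "en".
export webvpn translation-table AnyConnect template tftp://192.0.2.20/anyconnect.pot
import webvpn translation-table AnyConnect language en tftp://192.0.2.20/anyconnect_en.po

! Checks: confirm the secondary server group and the installed translation table.
show running-config tunnel-group AnyConnect-Profile
show import webvpn translation-table
```

After applying, confirm on a test client that the second prompt reads "LoginTC Password:" and that a deliberately wrong primary password is rejected before LoginTC is contacted, so the second factor is never reachable without a valid first factor.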


The Cisco AnyConnect VPN Client customization will only be updated after it is restarted and a successful VPN connection is made. It should look like:

In the "LoginTC Password" field the user may enter "1" or "push" to proceed to the next screen; any non-empty string is accepted here.


They will then be presented with the Challenge window:

Here the user authenticates using the 6-digit software OTP or enters "1" to receive a notification to approve. Make sure the Authentication Mode is set to "Challenge" on the LoginTC RADIUS Connector for this behaviour (https://www.logintc.com/docs/connectors/cisco-asa.html#client-and-encryption).
