AnyConnect · ASA · RADIUS

MFA for Cisco AnyConnect

Cisco AnyConnect on the ASA is the remote-access backbone for thousands of enterprises — and a favorite target, because a username and password is often all that stands between the internet and the inside network. The ASA authenticates AnyConnect users against a RADIUS AAA server but provides no native MFA. Authnull becomes that AAA server (or proxies your existing one) and enforces a second factor on every AnyConnect session. You add an aaa-server group pointing at Authnull, attach it to the tunnel-group, and a push or OTP challenge is required before the VPN connects.

At a glance
Vendor: Cisco (ASA / FTD)
Connects via: RADIUS
Protects: Remote-access VPN
Deployment: Agentless
Setup time: 20 minutes
No rip-and-replace — sits in front of your existing setup
How Authnull connects

Cisco AnyConnect forwards the login; Authnull adds the factor.

Diagram: Cisco AnyConnect (user connects) → Authnull (RADIUS) → Directory (AD / LDAP); Authnull → User device (approve factor).

The ASA forwards the login to Authnull over RADIUS; Authnull validates the password against AD/LDAP, challenges for the factor, and returns Access-Accept only after the factor is approved. Because the ASA holds the RADIUS request open while the user approves the push, set a generous timeout on the Authnull AAA server host entry (step 3) so the push has time to land before the ASA gives up.

Setup

Configure MFA for Cisco AnyConnect

Real steps — the exact menus, fields, and values. Follow along in your console; the whole thing takes about 20 minutes.

1. Define Authnull as an AAA server group

Create a RADIUS AAA server group and add the Authnull connector as a host with your shared secret.

ASA config
aaa-server AUTHNULL protocol radius
aaa-server AUTHNULL (inside) host 10.0.0.20
  key <shared-secret>
  authentication-port 1812

2. Attach it to the tunnel-group

Point your AnyConnect tunnel-group at the new AAA server group for authentication.

ASA config
tunnel-group RA-VPN general-attributes
  authentication-server-group AUTHNULL

3. Increase the AAA timeout

Give the user time to approve the factor before the ASA gives up on the RADIUS response.

ASA config
aaa-server AUTHNULL (inside) host 10.0.0.20
  timeout 60

4. Apply to the group-policy

Ensure the connection profile uses the group-policy bound to this tunnel-group, then save the configuration.

5. Test the connection

Log in with AnyConnect using a test account. Expect a password prompt followed by an MFA challenge; approval establishes the tunnel.
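To make the RADIUS side of steps 1 to 5 concrete, here is an added worked example of the exchange the ASA and an MFA-capable RADIUS server carry out (RFC 2865 PAP plus Access-Challenge). It is illustration code written for this page, not Cisco's or Authnull's implementation. The shared secret, the directory, the OTP value and the State-based challenge are all constructed assumptions; `mfa_server()` is a stand-in for the MFA server, and `asa_login()` plays the ASA. It shows the two things a practitioner checking this integration cares about: the PAP password is only obfuscated with MD5 and the shared secret (so the secret must be strong and the RADIUS path kept on a trusted segment), and every reply is bound to the request through the Response Authenticator, which is why a wrong secret fails closed rather than open. The OTP leg is the "PAP / push" method from the reference table with the user typing a code; a push flow differs only in that the server holds the first Access-Request until the device approves, which is the reason step 3 raises the timeout.

```python
"""RADIUS PAP + Access-Challenge exchange (RFC 2865) between a VPN head-end
and an MFA-capable RADIUS server. Constructed illustration: asa_login() plays
the ASA; mfa_server() is a stand-in for the MFA server, not Authnull's code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

SERVER_SECRET = b"shared-secret"         # constructed; stands in for "key <shared-secret>"
DIRECTORY = {"alice": b"correct horse"}  # constructed stand-in for the AD/LDAP password check
OTP_STORE = {"alice": b"492113"}         # constructed: the code the user's device would show
PENDING = {}                             # State value -> user whose password leg succeeded

def pap_obfuscate(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out

def pap_reveal(obfuscated, secret, authenticator):
    """Inverse of pap_obfuscate; the chaining value is the previous obfuscated block."""
    out, prev = b"", authenticator
    for i in range(0, len(obfuscated), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = obfuscated[i:i + 16]
        out += bytes(x ^ y for x, y in zip(prev, block))
    return out.rstrip(b"\x00")

def encode_attrs(attrs):
    # Each attribute is Type(1) Length(1, header included) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(data):
    """Return (code, id, authenticator, [(type, value), ...]); refuse inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], attrs

def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code|ID|Length|RequestAuth|Attributes|Secret): the head-end's proof the reply is genuine."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def build_response(code, ident, req_auth, secret, attrs):
    return build_packet(code, ident, response_authenticator(code, ident, req_auth, attrs, secret), attrs)

def verify_response(data, req_auth, secret):
    code, ident, auth, attrs = parse_packet(data)
    return hmac.compare_digest(auth, response_authenticator(code, ident, req_auth, attrs, secret))

def mfa_server(request):
    """Stand-in MFA RADIUS server: leg 1 checks the password, leg 2 checks the OTP."""
    code, ident, req_auth, attrs = parse_packet(request)
    a = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in a or USER_PASSWORD not in a:
        return build_response(ACCESS_REJECT, ident, req_auth, SERVER_SECRET, [])
    user = a[USER_NAME].decode(errors="replace")
    presented = pap_reveal(a[USER_PASSWORD], SERVER_SECRET, req_auth)
    if STATE not in a:  # leg 1: password against the directory
        if user not in DIRECTORY or not hmac.compare_digest(DIRECTORY[user], presented):
            return build_response(ACCESS_REJECT, ident, req_auth, SERVER_SECRET, [(REPLY_MESSAGE, b"bad credentials")])
        state = os.urandom(16)
        PENDING[state] = user
        return build_response(ACCESS_CHALLENGE, ident, req_auth, SERVER_SECRET,
                              [(REPLY_MESSAGE, b"Enter OTP"), (STATE, state)])
    if PENDING.pop(a[STATE], None) == user and user in OTP_STORE and hmac.compare_digest(OTP_STORE[user], presented):
        return build_response(ACCESS_ACCEPT, ident, req_auth, SERVER_SECRET, [])  # leg 2: OTP matched
    return build_response(ACCESS_REJECT, ident, req_auth, SERVER_SECRET, [(REPLY_MESSAGE, b"bad OTP")])

def asa_login(username, password, otp, secret=SERVER_SECRET):
    """Drive the two-leg exchange the way the head-end does; return the final RADIUS code."""
    creds, state, ident = password.encode(), None, 0
    while True:
        req_auth = os.urandom(16)  # fresh Request Authenticator per packet
        attrs = [(USER_NAME, username.encode()), (USER_PASSWORD, pap_obfuscate(creds, secret, req_auth))]
        if state is not None:
            attrs.append((STATE, state))  # echo State so the server can link the two legs
        resp = mfa_server(build_packet(ACCESS_REQUEST, ident, req_auth, attrs))
        if not verify_response(resp, req_auth, secret):
            raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
        code, _, _, rattrs = parse_packet(resp)
        if code != ACCESS_CHALLENGE:
            return code
        state, creds, ident = dict(rattrs)[STATE], otp.encode(), ident + 1
```

`asa_login("alice", "correct horse", "492113")` returns Access-Accept; a wrong password or wrong OTP returns Access-Reject, and a client configured with a different shared secret raises on the Response Authenticator check instead of trusting the reply. That last behaviour is the one to confirm when the step 5 test fails: a secret mismatch between the `key` line and the Authnull connector shows up on the ASA as RADIUS failures even though Authnull sees the request.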

Reference — connection values
Protocol: RADIUS
Auth port: 1812
Timeout: 60s
Method: PAP / push

Closes the MFA gap auditors look for

Enforcing MFA on Cisco AnyConnect gives you evidence for the remote-access and privileged-access controls in SOC 2 and the access requirements under CCPA — with per-login logs you can hand straight to an assessor.

Add MFA to Cisco AnyConnect — free to start.

Spin up Authnull, point Cisco AnyConnect at it, and enforce a factor on a pilot group today. No card, no rip-and-replace.

Get in touch