---
title: Configuring Cisco ASA VPN for PingID MFA
description: Configure Cisco ASA VPN to work with PingID multi-factor authentication (MFA).
component: pingid
page_id: pingid:pingid_integrations:pid_configuring_cisco_asa_vpn_for_pid_mfa
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_configuring_cisco_asa_vpn_for_pid_mfa.html
revdate: June 10, 2024
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  result: Result:
  result-2: Result:
  result-3: Result:
  result-4: Result:
  result-5: Result:
  result-6: Result:
---

# Configuring Cisco ASA VPN for PingID MFA

Configure Cisco ASA VPN to work with PingID multi-factor authentication (MFA).

## Before you begin

Configure the necessary settings in PingOne and PingFederate.

## About this task

Configuring Cisco ASA for MFA involves the following steps:

* Adding an AAA server group

* Adding a RADIUS PCV server configuration

* One or both of the following steps:

  * Configuring a clientless SSL VPN

  * Configuring the network client profile

The following video describes the configuration process for your Cisco ASA VPN.

[Video: Configuring Cisco ASA VPN](_images/Configuring_Cisco_ASA_VPN.mp4)

## Steps

1. In the Cisco ASDM client, create an AAA Server Group to manage the security required for the RADIUS PCV Server configuration.

   1. In the Cisco ASDM client, click **Configuration**, and then click **Remote Access VPN**.

      ![A screen capture of the Configuration tab in the Cisco ASDM client.](_images/oxs1564020986157.jpg)

   2. In the **Remote Access VPN** navigation tree, go to **AAA/Local Users → AAA Server Groups**.

      ![A screen capture of the Remote Access VPN navigation tree in the Cisco ASDM client. The AAA/Local User and AAA Server Groups sections are highlighted.](_images/hxc1564020986904.jpg)

   3. In the **AAA Server Groups** pane, click **Add**.

      ![A screen capture of the AAA Server Groups pane in the Cisco ASDM client. A red rectangle highlights the Add button near the top right corner.](_images/wil1564020987513.jpg)

      ### Result:

      The **Add AAA Server Group** dialog box opens.

      ![A screen capture of the Add AAA Server Group dialog box in the Cisco ASDM client.](_images/vzm1564020988127.bmp)

   4. Enter values for the following parameters:

      * **AAA Server Group**: Enter the new server group name.

      * **Protocol**: Select the `RADIUS` protocol.

      * Accept the default values for all other fields, as shown in the **AAA Server Group** dialog box.

   5. Click **OK**.

2. Add a new RADIUS PCV server configuration to the server group that you just created.

   1. In the **AAA Server Groups** pane, from the **Server Group** list, double-click the server group that you created in the previous step.

      ![A screen capture of the AAA Server Groups pane in the Cisco ASDM client.](_images/gqz1564020988742.png)

   2. In the **Servers in the Selected Group** pane, click **Add**.

      ![A screen capture of the Servers in the Selected Group pane in the Cisco ASDM client. The Add button is circled.](_images/cvh1564020989408.jpg)

      ### Result:

      The **Add AAA Server** dialog box opens.

      ![A screen capture of the Add AAA Server dialog box in the Cisco ASDM client.](_images/ihs1564020989978.jpg)

   3. Enter values for the following parameters:

      * **Server Name or IP Address:** Enter the IP address or server name of the PingFederate server that contains the RADIUS PCV server.

      * **Timeout:** Change the timeout value to 60 seconds.

        This allows sufficient time for MFA to receive the necessary authentication approval.

      * **Server Authentication Port:** Enter the port number configured in the RADIUS Server PCV. The default value is 1812.

      * **Server Accounting Port:** Enter the port number configured in the RADIUS Server PCV.

        The **Server Accounting Port** number should be the next consecutive port following the port number configured for the **Server Authentication Port**. The default **Server Accounting Port** value is 1813.

      * **Server Secret Key:** Enter the shared secret configured in the RADIUS Server PCV.

   4. Click **OK**.

3. Configure a Clientless SSL VPN.

   If you do not plan on using a clientless SSL VPN, you can skip to the next section, which provides instructions on configuring the network client profile.

   This includes the following steps:

   * Configuring the connection profile by configuring the connection profile name, linking the AAA Server group to the Clientless SSL VPN profile, and selecting the related security policy.

   * Configuring the connection alias.

   * Configuring the group URL by defining the URL link that you provide to the user. The user enters the URL to sign on to the system through a browser.

     1. In the **Remote Access VPN** navigation tree, go to **Clientless SSL VPN Access → Connection Profiles**.

        ![A screen capture of the Remote Access VPN navigation tree in the Cisco ASDM client.](_images/dhf1564020990526.jpg)

     2. In the **Connection Profiles** section, click **Add**.

        ![A screen capture of the Connection Profiles section in the Cisco ASDM client. The Add button is circled.](_images/rih1564020991092.bmp)

        ### Result:

        The **Add Clientless SSL VPN Connection Profile** dialog box opens.

        ![A screen capture of the Add Clientless SSL VPN Connection Profile dialog box in the Cisco ASDM client.](_images/xrg1564020991688.bmp)

     3. Enter values for the following parameters:

        * **Name**: Enter the relevant server name.

        * **Authentication Method**: Select `AAA`.

        * **AAA Server Group**: Select the server group that you created in step 1.

     4. In the left pane, go to **Advanced → Clientless SSL VPN**. If the following message appears, click **Yes**.

        ![A screen capture of a "No DNS server defined" warning in the Cisco ASDM client.](_images/jls1564020992388.jpg)

     5. In the **Connection Aliases** section, click **Add**.

        ![A screen capture of the Add Connection Alias dialog box in the Cisco ASDM client.](_images/bte1564020992946.bmp)

     6. In the **Add Connection Alias** dialog box, enter a name in the **Alias** field.

     7. Select the **Enabled** check box. Click **OK**.

     8. In the **Group URLs** area, click **Add**.

     9. In the **Add Group URL** dialog box, enter the server URL in the **URL** field.

        The group URL is the address you provide to the user to sign on to the Cisco VPN, and must have the format `https://<Cisco host name or IP address>/<Alias name>`.

     10. Select the **Enabled** check box, and then click **OK**.

         ### Result:

         The URL is added to the Group URLs list.

         ![A screen capture of the Add Clientless SSL VPN Connection Profile window in the Cisco ASDM client, showing a URL in the Group URLs list.](_images/klt1564020993731.bmp)

     11. Click **OK**.

4. Configure the Network Client Profile to provide enough time for MFA to receive authentication approval.

   If you carried out the steps in the previous section to configure a clientless SSL VPN, and do not plan on using a network client, you can skip the steps in this section.

   1. In the **Remote Access VPN** navigation tree, go to **Network (Client) Access → AnyConnect Client Profile**.

   2. In the **AnyConnect Client Profile** pane, double-click the existing VPN profile.

      ![A screen capture of the AnyConnect Client Profile pane in the Cisco ASDM client.](_images/ddf1564020994556.bmp)

   3. In the **Profile Tree**, select **Preferences (Part 2)**.

      ![A screen capture of the Preferences (Part 2) window in the Cisco ASDM client.](_images/mzu1564020995435.bmp)

      ### Result:

      The **Any Connection Profile Editor – PingID** dialog box opens.

   4. Set the **Authentication Timeout (seconds)** field to `60`. Click **OK**.

      This allows sufficient time for MFA to receive the necessary authentication approval when working with an IPSec client.

   5. In the **AnyConnect Client Profile** pane, click **Apply**.

      ### Result:

      The changes are applied and your configuration is complete.
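
To confirm that steps 1 to 3 took effect, the following added example (not part of the Ping Identity or Cisco documentation) audits an ASA running-config excerpt for the RADIUS timeout, the consecutive accounting port, the server-group link, and the group URL format. It assumes the ASDM fields appear as the running-config lines shown; the group name, profile name, address, and URL are constructed placeholders.

```python
import re

# Constructed sample running-config excerpt; names, address and URL are placeholders.
SAMPLE = """\
aaa-server PINGID protocol radius
aaa-server PINGID (inside) host 192.0.2.10
 timeout 10
 authentication-port 1812
 accounting-port 1813
tunnel-group PingVPN general-attributes
 authentication-server-group PINGID
tunnel-group PingVPN webvpn-attributes
 group-alias pingid enable
 group-url https://vpn.example.com/ping enable
"""

def parse_blocks(config):
    """Map each top-level command to a dict of its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            blocks[current][key] = value
        elif line.strip():
            current = line.strip()
            blocks[current] = {}
    return blocks

def audit(config, group, profile):
    """List deviations from the steps above; a missing sub-command counts as unset."""
    blocks, findings = parse_blocks(config), []
    if f"aaa-server {group} protocol radius" not in blocks:
        findings.append("AAA server group missing or not RADIUS")
    hosts = [o for h, o in blocks.items()
             if re.fullmatch(rf"aaa-server {re.escape(group)} \(\S+\) host \S+", h)]
    for opts in hosts:
        if int(opts.get("timeout", 0)) < 60:
            findings.append("RADIUS timeout below 60 seconds")
        auth = int(opts.get("authentication-port", 0))
        if int(opts.get("accounting-port", 0)) != auth + 1:
            findings.append("accounting port is not authentication port + 1")
    general = blocks.get(f"tunnel-group {profile} general-attributes", {})
    if general.get("authentication-server-group") != group:
        findings.append("connection profile not linked to the server group")
    webvpn = blocks.get(f"tunnel-group {profile} webvpn-attributes", {})
    alias = webvpn.get("group-alias", "").split(" ")[0]
    url = webvpn.get("group-url", "").split(" ")[0]
    if not alias or not re.fullmatch(r"https://[^/\s]+/" + re.escape(alias), url):
        findings.append("group URL is not https://<host>/<alias>")
    return findings
```

On the constructed sample, `audit(SAMPLE, "PINGID", "PingVPN")` reports the 10-second timeout and the group URL whose path does not match the alias.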
