Secure Cisco ASDM with MFA?


We need to setup our Cisco firewall with MFA. Everything I am reading refers to Cisco AnyConnect, which we do not use. Can Duo be used with to setup ASDM with MFA? Any tips would be appreciated.

Thank you,

Hi @NVLady,

I’m not sure about protecting ASDM. You can protect access to the ASA directly using the Duo RADIUS integration, so long as your ASA is authenticating with an Active Directory or Radius server that is not on the ASA itself. For anyone reading, Cisco Adaptive Security Device Manager (ASDM) lets you manage Adaptive Security Appliance (ASA) firewalls. I made the assumption you are using ASA, just not the AnyConnect client to connect? Please correct me if I’m wrong :slight_smile:

You might want to check out the Cisco community for help, too. I found this thread on how to configure 2FA for ASDM on ASA 5512-X that seems useful here. You can also contact our Duo Support team or the Cisco Support team

Thank you for your response. :slight_smile: We currently use radius authentication with AD/ISE. We have a mandate to use dual factor authentication when logging into the Cisco ASDM to administer the device. Ultimately, we would like to use this for authenticating to all of our other network devices.

We do not use AnyConnect with the device in questions. This would just be for device management.

Thanks again! :slight_smile:

Ok, I consulted with Product Manager @lgreer, so full credit for the answer goes to him :smile:

The ASDM login can be protected with a few different forms of authentication. RADIUS is one of them, so the generic RADIUS documentation with the Duo Authentication Proxy is a solid option. That being said, since you have ISE in the mix, you can add the Duo Auth Proxy to your ISE authentication flow instead, and then any device that uses the ISE as the AAA server will, in turn, have Duo. Based on your latest post, the ISE Duo docs would probably be the best path forward.

You have two options though:

  1. Protect the ASDM directly with the Duo AuthProxy via RADIUS in conjunction with the generic RADIUS docs.
Authenticating Cisco ASDM Connections
Complete the following steps to configure authentication for ASDM administrative connections to the Cisco ASA using ASDM:
Step 1. Log in to ASDM and navigate to Configuration > Device Management > Users/AAA > AAA Access > Authentication.
Step 2. Select HTTP/ASDM under the Require Authentication for the Following Types of Connections section.
Step 3. In this example, the RADIUS server previously configured in the AAA server group (my-radius-group) is used for authentication.
Step 4. If you would like to fall back to the local user database in case the RADIUS server fails, select Use LOCAL when Server Group Fails.
Step 5. Click OK.
Step 6. Click Apply to apply the configuration changes.
Step 7. Click Save to save the configuration in the Cisco ASA. 
  1. Use the Duo Cisco ISE docs and add the option for Duo 2FA on any network device that utilizes ISE as its AAA server.
1 Like

This is wonderful!! Thank you both very much for the time and effort you put in to getting this information for me. I very much appreciate it.

1 Like