

Google Authenticator instead of RSA tokens for VPN access?

Posted on 2016-11-04
Medium Priority
Last Modified: 2016-11-17
I've been asked by management to look into this and see if it is possible.
I've never used Google Authenticator myself but was aware you could use it for secure access to Google Apps and some other third-party sites.

I wasn't aware it could be used instead of VPN to access an enterprise network.
Management got this idea because they are using Google Authenticator for secure access to a third party site for a business service they use.

Their question is if we could use it to authenticate for remote access to our network. This would give them the same access they have now, i.e. to all PCs and servers in the network they need for their work.

I came across this article while looking into this:

#5 is listed as a serious concern. We have many, many servers so I imagine this would be a concern for us as well if true.

Our VPN access is currently managed by a Cisco ASA 5510.

Is it feasible to implement this on an enterprise network? Where can I find documentation on getting this configured?
Question by:SeeDk

Author Comment

ID: 41874558
So after some more research online, I've found that it's technically possible using a combination of FreeRADIUS + Cisco ASA.
I would configure FreeRADIUS to use Google Authenticator and then configure the ASA to use the FreeRADIUS server.

However, this seems to me like a lot of information is left out.
The installation of the FreeRADIUS looks too easy.
So, I just follow these steps...and automatically the server can authenticate requests into the enterprise network?

Maybe I am just not understanding (probably...) how the RADIUS server works.
So I will RTFM to get a better idea.

In the meantime, I was wondering if someone could confirm this is how it basically works:

1. The FreeRADIUS server is already on the internal network.
2. By logging into the FreeRADIUS server, you are as a result logged into the internal network.
3. Thus, you can access any internal network resources using your network credentials (in our case, mostly Windows with a few Linux).
4. The ASA will be accessible via the internet and, if configured to use the FreeRADIUS server for authentication, will allow steps 1 - 3 to be done remotely.

One more question for now, since our ASA is currently already configured to be using RSA token authentication with our RSA server:

Would I be able to enable the FreeRADIUS authentication as a secondary authentication 'profile' on the ASA while leaving the current one using RSA untouched?
So that I can test the FreeRADIUS + Google Auth access without impacting the RSA token access?

Edit: Forgot to mention we are using Cisco AnyConnect as the VPN client. Would I be able to add the Google Auth as a secondary profile on the ASA for AnyConnect while leaving the RSA setup untouched?
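To make the division of labour in steps 1-4 concrete: the RADIUS server never "logs you into the network". The ASA (the NAS in RADIUS terms) sends an Access-Request carrying the username and the OTP as User-Password, the RADIUS server answers Access-Accept or Access-Reject, and the ASA alone decides whether to build the tunnel. The following is an added example written for this thread, not code from FreeRADIUS, Cisco or any poster: a minimal RFC 2865 exchange with both sides in one file. The shared secret, the user table (a stand-in for the PAM/Google Authenticator check) and the identifier 7 are constructed for the demo. It omits the RFC 2869 Message-Authenticator attribute and any transport protection; since the password hiding and the Response Authenticator are both MD5-based, the path between ASA and RADIUS server should itself be protected (e.g. an IPsec tunnel or a dedicated management network).

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18

# Constructed demo data: the NAS<->RADIUS shared secret and the server's
# credential table (in a real deployment this is where PAM/OTP checking happens)
SHARED_SECRET = b"example-radius-secret"
CONSTRUCTED_USERS = {"alice": b"s3cret-123456"}


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs: Type, Length (incl. 2-byte header), Value."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(block, mask)), block
    return out.rstrip(b"\x00")


def nas_build_request(ident, username, password, secret):
    """NAS side (the ASA): Access-Request with the OTP hidden in User-Password."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh random nonce per request
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def radius_server_handle(packet, secret, credential_check):
    """Server side: recover the password, check it, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return None
    username = attrs[USER_NAME].decode("utf-8", "replace")
    password = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    accepted = credential_check(username, password)
    resp_attrs = encode_attrs([(REPLY_MESSAGE, b"Welcome" if accepted else b"Denied")])
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret): proves
    # the verdict came from a holder of the shared secret and matches this request
    resp_auth = hashlib.md5(header + req_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs


def nas_check_response(response, request, secret):
    """The NAS grants the tunnel only for an authentic reply that is an Access-Accept."""
    if response is None or response[1] != request[1]:
        return False  # no reply, or identifier does not match our request
    code, _, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False  # forged reply, or the two ends disagree on the shared secret
    return code == ACCESS_ACCEPT


def check_credentials(username, password):
    expected = CONSTRUCTED_USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


def run_exchange(username, password, nas_secret=SHARED_SECRET, server_secret=SHARED_SECRET):
    """Full round trip; True only when the NAS would admit the user."""
    request = nas_build_request(7, username, password, nas_secret)
    response = radius_server_handle(request, server_secret, check_credentials)
    return nas_check_response(response, request, nas_secret)


if __name__ == "__main__":
    print("valid OTP:      ", run_exchange("alice", b"s3cret-123456"))
    print("wrong OTP:      ", run_exchange("alice", b"000000"))
    print("secret mismatch:", run_exchange("alice", b"s3cret-123456", nas_secret=b"typo"))
```

The third case is the one to watch for when wiring up a new tunnel group: a mistyped shared secret on either side turns every login into a Reject (the server decrypts garbage) and also makes the NAS discard the reply, so the symptom is "authentication always fails" rather than a clear error.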
LVL 37

Expert Comment

ID: 41878060
Different groups can use different authentication methods.
ACLs to restrict traffic can be applied to each group.

Author Comment

ID: 41878851
Hi ArneLovius,

Thanks for the reply, I've kept looking into this and can see better how it can be done.
Now I understand how RADIUS works, that it is only used to process authentication and the ASA would handle the access after receiving confirmation from the RADIUS.

So, I saw what you mentioned about different groups here as well:

My understanding from this is that I can create a different group but, as you said, they must use different authentication methods.

Ideally, I would have liked to create another 'remote access' group in addition to the current one set with RSA authentication.
Then, I could test the Google Auth 'remote access' group without impacting the RSA 'remote access' group.

But it looks like this is not possible?
I can only set up one 'remote access' group and then other groups must use different protocols (like Telnet)?
LVL 57

Expert Comment

by:Pete Long
ID: 41879556
I've spent all day getting Google Authenticator to work with FreeRADIUS - most of the online posts are well out of date.
I don't see why you couldn't have both this and RSA - obviously you will require two different tunnel groups and authentication methods. I'll be posting how to get Google Authenticator to work with FreeRADIUS and AnyConnect over the next few days, once I get it written up.


Author Comment

ID: 41880540
Thanks Pete, I was able to get some helpful information on the Cisco forums which is saying this is possible.
I will try to make it work myself as well.
Have there been many changes since those articles were written?

Author Comment

ID: 41881358
Also, how secure is this compared to RSA tokens? Is it a comparable level of security or would this be less secure?
LVL 57

Accepted Solution

Pete Long earned 1000 total points
ID: 41881703
Hi, I don't know what's going on with the commenting on this website at the moment.

Anyway - here are my findings, (hot off the presses) hopefully they will save you some stress!

Cisco AnyConnect – With Google Authenticator 2 Factor Authentication


LVL 37

Assisted Solution

ArneLovius earned 1000 total points
ID: 41884226
Google Authenticator is not as secure as an RSA/Duo/Yubikey, this is because you can also run the Google Authenticator on a desktop computer, which could be the computer with the AnyConnect client.

It is however more secure than just a username and password.

Author Comment

ID: 41886389

Thanks for the handy guide. Went through setting up the FreeRADIUS server. Will move on to test on the ASA soon. Just one thing missing from your guide: you only mention downloading the Google Authenticator package from but the PAM module is in a different location.
Both of these need to be downloaded, right?

Doesn't RSA also have a desktop client?

In that respect, security seems to be similar.
However, there is one other aspect I can think of that is less secure and might stop me from adopting it here...assigning the authenticator.

With RSA, I can assign a token and configure it so the user can create their own unique PIN...without any user interaction.

With Google Authenticator, the user needs to log into the server, set their password (PIN equivalent), and then run the 'google-authenticator' command to get their QR code for remote access.
Giving all users access to a critical server doesn't sound secure.
The alternative, having the admin set up the users passwords, isn't a good alternative either. Even like this though, the user would still be able to easily access the server if they are tech-savvy.

Is there a way to roll this out that doesn't involve giving the users server access?
LVL 37

Assisted Solution

ArneLovius earned 1000 total points
ID: 41886420
With RSA, I've always controlled enrolment of tokens, and not allowed "soft tokens", with Google Authenticator, the user self enrols

The Google Authenticator code has to be generated per user, either by an admin and provided to them "securely", or by the user. At the moment the only way of generating the code is via a SSH session, if you do not want to provide each user with SSH access to the Linux server (which I can completely understand), then you have two options, generate the code manually for each of them, or write (or have written) a web front end for the application that generates the code.

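The enrolment problem described above (the secret is normally generated by running `google-authenticator` in the user's own SSH session) and the admin-side alternative ("generate the code manually for each of them") both come down to producing a per-user TOTP secret and handing the QR code to the user. The block below is an added example written for this thread, not code from the Google Authenticator project or from Pete Long's guide: it generates the secret and the otpauth URI an admin would turn into a QR code, and shows the server-side check (RFC 6238 TOTP over RFC 4226 HOTP with HMAC-SHA1, a one-step window and reuse blocking). The issuer name, the username and the five scratch codes are constructed; the per-user file layout is modelled from memory on what the google-authenticator CLI writes and should be checked against a file produced by the real tool before relying on it.

```python
import base64
import hashlib
import hmac
import os
import secrets
import struct
import time
from urllib.parse import quote


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1, the algorithm Google Authenticator implements."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the counter floor(unix_time / 30)."""
    now = time.time() if now is None else now
    return hotp(base64.b32decode(secret_b32), int(now // step), digits)


def enroll(username, issuer, secret_b32=None):
    """Admin-side enrolment: secret, otpauth URI (for the QR code) and per-user file text.
    The user never has to log in to the RADIUS box; the admin hands over the QR code."""
    if secret_b32 is None:
        # 160-bit key, the size RFC 4226 recommends; base32 is what authenticator apps expect
        secret_b32 = base64.b32encode(os.urandom(20)).decode()
    scratch = [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(5)]  # constructed scratch codes
    label = quote(f"{issuer}:{username}", safe=":")
    uri = f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}&digits=6&period=30"
    # ASSUMED layout, modelled on the google-authenticator CLI's file: secret on line 1,
    # '" '-prefixed options, then one emergency scratch code per line.
    file_text = "\n".join([secret_b32, '" RATE_LIMIT 3 30', '" WINDOW_SIZE 3',
                           '" DISALLOW_REUSE', '" TOTP_AUTH', *scratch]) + "\n"
    return {"secret": secret_b32, "uri": uri, "file_text": file_text, "scratch_codes": scratch}


class TotpVerifier:
    """Server-side check: +/- window steps of clock drift, each counter value usable once."""

    def __init__(self, secret_b32, window=1, step=30, digits=6):
        self.key = base64.b32decode(secret_b32)
        self.window, self.step, self.digits = window, step, digits
        self.used_counters = set()  # persisted per user in a real deployment

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        centre = int(now // self.step)
        for counter in range(centre - self.window, centre + self.window + 1):
            if counter < 0 or counter in self.used_counters:
                continue  # a code is good once; a replayed code is refused
            if hmac.compare_digest(hotp(self.key, counter, self.digits), code):
                self.used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    e = enroll("alice", "ExampleVPN")
    print(e["uri"])
    print(e["file_text"])
    v = TotpVerifier(e["secret"])
    code = totp(e["secret"])
    print("first use:", v.verify(code), "replay:", v.verify(code))
```

The security consequence is visible in `enroll`: whoever sees the secret line (the admin, the QR code in transit, a backup of the home directory) can generate valid codes indefinitely, which is why the thread's concern about how the secret reaches the user is the right one. The `used_counters` set is what `DISALLOW_REUSE` buys you: without it, a code sniffed in the 30-second window can be replayed.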
Author Comment

ID: 41886455
Thanks Arne, that essentially solves this question. I would not want users having SSH access to the server.
A web app, while possible, may be more trouble than it's worth.
LVL 37

Expert Comment

ID: 41891190
And somebody has written a web front end for AD-authenticated user self-enrolment of Google Authenticator to use with FreeRADIUS.

It's not "perfect", but it's a lot easier than getting users to SSH to a Linux box and run a command...

Expert Comment

by:Cornelius Kölbel
ID: 41891880
I would like to add some more information to privacyIDEA, which was mentioned by @ArneLovius (as I am the core developer of privacyIDEA).
The idea here is not being a web front end but a full featured authentication server with a mighty policy framework and even an event handler framework.

You can connect your servers for privacyIDEA either via the privacyIDEA PAM module or a RADIUS PAM module.
All OTP (Google) tokens are managed in privacyIDEA.
The user can selfenroll the token (or the admin). The user can even get a simple enrollment wizard.

Kind regards

PS: Of course you are not restricted to using Google Authenticator. You can use any key fob token, SMS, email, Yubikey... ;-)
