Google Authenticator instead of RSA tokens for VPN access?

Posted on 2016-11-04
Last Modified: 2016-11-17
I've been asked by management to look into this and see if it is possible.
I've never used Google Authenticator myself but was aware you could use it for secure access to google apps and some other third party sites.

I wasn't aware it could be used instead of VPN to access an enterprise network.
Management got this idea because they are using Google Authenticator for secure access to a third party site for a business service they use.

Their question is if we could use it to authenticate for remote access to our network. This would give them the same access they have now, i.e. to all PCs and servers in the network they need for their work.

I came across this article while looking into this:

#5 is listed as a serious concern. We have many, many servers so I imagine this would be a concern for us as well if true.

Our VPN access is currently managed by a Cisco ASA 5510.

Is it feasible to implement this on an enterprise network? Where can I find documentation on getting this configured?
Question by:SeeDk

Author Comment

ID: 41874558
So after some more research online, I've found that it's technically possible using a combination of FreeRADIUS + Cisco ASA.
I would configure FreeRADIUS to use Google Authenticator and then configure the ASA to use the FreeRADIUS server.

However, this seems to me like a lot of information is left out.
The installation of the FreeRADIUS looks too easy.
So, I just follow these steps...and automatically the server can authenticate requests into the enterprise network?

Maybe I am just not understanding (probably...) how the RADIUS server works.
So I will RTFM: to get a better idea.

In the meantime, I was wondering if someone could confirm this is how it basically works:

1. The FreeRADIUS server is already on the internal network.
2. By logging into the FreeRADIUS server, you are as a result logged into the internal network.
3. Thus, you can access any internal network resources using your network credentials (in our case, mostly Windows with a few Linux).
4. The ASA will be accessible via the internet and, if configured to use the FreeRADIUS server for authentication, will allow steps 1 - 3 to be done remotely.

One more question for now, since our ASA is currently already configured to be using RSA token authentication with our RSA server:

Would I be able to enable the FreeRADIUS authentication as a secondary authentication 'profile' on the ASA while leaving the current one using RSA untouched?
So that I can test the FreeRADIUS + Google Auth access without impacting the RSA token access?

Edit: Forgot to mention we are using Cisco AnyConnect as the VPN client. Would I be able to add the Google Auth as a secondary profile on the ASA for AnyConnect while leaving the RSA setup untouched?
LVL 37

Expert Comment

ID: 41878060
Different groups can use different authentication methods.
ACLs to restrict traffic can be applied to each group.

Author Comment

ID: 41878851
Hi ArneLovius,

Thanks for the reply, I've kept looking into this and can see better how it can be done.
Now I understand how RADIUS works, that it is only used to process authentication and the ASA would handle the access after receiving confirmation from the RADIUS.

So, I saw what you mentioned about different groups here as well:

My understanding from this is that I can create a different group but, as you said, they must use different authentication methods.

Ideally, I would have liked to create another 'remote access' group in addition to the current one set with RSA authentication.
Then, I could test the Google Auth 'remote access' group without impacting the RSA 'remote access' group.

But it looks like this is not possible?
I can only set up one 'remote access' group and then other groups must use different protocols (like Telnet)?

LVL 57

Expert Comment

by:Pete Long
ID: 41879556
I've spent all day getting Google Authenticator to work with FreeRADIUS - most of the online posts are well out of date.
I don't see why you couldn't have both this and RSA - obviously you will require two different tunnel groups and authentication methods. I'll be posting how to get Google Authenticator to work with FreeRADIUS and AnyConnect over the next few days, once I get it written up.

Author Comment

ID: 41880540
Thanks Pete, I was able to get some helpful information on the Cisco forums which is saying this is possible.
I will try to make it work myself as well.
Have there been many changes since those articles were written?

Author Comment

ID: 41881358
Also, how secure is this compared to RSA tokens? Is it a comparable level of security or would this be less secure?
LVL 57

Accepted Solution

Pete Long earned 250 total points
ID: 41881703
Hi, I don't know what's going on with the commenting on this website at the moment?

Anyway - here are my findings, (hot off the presses) hopefully they will save you some stress!

Cisco AnyConnect – With Google Authenticator 2 Factor Authentication


LVL 37

Assisted Solution

ArneLovius earned 250 total points
ID: 41884226
Google Authenticator is not as secure as an RSA/Duo/Yubikey; this is because you can also run the Google Authenticator on a desktop computer, which could be the computer with the AnyConnect client.

It is however more secure than just a username and password.

Author Comment

ID: 41886389

Thanks for the handy guide. Went through setting up the FreeRADIUS server. Will move on to test on ASA soon. Just one thing missing from your guide: you only mention downloading the Google Authenticator package from but the PAM module is in a different location.
Both of these need to be downloaded, right?

Doesn't RSA also have a desktop client?

In that respect, security seems to be similar.
However, there is one other aspect I can think of that is less secure and might stop me from adopting it here...assigning the authenticator.

With RSA, I can assign a token and configure it so the user can create their own unique PIN...without any user interaction.

With Google Authenticator, the user needs to log into the server, set their password (PIN equivalent), and then run the 'google-authenticator' command to get their QR code for remote access.
Giving all users access to a critical server doesn't sound secure.
The alternative, having the admin set up the users passwords, isn't a good alternative either. Even like this though, the user would still be able to easily access the server if they are tech-savvy.

Is there a way to roll this out that doesn't involve giving the users server access?
LVL 37

Assisted Solution

ArneLovius earned 250 total points
ID: 41886420
With RSA, I've always controlled enrolment of tokens, and not allowed "soft tokens"; with Google Authenticator, the user self enrols.

The Google Authenticator code has to be generated per user, either by an admin and provided to them "securely", or by the user. At the moment the only way of generating the code is via a SSH session, if you do not want to provide each user with SSH access to the Linux server (which I can completely understand), then you have two options, generate the code manually for each of them, or write (or have written) a web front end for the application that generates the code.
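The per-user "code" discussed above is a shared TOTP secret (RFC 6238: HMAC-SHA1, 30-second steps, 6 digits), which is what the QR code and the google-authenticator command hand out; the following is an added illustration, not code from this thread, of how the secret is generated, what the enrolment QR code encodes, and how a RADIUS/PAM side verifies a code with clock-skew tolerance and reuse rejection (the issuer name "ExampleVPN" is a placeholder):

```python
"""TOTP as used by Google Authenticator: HMAC-SHA1, 30 s time step, 6 digits."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Set
from urllib.parse import quote

STEP = 30
DIGITS = 6

def new_secret(nbytes: int = 10) -> str:
    """Random 80-bit shared secret, base32-encoded as the app expects (16 chars, no padding)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")

def otpauth_uri(secret: str, user: str, issuer: str = "ExampleVPN") -> str:
    """The string an enrolment QR code encodes; issuer 'ExampleVPN' is a placeholder."""
    return f"otpauth://totp/{quote(issuer)}:{quote(user)}?secret={secret}&issuer={quote(issuer)}"

def totp(secret: str, at: int) -> str:
    """Code for the 30 s step containing Unix time 'at' (RFC 4226 dynamic truncation)."""
    key = base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify(secret: str, code: str, used: Set[int], at: Optional[int] = None, window: int = 1) -> bool:
    """Accept the current step or +/- 'window' steps (clock skew) and refuse a counter
    that was already accepted, the same idea as the PAM module's reuse check."""
    now = int(time.time()) if at is None else at
    for delta in range(-window, window + 1):
        t = now + delta * STEP
        if hmac.compare_digest(totp(secret, t), code):
            step = t // STEP
            if step in used:
                return False        # replay of a code already consumed
            used.add(step)
            return True
    return False
```

The `used` set stands in for the per-user state the PAM module keeps on disk; in a real deployment it must be persisted and shared by every RADIUS server that can validate the same user.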

Author Comment

ID: 41886455
Thanks Arne, that essentially solves this question. I would not want users having SSH access to the server.
A web app, while possible, may be more trouble than it's worth.
LVL 37

Expert Comment

ID: 41891190
And somebody has written a web front end for AD authenticated user self enrolment of Google Authenticator to use with FreeRADIUS

It's not "perfect", but it's a lot easier than getting users to SSH to a Linux box and run a command...

Expert Comment

by:Cornelius Kölbel
ID: 41891880
I would like to add some more information to privacyIDEA, which was mentioned by @ArneLovius. (As I am the core developer of privacyIDEA.)
The idea here is not being a web front end but a full featured authentication server with a mighty policy framework and even an event handler framework.

You can connect your servers for privacyIDEA either via the privacyIDEA PAM module or a RADIUS PAM module.
All OTP (Google) tokens are managed in privacyIDEA.
The user can self-enroll the token (or the admin). The user can even get a simple enrollment wizard.

Kind regards

PS: Of course you are not restricted to using Google Authenticator. You can use any key fob token, SMS, email, Yubikey... ;-)
