Google Authenticator instead of RSA tokens for VPN access?

I've been asked by management to look into this and see if it is possible.
I've never used Google Authenticator myself but was aware you could use it for secure access to Google Apps and some other third-party sites.

I wasn't aware it could be used instead of VPN to access an enterprise network.
Management got this idea because they are using Google Authenticator for secure access to a third party site for a business service they use.

Their question is if we could use it to authenticate for remote access to our network. This would give them the same access they have now, i.e. to all PCs and servers in the network they need for their work.

I came across this article while looking into this:

#5 is listed as a serious concern. We have many, many servers so I imagine this would be a concern for us as well if true.

Our VPN access is currently managed by a Cisco ASA 5510.

Is this feasible to implement this on an Enterprise network? Where can I find documentation on getting this configured?

Pete Long (Technical Consultant) commented:
Hi, I don't know what's going on with the commenting on this website at the moment?

Anyway - here are my findings, (hot off the presses) hopefully they will save you some stress!

Cisco AnyConnect – With Google Authenticator 2 Factor Authentication


SeeDk (Author) commented:
So after some more research online, I've found that it's technically possible using a combination of FreeRADIUS + Cisco ASA.
I would configure FreeRADIUS to use Google Authenticator and then configure the ASA to use the FreeRADIUS server.

However, this seems to me like a lot of information is left out.
The installation of the FreeRADIUS looks too easy.
So, I just follow these steps...and automatically the server can authenticate requests into the enterprise network?

Maybe I am just not understanding (probably...) how the RADIUS server works.
So I will RTFM: to get a better idea.

In the meantime, I was wondering if someone could confirm this is how it basically works:

1. The FreeRADIUS server is already on the internal network.
2. By logging into the FreeRADIUS server, you are as a result logged into the internal network.
3. Thus, you can access any internal network resources using your network credentials (in our case, mostly Windows with a few Linux).
4. The ASA will be accessible via the internet and, if configured to use the FreeRADIUS server for authentication, will allow steps 1-3 to be done remotely.

One more question for now, since our ASA is currently already configured to be using RSA token authentication with our RSA server:

Would I be able to enable the FreeRADIUS authentication as a secondary authentication 'profile' on the ASA while leaving the current one using RSA untouched?
So that I can test the FreeRADIUS+GoogleAuth access without impacting the RSA token access?

Edit: Forgot to mention we are using Cisco AnyConnect as the VPN client. Would I be able to add the GoogleAuth as a secondary profile on the ASA for AnyConnect while leaving the RSA setup untouched?

Different groups can use different authentication methods.
ACLs to restrict traffic can be applied to each group.

SeeDk (Author) commented:
Hi ArneLovius,

Thanks for the reply, I've kept looking into this and can see better how it can be done.
Now I understand how RADIUS works, that it is only used to process authentication and the ASA would handle the access after receiving confirmation from the RADIUS server.

So, I saw what you mentioned about different groups here as well:

My understanding from this is that I can create a different group but, as you said, they must use different authentication methods.

Ideally, I would have liked to create another 'remote access' group in addition to the current one set with RSA authentication.
Then, I could test the Google Auth 'remote access' group without impacting the RSA 'remote access' group.

But it looks like this is not possible?
I can only set up one 'remote access' group and then other groups must use different protocols (like Telnet)?
Pete Long (Technical Consultant) commented:
I've spent all day getting Google Authenticator to work with FreeRADIUS - most of the online posts are well out of date.
I don't see why you couldn't have both this and RSA - obviously you will require two different tunnel groups and authentication methods. I'll be posting how to get Google Authenticator to work with FreeRADIUS and AnyConnect over the next few days, once I get it written up.
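What "two different tunnel groups and authentication methods" looks like in practice, as an added configuration sketch that is not Pete's write-up or anything posted in the thread. The server name FREERADIUS, the tunnel group GAUTH-VPN, the group policy GAUTH-POLICY, the host 10.0.0.50 and the shared secret are all assumed placeholders; the existing RSA tunnel group is left untouched, which is what lets the two be tested side by side.

```text
! --- FreeRADIUS side (FreeRADIUS 3 layout) ---
! /etc/raddb/users (Debian: /etc/freeradius/3.0/users): hand every request to PAM
DEFAULT Auth-Type := PAM

! /etc/pam.d/radiusd: OTP first, then the account password.
! AnyConnect sends a single password field, so the user types
! <password><6-digit code>; forward_pass makes pam_google_authenticator
! strip the trailing code and hand the remainder to pam_unix.
auth    requisite pam_google_authenticator.so forward_pass
auth    required  pam_unix.so use_first_pass
account required  pam_unix.so

! Also enable the module: ln -s ../mods-available/pam mods-enabled/pam
! and uncomment "pam" in the authenticate {} section of sites-enabled/default.

! --- ASA side: a second tunnel group next to the existing RSA one ---
aaa-server FREERADIUS protocol radius
aaa-server FREERADIUS (inside) host 10.0.0.50
 key <shared-secret>
 timeout 10
!
tunnel-group GAUTH-VPN type remote-access
tunnel-group GAUTH-VPN general-attributes
 authentication-server-group FREERADIUS
 default-group-policy GAUTH-POLICY
tunnel-group GAUTH-VPN webvpn-attributes
 group-alias GoogleAuth enable
!
! Check the RADIUS path from the ASA before touching any client:
test aaa-server authentication FREERADIUS host 10.0.0.50 username alice password <pw+otp>
```

The group alias only appears in the AnyConnect drop-down if `tunnel-group-list enable` is set under `webvpn`; the RSA tunnel group keeps its own `authentication-server-group`, so nothing about the existing path changes until a user deliberately picks the new alias.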

SeeDk (Author) commented:
Thanks Pete, I was able to get some helpful information on the Cisco forums which is saying this is possible.
I will try to make it work myself as well.
Have there been many changes since those articles were written?
SeeDk (Author) commented:
Also, how secure is this compared to RSA tokens? Is it a comparable level of security or would this be less secure?
ArneLovius commented:
Google Authenticator is not as secure as an RSA/Duo/Yubikey, this is because you can also run the Google Authenticator on a desktop computer, which could be the computer with the AnyConnect client.

It is however more secure than just a username and password.
SeeDk (Author) commented:

Thanks for the handy guide. Went through setting up the FreeRADIUS server. Will move on to test on ASA soon. Just one thing missing from your guide: you only mention downloading the Google Authenticator package from, but the PAM module is in a different location.
Both of these need to be downloaded, right?

Doesn't RSA also have a desktop client?

In that respect, security seems to be similar.
However, there is one other aspect I can think of that is less secure and might stop me from adopting it here...assigning the authenticator.

With RSA, I can assign a token and configure it so the user can create their own unique PIN...without any user interaction.

With Google Authenticator, the user needs to log into the server, set their password (PIN equivalent), and then run the 'google-authenticator' command to get their QR code for remote access.
Giving all users access to a critical server doesn't sound secure.
The alternative, having the admin set up the users passwords, isn't a good alternative either. Even like this though, the user would still be able to easily access the server if they are tech-savvy.

Is there a way to roll this out that doesn't involve giving the users server access?
ArneLovius commented:
With RSA, I've always controlled enrolment of tokens, and not allowed "soft tokens"; with Google Authenticator, the user self-enrols.

The Google Authenticator code has to be generated per user, either by an admin and provided to them "securely", or by the user. At the moment the only way of generating the code is via a SSH session, if you do not want to provide each user with SSH access to the Linux server (which I can completely understand), then you have two options, generate the code manually for each of them, or write (or have written) a web front end for the application that generates the code.
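What the per-user "code" Arne describes actually is, and what the server later checks, as an added example that is not from the thread and not the google-authenticator project's own code. The pam_google_authenticator module reads the user's base32 secret from the first line of ~/.google_authenticator; an admin generating that secret elsewhere and installing the file is the "generate the code manually" option above. The verification below is plain RFC 6238 TOTP with Google Authenticator's defaults (SHA-1, 6 digits, 30-second step); the user and issuer names are made up, and the test secret is the RFC 6238 reference key.

```python
"""TOTP enrolment and verification, Google Authenticator defaults.

Added example (not the google-authenticator project's code). Names such as
ExampleVPN and the user alice are illustrative.
"""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

STEP = 30   # seconds per time step
DIGITS = 6  # code length

# RFC 6238 reference secret ("12345678901234567890" in base32), used only for testing.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 10) -> str:
    """Random shared secret, base32-encoded (16 chars for 10 bytes, the common app format)."""
    return base64.b32encode(os.urandom(nbytes)).decode("ascii")


def enrol_uri(secret: str, user: str, issuer: str) -> str:
    """otpauth:// URI; rendering it as a QR code is what the user scans during enrolment."""
    label = quote(f"{issuer}:{user}")
    return f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    if at is None:
        at = int(time.time())
    return hotp(secret_b32, at // STEP)


def verify(secret_b32: str, code: str, at: Optional[int] = None,
           window: int = 1, last_used: int = -1) -> Tuple[bool, int]:
    """Server-side check: accept the current step or +/- window steps to absorb clock
    drift, but never a step at or before the last one accepted (replay protection).
    Returns (ok, step_to_record_as_last_used)."""
    if at is None:
        at = int(time.time())
    counter = at // STEP
    for c in range(counter - window, counter + window + 1):
        if c > last_used and hmac.compare_digest(hotp(secret_b32, c), code):
            return True, c
    return False, last_used


if __name__ == "__main__":
    # Admin-side enrolment: this secret is what goes on line 1 of ~/.google_authenticator.
    secret = generate_secret()
    print("secret:", secret)
    print("QR payload:", enrol_uri(secret, "alice", "ExampleVPN"))
    print("current code:", totp(secret))
```

The drift window and the last-used counter are the two things a hand-rolled front end most often forgets: without the first, a phone a minute off fails constantly, and without the second a shoulder-surfed code stays valid for the whole step.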
SeeDk (Author) commented:
Thanks Arne, that essentially solves this question. I would not want users having SSH access to the server.
A web app, while possible, may be more trouble than it's worth.
And somebody has written a web front end for AD-authenticated user self-enrolment of Google Authenticator to use with FreeRADIUS.

It's not "perfect", but it's a lot easier than getting users to SSH to a Linux box and run a command...
Cornelius Kölbel commented:
I would like to add some more information on privacyIDEA, which was mentioned by @ArneLovius (as I am the core developer of privacyIDEA).
The idea here is not being a web front end but a full featured authentication server with a mighty policy framework and even an event handler framework.

You can connect your servers for privacyIDEA either via the privacyIDEA PAM module or a RADIUS PAM module.
All OTP (Google) tokens are managed in privacyIDEA.
The user can self-enroll the token (or the admin can). The user can even get a simple enrollment wizard.

Kind regards

PS: Of course you are not restricted to using Google Authenticator. You can use any key fob token, SMS, email, Yubikey... ;-)