Skip to main content

Cisco VPN AnyConnect RADIUS integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Remote Authentication Dial-In User Service (RADIUS) is a protocol commonly used to authenticate, authorize, and account for user access and actions.

Arculix by SecureAuth offers a simple solution for adding MFA to Cisco AnyConnect VPN via its RADIUS Agent. This step-by-step guide illustrates how to integrate Cisco AnyConnect VPN on Cisco ASA with Arculix.


  • A previously set up Cisco VPN ASA with a working configuration.

  • Arculix RADIUS Agent that is configured and connected to your user directory. For example, Microsoft Active Directory (AD).

    For more information, see the Arculix RADIUS Agent deployment guide.

  • User account with administrative privileges for the Cisco ASA device.

Arculix RADIUS Agent configuration

To integrate Arculix with your Cisco ASA, you will need to install an Arculix RADIUS Agent on a machine within your network. This server will receive RADIUS requests from your Cisco ASA, check with the LDAP server to perform primary authentication, and then contact Arculix cloud service for secondary authentication.

Follow these steps to configure the Arculix RADIUS Agent.

  1. Log in to the Arculix RADIUS Agent as an administrator.

  2. Open the radius-agent-config.env file with an editor.

    The file is located in the installed directory of RADIUS Agent. RADIUS clients are configured in this setting.

    Acceptto RADIUS agent
  3. At the end of the radius-agent-config.env file, set the following configuration for the ARA_CLIENTS attribute:


    The values should be separated by semicolons (;).

    ARA_CLIENTS = <An optional name for your CiscoASA>; <Internal IP address of your CiscoASA>; <a shared secret>

    For example, set:

    ARA_CLIENTS = Cisco;;testing12345
    ARA_CLIENTS configuration
  4. Save the file.

  5. Run the following command to apply the changes:

    docker-compose down && docker-compose up -d

Cisco ASA configuration for AnyConnect VPN and RADIUS

In this section, you'll configure Cisco AnyConnect as a service provider (SP).

  1. Log in to the Cisco ASA administration interface with an administrative user account.

  2. Go to the AAA Server Groups.

  3. Click Add to add a server group.

  4. In the Add AAA Server Group section, set the following:

    AAA Server Group

    Set to a unique name.

    For example, Arculix2.


    Set to RADIUS.

  5. Click OK.

Server Group configuration

  1. Click the AAA Server Group created in the Cisco ASA configuration for AnyConnect VPN and RADIUS section.

    For example, Arculix2.

  2. In the Add AAA Server section, set the following:

    Interface Name

    Set to Management.

    Server Name or IP Address

    Enter the IP Address of Your Arculix RADIUS Agent.


    Enter a value in seconds.

    The recommended value is 90 seconds.

    Server Authentication Port

    Set to 1812.

    Server Accounting Port

    Set to 1813.

    Retry Interval

    Set to 10 seconds.

    Server Secret Key

    Enter the same Shared Secret set in the Arculix RADIUS Agent.

    Microsoft CHAPv2 Capable

    Select the check box to enable.

  3. Click OK.

  4. To verify connectivity to the Arculix RADIUS Agent, select the AAA server and click Test.

  5. The Test AAA Server dialog appears. Select Authentication.

  6. Enter the user population that is going to be authenticated via RADIUS.

  7. A message will be sent to the Arculix Mobile app of the user for approval. Then, a pop-up window informs you if the test was successful or failed.


Set the SSL VPN Authentication Method to Arculix RADIUS

  1. Go to the Network (Client) Access section and select AnyConnect Connection Profiles.

  2. Click the connection profile that you want to add MFA authentication to.

    For example, TunnelGroup2.

  3. Click Edit.

  4. Click Basic and in the Authentication > AAA Server Group section, select the AAA Server Group created in the Cisco ASA configuration for AnyConnect VPN and RADIUS section.

    For example, Arculix2.

  5. Clear the Use LOCAL if Server Group fails check box.

  6. Click OK, then click Apply.

  7. Click Save to write all changes to the ASA device memory.


    Set the following setting If you want to give the user enough time to approve push notification:

    1. In the Configuration section, select Remote Access VPN.

    2. Click Network (Client) Access and go to AnyConnect Client Profile.

    3. Click Edit.

    4. In the Preferences (Part2) section, find Authentication Timeout (seconds) and set to 60.

    5. Click OK , then click Apply to activate settings.


Test your application integration

  1. Enter your VPN Server address on Cisco AnyConnect Client and click Connect.

  2. Enter your username and password.

  3. You will receive a push notification on your Arculix Mobile application to authorize access to your VPN.



If you have questions or need assistance, contact SecureAuth Support.


Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.


All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.

Cisco are either registered trademarks or trademarks of Cisco, Inc. and/or one or more of its subsidiaries in the United States and/or other countries.

Microsoft and Active Directory are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.