{"id":16862,"date":"2026-05-26T11:37:53","date_gmt":"2026-05-26T11:37:53","guid":{"rendered":"https:\/\/www.protectimus.com\/?page_id=16862"},"modified":"2026-06-03T16:51:05","modified_gmt":"2026-06-03T16:51:05","slug":"mfa-for-cisco-anyconnect","status":"publish","type":"page","link":"https:\/\/www.protectimus.com\/uk\/mfa-for-cisco-anyconnect\/","title":{"rendered":"MFA for Cisco AnyConnect"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"16862\" class=\"elementor elementor-16862\" data-elementor-post-type=\"page\">\n\t\t\t\t<div class=\"elementor-element elementor-element-223acb9 padded e-flex e-con-boxed e-con e-parent\" data-id=\"223acb9\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e4740cc elementor-widget elementor-widget-heading\" data-id=\"e4740cc\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">MFA for Cisco AnyConnect: Complete Guide to Securing VPN Access 2026<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b4a66c0 e-con-full e-flex e-con e-child\" data-id=\"b4a66c0\" data-element_type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-0870f66 e-con-full e-flex e-con e-child\" data-id=\"0870f66\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e128a97 elementor-widget elementor-widget-text-editor\" data-id=\"e128a97\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Cisco AnyConnect handles remote access for millions of enterprise users \u2014 and it has no native second-factor enforcement. 
The client passes credentials to whatever authentication backend the ASA or Firepower device is configured to use. If that backend validates only a username and password, the VPN session opens on a stolen credential just as readily as on a legitimate one.<\/span><\/p><p><span style=\"font-weight: 400;\">According to the <\/span><a target=\"_blank\" href=\"https:\/\/www.verizon.com\/business\/resources\/reports\/dbir\/\"><span style=\"font-weight: 400;\">Verizon 2026 Data Breach Investigations Report<\/span><\/a><span style=\"font-weight: 400;\"> and multiple <\/span><a target=\"_blank\" href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\"><span style=\"font-weight: 400;\">CISA ransomware advisories<\/span><\/a><span style=\"font-weight: 400;\">, VPN compromise remains one of the primary ransomware initial access vectors observed across 2024\u20132026 campaigns, including operations linked to Akira, LockBit, and Black Basta. The attack path is rarely sophisticated: harvest credentials through phishing or infostealers, identify the AnyConnect gateway, authenticate, and establish persistence. The only reliable barrier is a second authentication factor that cannot be reused alongside stolen credentials.<\/span><\/p><p><span style=\"font-weight: 400;\">This guide explains how to implement <\/span><b>MFA for Cisco AnyConnect<\/b><span style=\"font-weight: 400;\"> using RADIUS-based authentication, what authentication methods are available, how deployment works in both cloud and on-premise environments, and which compliance frameworks the architecture supports.<\/span><\/p><p><b>Quick Answer: <\/b><b>Cisco AnyConnect MFA<\/b><span style=\"font-weight: 400;\"> is implemented by configuring the ASA or Firepower device to forward authentication requests to a RADIUS server. 
The Protectimus RADIUS Server sits between the ASA and the Protectimus authentication platform: it receives the request on UDP port 1812, validates the primary credential against your directory, and verifies the OTP with the Protectimus platform before returning Access-Accept or Access-Reject to the ASA. Users authenticate using the Protectimus SMART OTP app, a hardware token, or OTP delivery via chatbot \u2014 typically by entering the OTP in a secondary challenge prompt.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-42bfc14 e-con-full e-flex e-con e-child\" data-id=\"42bfc14\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-6818e9e elementor-widget elementor-widget-heading\" data-id=\"6818e9e\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title 
elementor-size-default\">Table of Contents<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-282e74f elementor-widget elementor-widget-text-editor\" data-id=\"282e74f\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ol><li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"#why-mfa\">Why Cisco AnyConnect Needs MFA in 2026<\/a><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"#how-it-works\"><span style=\"font-weight: 400;\">How MFA for Cisco AnyConnect Works<\/span><\/a><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"#mfa-methods\"><span style=\"font-weight: 400;\">Supported MFA Methods<\/span><\/a><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"#setup\">Step-by-Step Setup Guide<\/a><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"#deployment\">Deployment Options: Cloud vs On-Premise<\/a><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"#comparison\">Protectimus vs Cisco Duo for AnyConnect<\/a><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"#compliance\">Compliance and Use Cases<\/a><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"#troubleshooting\">Troubleshooting Common Issues<\/a><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"#faq\"><span style=\"font-weight: 400;\">FAQ<\/span><\/a><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><a href=\"#conclusion\">Conclusion<\/a><\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-cdef92e padded e-flex e-con-boxed e-con e-parent\" data-id=\"cdef92e\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-56c84d1 elementor-widget 
elementor-widget-heading\" data-id=\"56c84d1\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Key facts\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bff780b elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"bff780b\" data-element_type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d391a8f e-grid e-con-boxed e-con e-child\" data-id=\"d391a8f\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-64a96a2 border-left e-flex e-con-boxed e-con e-child\" data-id=\"64a96a2\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4dfef98 elementor-widget elementor-widget-heading\" data-id=\"4dfef98\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">99.9% of attacks blocked by MFA<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0cc1bea elementor-widget elementor-widget-heading\" data-id=\"0cc1bea\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Microsoft<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f5e29e2 elementor-widget 
elementor-widget-text-editor\" data-id=\"f5e29e2\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Microsoft reports that MFA blocks over 99.9% of account compromise attacks \u2014 the single highest-impact control against credential-based intrusions (<\/span><a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/corporate-responsibility\/cybersecurity\/microsoft-digital-defense-report-2025\/\"><span style=\"font-weight: 400;\">Microsoft Digital Defense Report<\/span><\/a><span style=\"font-weight: 400;\">)<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f5947b8 border-left e-flex e-con-boxed e-con e-child\" data-id=\"f5947b8\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-fa74c1f elementor-hidden-desktop elementor-hidden-tablet elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"fa74c1f\" data-element_type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-47e43b7 elementor-widget elementor-widget-heading\" data-id=\"47e43b7\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">$4.4M average breach cost in 2026<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-fb629a4 elementor-widget elementor-widget-heading\" data-id=\"fb629a4\" 
data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">IBM<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8085769 elementor-widget elementor-widget-text-editor\" data-id=\"8085769\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">The global average cost of a data breach reached $4.44 million in 2025, while US organizations hit an all-time high of $10.22 million (<\/span><a target=\"_blank\" href=\"https:\/\/www.ibm.com\/reports\/data-breach\"><span style=\"font-weight: 400;\">IBM Cost of a Data Breach Report 2025<\/span><\/a><span style=\"font-weight: 400;\">)<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c6c866e elementor-hidden-desktop elementor-hidden-tablet elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"c6c866e\" data-element_type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-5c0d1fa border-left e-flex e-con-boxed e-con e-child\" data-id=\"5c0d1fa\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d45db87 elementor-widget elementor-widget-heading\" data-id=\"d45db87\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title 
elementor-size-default\">87% of ransomware claims start at remote access<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-344d455 elementor-widget elementor-widget-heading\" data-id=\"344d455\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Coalition<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3a4d317 elementor-widget elementor-widget-text-editor\" data-id=\"3a4d317\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Coalition&#8217;s Cyber Claims Report found remote access services served as the entry point for 87% of ransomware claims, with VPN compromises alone responsible for 73% of intrusions where an entry vector was identified.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-0ae1e9a padded e-flex e-con-boxed e-con e-parent\" data-id=\"0ae1e9a\" data-element_type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e899921 elementor-widget elementor-widget-heading\" data-id=\"e899921\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Key Takeaways<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-86d1b8b elementor-widget elementor-widget-spacer\" data-id=\"86d1b8b\" data-element_type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div 
class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-9d5e935 e-grid e-con-full e-con e-child\" data-id=\"9d5e935\" data-element_type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-12e9470 e-con-full e-flex e-con e-child\" data-id=\"12e9470\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8644d62 elementor-widget elementor-widget-image\" data-id=\"8644d62\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"57\" height=\"56\" src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2026\/05\/plat_new.svg\" class=\"attachment-full size-full wp-image-16521\" alt=\"On-premise MFA platform icon\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-317cba7 elementor-widget elementor-widget-heading\" data-id=\"317cba7\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">RADIUS-Based Integration<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d96a026 elementor-widget elementor-widget-text-editor\" data-id=\"d96a026\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Cisco AnyConnect has no native MFA \u2014 second-factor enforcement requires a RADIUS server handling authentication on behalf of the ASA or Firepower device<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-68b5ae8 e-con-full e-flex e-con 
e-child\" data-id=\"68b5ae8\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8b57400 elementor-widget elementor-widget-image\" data-id=\"8b57400\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"56\" height=\"56\" src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2024\/03\/icon-shield-56.svg\" class=\"attachment-full size-full wp-image-5812\" alt=\"On-Prem MFA Platform icon\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-767e2aa elementor-widget elementor-widget-heading\" data-id=\"767e2aa\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Zero Client-Side Changes<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d73153e elementor-widget elementor-widget-text-editor\" data-id=\"d73153e\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Protectimus RADIUS Server proxies authentication requests between the ASA (UDP 1812) and the Protectimus platform \u2014 no changes to the AnyConnect client or VPN tunnel configuration required<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-9d3b5b8 e-con-full e-flex e-con e-child\" data-id=\"9d3b5b8\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-89d54f8 elementor-widget elementor-widget-image\" data-id=\"89d54f8\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"56\" height=\"56\" src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2024\/02\/icon-srv.svg\" class=\"attachment-full size-full wp-image-5733\" alt=\"Protectimus Windows &amp; RDP MFA integration icon\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f7f585d elementor-widget elementor-widget-heading\" data-id=\"f7f585d\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">6 Second-Factor Methods<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-aff0db8 elementor-widget elementor-widget-text-editor\" data-id=\"aff0db8\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Supported second factors: TOTP app (Protectimus SMART), hardware tokens (Slim NFC, TWO, FLEX, SHARK), chatbot OTP via Telegram\/Viber\/Facebook, SMS, email<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-9ddacc7 e-con-full e-flex e-con e-child\" data-id=\"9ddacc7\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-82d1654 elementor-widget elementor-widget-image\" data-id=\"82d1654\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"56\" height=\"40\" src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2024\/03\/icon-cloud-56.svg\" class=\"attachment-full size-full wp-image-5811\" alt=\"Cloud-Based MFA Service icon\" 
\/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-eb78c60 elementor-widget elementor-widget-heading\" data-id=\"eb78c60\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Cloud or Fully On-Premise<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ee318b2 elementor-widget elementor-widget-text-editor\" data-id=\"ee318b2\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Both cloud (SaaS) and fully on-premise deployment are available \u2014 on-premise requires no external connectivity and supports air-gapped environments<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-cb9fab9 e-con-full e-flex e-con e-child\" data-id=\"cb9fab9\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-1b3c387 elementor-widget elementor-widget-image\" data-id=\"1b3c387\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"64\" height=\"64\" src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2024\/07\/clock.svg\" class=\"attachment-full size-full wp-image-10665\" alt=\"Time-Controlled Resource Access icon\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-84c6048 elementor-widget elementor-widget-heading\" data-id=\"84c6048\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 
class=\"elementor-heading-title elementor-size-default\">Granular Group-Based Rollout<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1abcc56 elementor-widget elementor-widget-text-editor\" data-id=\"1abcc56\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">MFA can be scoped to specific connection profiles or user groups via AAA server group assignment and RADIUS filter attributes<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-7c15682 e-con-full e-flex e-con e-child\" data-id=\"7c15682\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ffb514c elementor-widget elementor-widget-image\" data-id=\"ffb514c\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"64\" height=\"64\" src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2024\/07\/clock.svg\" class=\"attachment-full size-full wp-image-10665\" alt=\"Time-Controlled Resource Access icon\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3382fca elementor-widget elementor-widget-heading\" data-id=\"3382fca\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Audit-Ready Compliance<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-785b26a elementor-widget elementor-widget-text-editor\" data-id=\"785b26a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Implementation helps organizations meet MFA requirements in PCI DSS v4.0, HIPAA, NIST SP 800-63B, SOC 2, and ISO 27001<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-30a9584 elementor-widget elementor-widget-spacer\" data-id=\"30a9584\" data-element_type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-5b50e5c padded e-flex e-con-boxed e-con e-parent\" data-id=\"5b50e5c\" data-element_type=\"container\" id=\"why-mfa\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-28b1e56 e-con-full e-flex e-con e-child\" data-id=\"28b1e56\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-a6f90e4 elementor-widget elementor-widget-heading\" data-id=\"a6f90e4\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Why Cisco AnyConnect Needs MFA in 2026<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9d2498b elementor-widget elementor-widget-text-editor\" data-id=\"9d2498b\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><b>Password-only AnyConnect authentication is a documented ransomware initial access vector \u2014 stolen VPN credentials are actively traded and exploited at scale.<\/b><\/p><p><span style=\"font-weight: 400;\">The credential 
theft pipeline for VPN access is industrialized. Infostealer malware \u2014 RedLine, Lumma, Vidar, and similar \u2014 specifically targets browser-saved credentials and VPN client configuration files. Harvested credentials are packaged with the associated VPN gateway hostname and sold within hours of collection. An attacker purchasing a credential log from a compromised endpoint in your organization already has the AnyConnect server address, the username, and the password. <\/span><b>Two-factor authentication for Cisco AnyConnect<\/b><span style=\"font-weight: 400;\"> is the only control that makes those credentials unusable.<\/span><\/p><p><span style=\"font-weight: 400;\">Coalition&#8217;s Cyber Claims Report found that remote access services served as the entry point for 87% of ransomware claims, with VPN compromises alone responsible for 73% of ransomware intrusions where an entry vector was identified \u2014 up from 38% in 2023 and 66% in 2024. The increase is not incidental. Ransomware operators have shifted toward identity-based initial access precisely because it generates less noise than vulnerability exploitation and scales more efficiently with automated tooling.\u00a0<\/span><\/p><h3><span style=\"font-weight: 400;\">The specific attack patterns targeting AnyConnect environments:<\/span><\/h3><p><b>Credential stuffing.<\/b><span style=\"font-weight: 400;\"> Verizon&#8217;s analysis of SSO provider logs found that credential stuffing accounted for 19% of all authentication attempts on a median daily basis. The same pattern applies to VPN gateways. Attacks run at low velocity to avoid lockout triggers, testing breach-compiled credential lists against the AnyConnect endpoint continuously.<\/span><\/p><p><b>Brute force.<\/b><span style=\"font-weight: 400;\"> Cisco ASA and Firepower gateways with weak or default account lockout policies are continuously scanned. 
CISA has issued multiple advisories specifically addressing credential stuffing campaigns by state-sponsored threat actors against Cisco ASA VPN infrastructure.<\/span><\/p><p><b>AiTM session token theft.<\/b><span style=\"font-weight: 400;\"> For deployments using push-based MFA, Tycoon2FA and similar adversary-in-the-middle toolkits capture session tokens in real time during authentication. TOTP-based codes that expire every 30 seconds are significantly more resistant because the replay window is extremely limited \u2014 a captured TOTP becomes worthless before it can be replayed.<\/span><\/p><p><b>Infostealer harvest.<\/b><span style=\"font-weight: 400;\"> A single compromised endpoint can exfiltrate saved VPN credentials, Cisco AnyConnect profile XML files, and \u2014 for push-based MFA implementations \u2014 session cookies valid for hours or days. TOTP-based <\/span><b>Cisco AnyConnect 2FA<\/b><span style=\"font-weight: 400;\"> limits the window of exposure to the token&#8217;s time step.<\/span><\/p><p><span style=\"font-weight: 400;\">None of these attack patterns require the attacker to break encryption, exploit a software vulnerability, or spend significant resources. They require only a valid credential. 
Enforcing <\/span><b>MFA for Cisco AnyConnect<\/b><span style=\"font-weight: 400;\"> removes static credentials as a viable attack primitive.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d57877c padded e-flex e-con-boxed e-con e-parent\" data-id=\"d57877c\" data-element_type=\"container\" id=\"how-it-works\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-1698709 e-con-full e-flex e-con e-child\" data-id=\"1698709\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-88c2197 elementor-widget elementor-widget-heading\" data-id=\"88c2197\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">How MFA for Cisco AnyConnect Works<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-83f93dd elementor-widget elementor-widget-text-editor\" data-id=\"83f93dd\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><b>Cisco AnyConnect MFA operates through the RADIUS protocol \u2014 the ASA or Firepower device forwards authentication requests to an external RADIUS server that handles second-factor verification.<\/b><\/p><p><span style=\"font-weight: 400;\">Cisco ASA and Firepower do not natively support TOTP, HOTP, or push authentication. Their AAA framework is built on RADIUS and LDAP. 
Adding <\/span><b>AnyConnect RADIUS MFA<\/b><span style=\"font-weight: 400;\"> means deploying an intermediary RADIUS server that accepts requests from the ASA, performs both primary credential validation and OTP verification, and returns a standard RADIUS Access-Accept or Access-Reject response.<\/span><\/p><h3><b>Authentication flow:<\/b><\/h3><ol><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">User opens Cisco AnyConnect and enters credentials (username + password)<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ASA or Firepower forwards the authentication request to the <\/span><a href=\"https:\/\/www.protectimus.com\/uk\/radius\/\"><span style=\"font-weight: 400;\">Protectimus RADIUS Server<\/span><\/a><span style=\"font-weight: 400;\"> on UDP port 1812<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">RADIUS Server forwards the primary credential to the configured directory (Active Directory, LDAP, or local store) for first-factor validation<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">If the primary credential passes, RADIUS Server requests the second authentication factor and, once it is received, forwards the OTP to the Protectimus authentication platform for second-factor validation<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Protectimus platform validates the OTP against the user&#8217;s enrolled token and returns pass\/fail<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">RADIUS Server sends Access-Accept or Access-Reject to the ASA<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">ASA grants or denies the VPN tunnel<\/span><\/li><\/ol><h3><b>Credential entry formats:<\/b><\/h3><p><i><span style=\"font-weight: 400;\">Challenge-response 
format:<\/span><\/i><span style=\"font-weight: 400;\"> The primary password is validated first, then a RADIUS Access-Challenge requests the OTP in a secondary input field. This provides a cleaner user experience and is commonly used in modern AnyConnect MFA deployments, including Protectimus integrations, but requires challenge-response support to be enabled on the ASA connection profile.<\/span><\/p><p><i><span style=\"font-weight: 400;\">Combined format:<\/span><\/i><span style=\"font-weight: 400;\"> Some RADIUS deployments support combined authentication, where the user enters <\/span><span style=\"font-weight: 400;\">[password][OTP]<\/span><span style=\"font-weight: 400;\"> as a single credential \u2014 for example, <\/span><span style=\"font-weight: 400;\">P@ssw0rd!459812<\/span><span style=\"font-weight: 400;\">. The RADIUS Server strips the trailing 6 digits as the OTP. No secondary prompt appears in the AnyConnect client. This is the simpler configuration and works with all AnyConnect versions.<\/span><\/p><h3><b>Cisco Firepower (FTD) compatibility:<\/b><\/h3><p><span style=\"font-weight: 400;\">The RADIUS integration applies equally to Firepower Threat Defense managing AnyConnect remote access VPN. Configuration path in Firepower Management Center: Remote Access VPN \u2192 Connection Profiles \u2192 AAA \u2192 RADIUS Server Group. Port and shared secret configuration is identical to that on the ASA.<\/span><\/p><h3><b>Cisco ISE:<\/b><\/h3><p><span style=\"font-weight: 400;\">For organizations using Cisco ISE as their AAA infrastructure, Protectimus integrates via standard RADIUS proxy. 
ISE forwards authentication requests to the Protectimus RADIUS Server, which handles OTP verification and returns the result to ISE for policy evaluation.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-86abc7e padded e-flex e-con-boxed e-con e-parent\" data-id=\"86abc7e\" data-element_type=\"container\" id=\"mfa-methods\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-f0f2e30 e-con-full e-flex e-con e-child\" data-id=\"f0f2e30\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-684bcff elementor-widget elementor-widget-heading\" data-id=\"684bcff\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Supported MFA Methods<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4b52e3d elementor-widget elementor-widget-text-editor\" data-id=\"4b52e3d\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><b>Protectimus supports six second-factor delivery methods for Cisco AnyConnect, covering TOTP app, hardware tokens, chatbot OTP, SMS, email, and push notifications \u2014 each with different security and operational characteristics.<\/b><\/p><h3><b>Protectimus SMART OTP App<\/b><\/h3><p><span style=\"font-weight: 400;\">The <\/span><a href=\"https:\/\/www.protectimus.com\/uk\/smart\/\"><span style=\"font-weight: 400;\">Protectimus SMART OTP app<\/span><\/a><span style=\"font-weight: 400;\"> generates OATH TOTP codes on Android and iOS. 
Key enterprise features: cloud backup for self-service token recovery after device loss, PIN and biometric protection at the app level, and configurable time steps (30, 60, 90 seconds and multiples up to 3000 seconds). The cloud backup feature reduces help desk load during device replacement \u2014 users restore their own tokens without administrator involvement.<\/span><\/p><h3><b>Hardware OTP Tokens<\/b><\/h3><p><span style=\"font-weight: 400;\">For environments where mobile devices are not permitted \u2014 secure facilities, manufacturing floors, air-gapped networks, or organizations with strict BYOD restrictions \u2014 Protectimus offers four<\/span> <a href=\"https:\/\/www.protectimus.com\/uk\/tokens\/\"><span style=\"font-weight: 400;\">hardware token<\/span><\/a><span style=\"font-weight: 400;\"> models:<\/span><\/p><div class=\"table\"><table><tbody><tr><td><b>Token<\/b><\/td><td><b>Form Factor<\/b><\/td><td><b>Time Step<\/b><\/td><td><b>Interface<\/b><\/td><td><b>Description<\/b><\/td><\/tr><tr><td><a href=\"https:\/\/www.protectimus.com\/uk\/token\/smart\/\"><span style=\"font-weight: 400;\">Protectimus Slim NFC<\/span><\/a><\/td><td><span style=\"font-weight: 400;\">Credit card<\/span><\/td><td><span style=\"font-weight: 400;\">30\/60s<\/span><\/td><td><span style=\"font-weight: 400;\">NFC<\/span><\/td><td><span style=\"font-weight: 400;\">Wallet-friendly reprogrammable card-format token with NFC support<\/span><\/td><\/tr><tr><td><a href=\"https:\/\/www.protectimus.com\/uk\/token\/two\/\"><span style=\"font-weight: 400;\">Protectimus TWO<\/span><\/a><\/td><td><span style=\"font-weight: 400;\">Key fob<\/span><\/td><td><span style=\"font-weight: 400;\">30\/60s<\/span><\/td><td><span style=\"font-weight: 400;\">None<\/span><\/td><td><span style=\"font-weight: 400;\">Standard SHA-1 hardware token for traditional OTP deployments with fixed token seeds<\/span><\/td><\/tr><tr><td><a href=\"https:\/\/www.protectimus.com\/uk\/token\/flex\/\"><span 
style=\"font-weight: 400;\">Protectimus FLEX<\/span><\/a><\/td><td><span style=\"font-weight: 400;\">Key fob<\/span><\/td><td><span style=\"font-weight: 400;\">30s<\/span><\/td><td><span style=\"font-weight: 400;\">NFC<\/span><\/td><td><span style=\"font-weight: 400;\">Reprogrammable key fob token for flexible enterprise deployment<\/span><\/td><\/tr><tr><td><a href=\"https:\/\/www.protectimus.com\/uk\/token\/shark\/\"><span style=\"font-weight: 400;\">Protectimus SHARK<\/span><\/a><\/td><td><span style=\"font-weight: 400;\">Key fob<\/span><\/td><td><span style=\"font-weight: 400;\">30s<\/span><\/td><td><span style=\"font-weight: 400;\">None<\/span><\/td><td><span style=\"font-weight: 400;\">SHA-256 hardware token for organizations requiring stronger cryptographic algorithms in large-scale deployments<\/span><\/td><\/tr><\/tbody><\/table><\/div><p><span style=\"font-weight: 400;\">All four models use OATH TOTP standard and are provisioned through the Protectimus admin console. NFC-enabled programmable models (Slim NFC, FLEX) can be reprogrammed via an Android smartphone using NFC, allowing administrators or users to replace the secret key instead of replacing the token itself.<\/span><\/p><h3><b>Protectimus BOT (Chatbot OTP Delivery)<\/b><\/h3><p><span style=\"font-weight: 400;\">OTP codes delivered via chatbot in Telegram, Viber, or Facebook Messenger. The user receives a time-limited code in their connected messenger account. Requires internet connectivity on the user&#8217;s device but eliminates authenticator app installation. Suitable for users without corporate device management or in BYOD environments where app provisioning is constrained.<\/span><\/p><h3><b>SMS OTP<\/b><\/h3><p><span style=\"font-weight: 400;\">One-time passwords delivered via SMS. Protectimus supports custom SMS provider integration via SMPP, allowing routing through existing SMS infrastructure. 
Lower security than TOTP app or hardware token but suitable as a fallback method for specific user populations.<\/span><\/p><h3><b>Email OTP<\/b><\/h3><p><span style=\"font-weight: 400;\">OTP delivery via email. Lowest security tier \u2014 email accounts are themselves a target for credential theft \u2014 but provides a fallback for users without mobile access.<\/span><\/p><h3><b>Push Authentication<\/b><span style=\"font-weight: 400;\">\u00a0<\/span><\/h3><p><span style=\"font-weight: 400;\">Push notifications are sent for approval to the user\u2019s mobile device instead of requiring manual OTP entry. Users confirm or deny the login attempt directly in the Protectimus SMART app. However, this authentication method may still be vulnerable to MFA fatigue and push bombing attacks.<\/span><\/p><h3><b>Comparative overview:<\/b><\/h3><table><tbody><tr><td><b>Method<\/b><\/td><td><b>Phishing resistance<\/b><\/td><td><b>Offline capable<\/b><\/td><td><b>Self-service recovery<\/b><\/td><td><b>Device required<\/b><\/td><\/tr><tr><td><a href=\"https:\/\/www.protectimus.com\/uk\/token\/smart\/\"><span style=\"font-weight: 400;\">SMART OTP App<\/span><\/a><\/td><td><span style=\"font-weight: 400;\">High<\/span><\/td><td><span style=\"font-weight: 400;\">Yes<\/span><\/td><td><span style=\"font-weight: 400;\">Yes (cloud backup)<\/span><\/td><td><span style=\"font-weight: 400;\">Smartphone<\/span><\/td><\/tr><tr><td><a href=\"https:\/\/www.protectimus.com\/uk\/tokens\/\"><span style=\"font-weight: 400;\">Hardware Token<\/span><\/a><\/td><td><span style=\"font-weight: 400;\">High<\/span><\/td><td><span style=\"font-weight: 400;\">Yes<\/span><\/td><td><span style=\"font-weight: 400;\">No (admin replaces)<\/span><\/td><td><span style=\"font-weight: 400;\">Hardware token<\/span><\/td><\/tr><tr><td><a href=\"https:\/\/www.protectimus.com\/uk\/token\/bot\/\"><span style=\"font-weight: 400;\">BOT (Telegram\/Viber)<\/span><\/a><\/td><td><span style=\"font-weight: 
400;\">Medium<\/span><\/td><td><span style=\"font-weight: 400;\">No<\/span><\/td><td><span style=\"font-weight: 400;\">N\/A<\/span><\/td><td><span style=\"font-weight: 400;\">Smartphone<\/span><\/td><\/tr><tr><td><a href=\"https:\/\/www.protectimus.com\/uk\/token\/sms\/\"><span style=\"font-weight: 400;\">SMS<\/span><\/a><\/td><td><span style=\"font-weight: 400;\">Medium<\/span><\/td><td><span style=\"font-weight: 400;\">No<\/span><\/td><td><span style=\"font-weight: 400;\">N\/A<\/span><\/td><td><span style=\"font-weight: 400;\">Mobile phone<\/span><\/td><\/tr><tr><td><a href=\"https:\/\/www.protectimus.com\/uk\/token\/mail\/\"><span style=\"font-weight: 400;\">Email<\/span><\/a><\/td><td><span style=\"font-weight: 400;\">Low-Medium<\/span><\/td><td><span style=\"font-weight: 400;\">No<\/span><\/td><td><span style=\"font-weight: 400;\">N\/A<\/span><\/td><td><span style=\"font-weight: 400;\">Email access<\/span><\/td><\/tr><tr><td><a href=\"https:\/\/www.protectimus.com\/uk\/token\/push\/\"><span style=\"font-weight: 400;\">Push<\/span><\/a><\/td><td><span style=\"font-weight: 400;\">Medium<\/span><\/td><td><span style=\"font-weight: 400;\">No<\/span><\/td><td><span style=\"font-weight: 400;\">Yes (cloud backup)<\/span><\/td><td><span style=\"font-weight: 400;\">Smartphone<\/span><\/td><\/tr><\/tbody><\/table><p><span style=\"font-weight: 400;\">For <\/span><b>2FA for Cisco VPN<\/b><span style=\"font-weight: 400;\"> deployments specifically, TOTP-based methods \u2014 SMART app and hardware tokens \u2014 are the operationally appropriate choice. 
Both are offline-capable (OTP codes are generated locally on the device and do not require internet connectivity on the user side) and both are resistant to AiTM token capture due to the 30-second expiry window.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-280411b padded e-flex e-con-boxed e-con e-parent\" data-id=\"280411b\" data-element_type=\"container\" id=\"setup\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-2bd5d59 e-con-full e-flex e-con e-child\" data-id=\"2bd5d59\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-347cae5 elementor-widget elementor-widget-heading\" data-id=\"347cae5\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Step-by-Step Setup Guide<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3977085 elementor-widget elementor-widget-text-editor\" data-id=\"3977085\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><b>Configuring Cisco AnyConnect MFA with Protectimus requires four stages: Protectimus platform or service setup, RADIUS Server configuration, ASA\/Firepower AAA configuration, and user enrollment.<\/b><\/p><h3><b>Step 1: Set Up the Protectimus Platform or Cloud Service<\/b><\/h3><p><span style=\"font-weight: 400;\">Register at <\/span><a target=\"_blank\" target=\"_blank\" href=\"https:\/\/service.protectimus.com\/login\"><span style=\"font-weight: 400;\">protectimus.com<\/span><\/a><span style=\"font-weight: 400;\"> for the cloud service, or install the <\/span><a href=\"https:\/\/www.protectimus.com\/uk\/platform\/\"><span style=\"font-weight: 
400;\">Protectimus On-Premise Platform<\/span><\/a><span style=\"font-weight: 400;\"> on your infrastructure. In the platform:<\/span><\/p><ul><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Create a <\/span><b>Resource<\/b><span style=\"font-weight: 400;\"> representing the AnyConnect VPN integration<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Note your <\/span><b>API URL<\/b><span style=\"font-weight: 400;\">, <\/span><b>Login<\/b><span style=\"font-weight: 400;\">, and <\/span><b>API Key<\/b><span style=\"font-weight: 400;\"> \u2014 required for RADIUS Server configuration<\/span><\/li><\/ul><h3><b>Step 2: Install and Configure the Protectimus RADIUS Server<\/b><\/h3><p><span style=\"font-weight: 400;\">If using the Protectimus cloud service, install the Protectimus RADIUS Server on a Linux host (recommended) or Windows server accessible from the ASA. For on-premise deployments, the RADIUS Server is installed together with the Protectimus platform.<\/span><\/p><p><span style=\"font-weight: 400;\">Edit the radius.yml configuration file.\u00a0 Here is an example basic radius.yml configuration:<\/span><\/p><pre><code>\nauth:\n  providers:\n    - LDAP\n    - PROTECTIMUS_OTP\n  re-enter-otp: true\n  principal-normalization: true\n\nprotectimus-api:\n  login: your-api-login\n  api-key: your-api-key\n  url: https:\/\/api.protectimus.com\/\n  resource-id: your-resource-id\n\nradius:\n  secret: your-shared-secret\n  clients:\n    - name: cisco-asa\n      secret: your-shared-secret\n      ips:\n        - 192.168.1.100\/32   # ASA outside interface IP\n  auth-port: 1812\n  listen-address: 0.0.0.0\n\nldap:\n  base: dc=example,dc=com\n  urls:\n    - ldap:\/\/192.168.1.10:389\n  username: admin@example.com\n  password: your-ldap-password\n  principal-attribute: userPrincipalName\n<\/code><\/pre><p><span style=\"font-weight: 400;\">This example shows a basic LDAP + OTP configuration for 
Cisco AnyConnect MFA. Actual deployments may require additional settings depending on the authentication providers, inline OTP mode, RADIUS attributes, or Active Directory integration used in your environment.<\/span><\/p><p><span style=\"font-weight: 400;\">Full Protectimus RADIUS Server configuration documentation is available in the Protectimus RADIUS 2FA Guide.<\/span><\/p><p><span style=\"font-weight: 400;\">Start the RADIUS server service. Confirm it is listening on UDP 1812. Verify firewall rules allow UDP 1812 and 1813 (accounting) from the ASA IP to the RADIUS Server.<\/span><\/p><h3><b>Step 3: Configure Cisco ASA AAA Server Group<\/b><\/h3><p><span style=\"font-weight: 400;\">In <\/span><b>Cisco ASDM, navigate to<\/b><span style=\"font-weight: 400;\">: <\/span><b>Configuration \u2192 Remote Access VPN \u2192 AAA\/Local Users \u2192 AAA Server Groups<\/b><span style=\"font-weight: 400;\">:<\/span><\/p><ol><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Click <\/span><b>Add<\/b><span style=\"font-weight: 400;\"> in the AAA Server Groups section.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Specify the AAA Server Group name (for example, <\/span><span style=\"font-weight: 400;\">protectimus<\/span><span style=\"font-weight: 400;\">) and set <\/span><b>Protocol<\/b><span style=\"font-weight: 400;\"> to <\/span><span style=\"font-weight: 400;\">RADIUS<\/span><span style=\"font-weight: 400;\">.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Configure the group parameters:<\/span><ol><li style=\"font-weight: 400;\" aria-level=\"2\"><b>Accounting Mode<\/b><span style=\"font-weight: 400;\"> \u2014 <\/span><span style=\"font-weight: 400;\">Single<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><b>Reactivation Mode<\/b><span style=\"font-weight: 400;\"> \u2014 <\/span><span style=\"font-weight: 
400;\">Depletion<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><b>Dead Time<\/b><span style=\"font-weight: 400;\"> \u2014 <\/span><span style=\"font-weight: 400;\">10<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><b>Max Failed Attempts<\/b><span style=\"font-weight: 400;\"> \u2014 <\/span><span style=\"font-weight: 400;\">3<\/span><\/li><\/ol><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Click <\/span><b>OK<\/b><span style=\"font-weight: 400;\">.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Select the newly created AAA Server Group.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">In the <\/span><b>Servers in the Selected Group<\/b><span style=\"font-weight: 400;\"> section, click <\/span><b>Add<\/b><span style=\"font-weight: 400;\">.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Configure the RADIUS server settings:<\/span><ol><li style=\"font-weight: 400;\" aria-level=\"2\"><b>Interface Name<\/b><span style=\"font-weight: 400;\"> \u2014 interface used to communicate with the Protectimus RADIUS Server<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><b>Server Name or IP Address<\/b><span style=\"font-weight: 400;\"> \u2014 IP address of the Protectimus RADIUS Server<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><b>Timeout<\/b><span style=\"font-weight: 400;\"> \u2014 <\/span><span style=\"font-weight: 400;\">10 seconds (increase if users require additional time to enter OTP codes)<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><b>Server Authentication Port<\/b><span style=\"font-weight: 400;\"> \u2014 <\/span><span style=\"font-weight: 400;\">1816<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><b>Server Accounting Port<\/b><span style=\"font-weight: 400;\"> \u2014 <\/span><span 
style=\"font-weight: 400;\">1815<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><b>Retry Interval<\/b><span style=\"font-weight: 400;\"> \u2014 <\/span><span style=\"font-weight: 400;\">10 seconds<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><b>Server Secret Key<\/b><span style=\"font-weight: 400;\"> \u2014 must match the secret configured in the Protectimus RADIUS Server<\/span><\/li><\/ol><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Click <\/span><b>OK<\/b><span style=\"font-weight: 400;\">.<\/span><\/li><\/ol><p><span style=\"font-weight: 400;\"><br \/>For <\/span><b>Cisco Firepower via FMC<\/b><span style=\"font-weight: 400;\">, navigate to:\u00a0<\/span><\/p><p><b>Objects \u2192 Object Management \u2192 RADIUS Server Group \u2192 Add Group.\u00a0<\/b><\/p><p><span style=\"font-weight: 400;\">Add a new RADIUS Server Group.<\/span> <span style=\"font-weight: 400;\">Parameters are identical.<\/span><\/p><h3><b>Step 4: Configure the AnyConnect VPN Connection<\/b><\/h3><p><span style=\"font-weight: 400;\">In Cisco ASDM, open:<\/span><\/p><p><b>Wizards \u2192 VPN Wizards \u2192 AnyConnect VPN Wizard<\/b><\/p><ol><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Configure the connection profile:<\/span><ul><li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Specify the <\/span><b>Connection Profile Name<\/b><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Select the <\/span><b>VPN Access Interface<\/b><\/li><\/ul><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Configure VPN protocols:<\/span><ul><li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Enable <\/span><span style=\"font-weight: 400;\">SSL<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Enable <\/span><span 
style=\"font-weight: 400;\">IPsec<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Select or generate a device certificate<\/span><\/li><\/ul><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Add AnyConnect client image (<\/span><span style=\"font-weight: 400;\">*.pkg<\/span><span style=\"font-weight: 400;\">) files.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">In the <\/span><b>Authentication Methods<\/b><span style=\"font-weight: 400;\"> step:<\/span><ul><li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Select the previously created <\/span><span style=\"font-weight: 400;\">protectimus<\/span><span style=\"font-weight: 400;\"> AAA Server Group<\/span><\/li><\/ul><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">In the <\/span><b>SAML Configuration<\/b><span style=\"font-weight: 400;\"> step:<\/span><ul><li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Set <\/span><b>Authentication Method<\/b><span style=\"font-weight: 400;\"> to <\/span><span style=\"font-weight: 400;\">AAA<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Select the <\/span><span style=\"font-weight: 400;\">protectimus<\/span><span style=\"font-weight: 400;\"> AAA Server Group<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">Leave <\/span><b>SAML Server<\/b><span style=\"font-weight: 400;\"> set to <\/span><span style=\"font-weight: 400;\">None<\/span><\/li><\/ul><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Configure the client IP address pool.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Configure DNS settings.<\/span><\/li><li style=\"font-weight: 400;\" 
aria-level=\"1\"><span style=\"font-weight: 400;\">Enable <\/span><b>Exempt VPN traffic from network address translation<\/b><span style=\"font-weight: 400;\">.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Enable <\/span><b>Allow Web Launch<\/b><span style=\"font-weight: 400;\">.<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Review the configuration summary and click <\/span><b>Finish<\/b><span style=\"font-weight: 400;\">.<\/span><\/li><\/ol><h3><b>Step 5: Enroll Users<\/b><\/h3><p><span style=\"font-weight: 400;\">Add users to the Protectimus platform manually, via CSV import, or via LDAP sync with Active Directory. Assign tokens to users manually or activate the Self-Service Portal so users can enroll and manage their own tokens. Run authentication tests with a pilot group before broader rollout.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a29b829 padded e-flex e-con-boxed e-con e-parent\" data-id=\"a29b829\" data-element_type=\"container\" id=\"deployment\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-1dc9ec2 e-con-full e-flex e-con e-child\" data-id=\"1dc9ec2\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-131348d elementor-widget elementor-widget-heading\" data-id=\"131348d\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Deployment Options: Cloud vs On-Premise<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5266633 elementor-widget elementor-widget-text-editor\" data-id=\"5266633\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><b>Protectimus MFA for Cisco AnyConnect is available as a cloud SaaS service or a fully on-premise platform \u2014 both support the complete RADIUS integration and full feature set.<\/b><\/p><h3><b>Cloud Deployment<\/b><\/h3><p><span style=\"font-weight: 400;\">The cloud service requires only the RADIUS Server component deployed locally. The RADIUS Server communicates with the Protectimus Cloud Service API to validate OTPs. No platform infrastructure on the client side.<\/span><\/p><p><span style=\"font-weight: 400;\">Technical requirements for cloud deployment:<\/span><\/p><ul><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">One Linux or Windows server for the RADIUS Server component<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Outbound HTTPS access from RADIUS Server to <\/span><span style=\"font-weight: 400;\">api.protectimus.com<\/span><\/li><li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Inbound UDP 1812\/1813 from ASA to RADIUS Server<\/span><\/li><\/ul><h3><b>On-Premise Deployment<\/b><\/h3><p><span style=\"font-weight: 400;\">The<\/span> <a href=\"https:\/\/www.protectimus.com\/uk\/platform\/\"><span style=\"font-weight: 400;\">Protectimus On-Premise Platform<\/span><\/a><span style=\"font-weight: 400;\"> runs entirely within your infrastructure. 
No authentication data leaves your network at any point.<\/span><\/p><p><span style=\"font-weight: 400;\">Technical requirements:<\/span><\/p><table><tbody><tr><td><p><b>Component<\/b><\/p><\/td><td><p><b>Requirement<\/b><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">CPU<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">2 cores minimum<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">RAM<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">8 GB minimum<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Storage<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Minimum 20 GB disk space<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">OS<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Linux (primary), Windows<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">HA configuration<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Optional 3-node cluster with HAProxy<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Load Balancing<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Load balancer recommended for HA deployments<\/span><\/p><\/td><\/tr><\/tbody><\/table><h3><b>Deployment comparison:<\/b><\/h3><table><tbody><tr><td><p><b>Factor<\/b><\/p><\/td><td><p><b>Cloud<\/b><\/p><\/td><td><p><b>On-Premise<\/b><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Infrastructure required<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">RADIUS Server only<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Protectimus On-Premise Platform\u00a0 (includes RADIUS Server)<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Time to first authentication<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Typically a few hours<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Typically a few hours after infrastructure 
preparation<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Platform maintenance<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Managed by Protectimus<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Self-managed<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Data residency<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Protectimus cloud<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Fully within your network<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Air-gapped support<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">No<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Yes<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">HA \/ clustering<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Managed by Protectimus<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Self-managed (3-node recommended)<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Private cloud deployment<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">No<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">AWS\/Azure\/VMware private cloud<\/span><\/p><\/td><\/tr><\/tbody><\/table><p><span style=\"font-weight: 400;\">For environments operating under PCI DSS cardholder data environment requirements, HIPAA, FISMA, or any framework where authentication data residency is evaluated during audit \u2014 on-premise deployment is the architecturally appropriate choice.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-16797b4 padded e-flex e-con-boxed e-con e-parent\" data-id=\"16797b4\" data-element_type=\"container\" id=\"comparison\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-bb86bc5 e-con-full e-flex e-con e-child\" data-id=\"bb86bc5\" 
data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-891beb3 elementor-widget elementor-widget-heading\" data-id=\"891beb3\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Protectimus vs Cisco Duo for AnyConnect<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d7f6098 elementor-widget elementor-widget-text-editor\" data-id=\"d7f6098\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><b>Both Protectimus and Cisco Duo integrate with Cisco AnyConnect via RADIUS and support TOTP-based second factors \u2014 the architectural differences lie in deployment model, hardware token availability, and external connectivity requirements.<\/b><\/p><p><span style=\"font-weight: 400;\">This section outlines objective technical differences. The appropriate choice depends on your organization&#8217;s specific infrastructure requirements.<\/span><\/p><h3><b>Integration architecture<\/b><\/h3><p><span style=\"font-weight: 400;\">Both solutions use RADIUS as the primary integration path for AnyConnect SSL VPN and IPSec VPN. Duo additionally offers a SAML-based integration that enables an interactive enrollment and authentication prompt for browser-based VPN logins (AnyConnect 4.6+ client). The RADIUS path \u2014 used by both \u2014 covers all AnyConnect connection types without additional configuration differences.<\/span><\/p><h3><b>On-premise deployment and external connectivity<\/b><\/h3><p><span style=\"font-weight: 400;\">Protectimus On-Premise runs as a fully self-contained platform. 
Once deployed, it requires no external connectivity to validate authentication requests \u2014 all OTP verification happens within your network.<\/span><\/p><p><span style=\"font-weight: 400;\">Duo&#8217;s on-premise component (Duo Authentication Proxy) proxies authentication requests to Duo&#8217;s cloud infrastructure for processing. Authentication requests pass through Duo&#8217;s servers even in &#8220;on-premise&#8221; configurations. For organizations with network isolation requirements, air-gapped environments, or compliance frameworks that restrict authentication data egress, this is a relevant architectural distinction.<\/span><\/p><h3><b>Hardware token support<\/b><\/h3><p><span style=\"font-weight: 400;\">Protectimus offers four hardware OTP token models directly: Slim NFC, TWO, FLEX, and SHARK. All support the OATH TOTP standard. NFC-equipped models support NFC-based token reprogramming via an Android smartphone. Duo supports OATH-compatible hardware tokens from third-party vendors but does not offer its own hardware token line.<\/span><\/p><h3><b>Cisco ecosystem integration<\/b><\/h3><p><span style=\"font-weight: 400;\">Duo&#8217;s direct integration with Cisco ISE, Cisco Umbrella, and Cisco SecureX provides tighter policy enforcement for organizations already operating within the Cisco security stack. 
Protectimus integrates with Cisco ISE via standard RADIUS proxy but does not have dedicated connectors for other Cisco platform components.<\/span><\/p><h3><b>Objective comparison:<\/b><\/h3><table><tbody><tr><td><p><b>Factor<\/b><\/p><\/td><td><p><b>Protectimus<\/b><\/p><\/td><td><p><b>Cisco Duo<\/b><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">RADIUS integration for AnyConnect<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Yes<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Yes<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">SAML \/ interactive web prompt support<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">No<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Yes<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Hardware token support<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">4 hardware token models (classic and programmable)<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Supports third-party OATH tokens<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">On-premise with no external dependencies<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Yes<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">No (requires Duo cloud)<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Air-gapped environment support<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Yes<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">No<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Self-service enrollment portal<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Yes<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Yes<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Cisco ISE integration<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Via RADIUS proxy<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Native 
integration<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Cisco ecosystem integration (ISE, Umbrella, SecureX)<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Standard RADIUS-based integration<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Native integration<\/span><\/p><\/td><\/tr><\/tbody><\/table>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-dd147b2 padded e-flex e-con-boxed e-con e-parent\" data-id=\"dd147b2\" data-element_type=\"container\" id=\"compliance\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-c9b7b25 e-con-full e-flex e-con e-child\" data-id=\"c9b7b25\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-fad9de1 elementor-widget elementor-widget-heading\" data-id=\"fad9de1\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Compliance and Use Cases<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-78865c0 elementor-widget elementor-widget-text-editor\" data-id=\"78865c0\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><b>Cisco AnyConnect MFA via Protectimus directly addresses mandatory second-factor requirements in PCI DSS v4.0, HIPAA, NIST SP 800-63B, SOC 2, and ISO 27001.<\/b><\/p><h3><b>PCI DSS v4.0<\/b><\/h3><p><span style=\"font-weight: 400;\">Requirement 8.4.2 mandates MFA for all non-console administrative access and all remote network access originating from outside the cardholder data environment. AnyConnect VPN connecting to systems in scope for PCI DSS falls under this requirement without exception. 
The Protectimus TOTP implementation satisfies Requirement 8.4.2; the on-premise deployment addresses data residency considerations relevant to PCI DSS assessors evaluating authentication infrastructure placement.<\/span><\/p><h3><b>HIPAA<\/b><\/h3><p><span style=\"font-weight: 400;\">The HIPAA Security Rule Technical Safeguards (45 CFR \u00a7164.312) require access controls and authentication for systems containing electronic protected health information. HHS guidance explicitly recommends MFA for remote access to ePHI systems. For healthcare organizations using AnyConnect to access clinical systems, enforcement of <\/span><b>Cisco AnyConnect MFA<\/b><span style=\"font-weight: 400;\"> is consistent with current HHS audit expectations.<\/span><\/p><h3><b>NIST SP 800-63B<\/b><\/h3><p><span style=\"font-weight: 400;\">At Authenticator Assurance Level 2 (AAL2), NIST requires a multi-factor authentication mechanism using an approved &#8220;something you have&#8221; authenticator. OATH TOTP satisfies AAL2. Hardware tokens satisfy AAL2 without additional conditions; Protectimus SMART OTP app with PIN or biometric protection satisfies AAL2. Organizations operating under FedRAMP or FISMA reference NIST 800-63B directly for remote access authentication requirements.<\/span><\/p><h3><b>SOC 2<\/b><\/h3><p><span style=\"font-weight: 400;\">SOC 2 Type II audits evaluate logical access controls under Common Criteria 6.1 (CC6.1). Enforced MFA on remote access VPN \u2014 with documented policy, implementation evidence, and audit logs \u2014 satisfies CC6.1 and is standard audit evidence for SOC 2 engagements.<\/span><\/p><h3><b>ISO 27001<\/b><\/h3><p><span style=\"font-weight: 400;\">Annex A control A.9.4.2 (Secure log-on procedures) addresses authentication strength for system access. 
MFA on remote access VPN is standard evidence for this control in ISO 27001 certification audits.<\/span><\/p><h3><b>Industry use cases:<\/b><\/h3><table><tbody><tr><td><p><b>Sector<\/b><\/p><\/td><td><p><b>Compliance driver<\/b><\/p><\/td><td><p><b>Deployment notes<\/b><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Financial services<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">PCI DSS v4.0, SOX<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">On-premise deployment; hardware tokens for privileged access<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Healthcare<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">HIPAA, HITECH<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">On-premise deployment; SMART app + hardware token fallback<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Government \/ Defense<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">NIST 800-63B, FISMA<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">On-premise deployment; air-gapped support<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Energy \/ Critical infrastructure<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">NERC CIP, NIS2<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">On-premise deployment; hardware token support<\/span><\/p><\/td><\/tr><tr><td><p><span style=\"font-weight: 400;\">Professional services<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">SOC 2 Type II<\/span><\/p><\/td><td><p><span style=\"font-weight: 400;\">Cloud or on-premise deployment<\/span><\/p><\/td><\/tr><\/tbody><\/table>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a2442ac padded e-flex e-con-boxed e-con e-parent\" data-id=\"a2442ac\" data-element_type=\"container\" id=\"troubleshooting\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div 
class=\"elementor-element elementor-element-d2891c1 e-con-full e-flex e-con e-child\" data-id=\"d2891c1\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f2847f8 elementor-widget elementor-widget-heading\" data-id=\"f2847f8\" data-element_type=\"widget\" id=\"howtosetup\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Troubleshooting Common Issues<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-32a2622 elementor-widget elementor-widget-text-editor\" data-id=\"32a2622\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><b>The majority of Cisco AnyConnect MFA authentication failures trace to four root causes: RADIUS connectivity, shared secret mismatch, OTP time drift, and AAA attribute configuration.<\/b><\/p><h3><b>RADIUS connectivity failures<\/b><\/h3><p><span style=\"font-weight: 400;\">Confirm UDP 1816 is open from the ASA outside or inside interface (depending on RADIUS Server placement) to the RADIUS Server IP. Run <\/span><span style=\"font-weight: 400;\">test aaa-server authentication protectimus host &lt;ip&gt; username &lt;user&gt; password &lt;password&gt;<\/span><span style=\"font-weight: 400;\"> from ASA CLI to isolate whether the failure is ASA-to-RADIUS or RADIUS-to-Protectimus-API. 
Check RADIUS Server logs for reject reason codes and API connectivity errors.<\/span><\/p><h3><b>Shared secret mismatch<\/b><\/h3><p><span style=\"font-weight: 400;\">The shared secret in the ASA AAA server configuration must exactly match the <\/span><span style=\"font-weight: 400;\">secret<\/span><span style=\"font-weight: 400;\"> value in the RADIUS Server <\/span><span style=\"font-weight: 400;\">clients<\/span><span style=\"font-weight: 400;\"> configuration \u2014 case-sensitive, no trailing whitespace. A mismatch typically presents as a timeout or <\/span><span style=\"font-weight: 400;\">ERROR<\/span><span style=\"font-weight: 400;\"> response rather than an explicit <\/span><span style=\"font-weight: 400;\">Access-Reject<\/span><span style=\"font-weight: 400;\">, because the ASA cannot validate a response signed with a different secret.<\/span><\/p><h3><b>OTP time drift<\/b><\/h3><p><span style=\"font-weight: 400;\">TOTP validation is time-dependent. Clock drift exceeding 30 seconds between the RADIUS Server host and the token will cause OTP failures. Verify NTP is configured and synchronizing on the RADIUS Server host. The Protectimus platform accepts a \u00b11 time step window by default (validating the previous and next OTP in addition to the current one), providing 90 seconds of tolerance \u2014 this does not compensate for sustained clock drift. The allowed time drift window can be expanded in the Protectimus platform or cloud service configuration if required, although this should not replace proper time synchronization.<\/span><\/p><h3><b>Authentication timeout during OTP entry<\/b><\/h3><p><span style=\"font-weight: 400;\">The default ASA AAA server timeout is often 10\u201312 seconds. Timeout values this short may interrupt authentication before users have time to enter an OTP code, especially when using SMS, email, or chatbot delivery methods. 
If users experience timeout-related authentication failures, increase the timeout value in the AAA server configuration to 60 seconds or more. For SMS or email delivery, 90\u2013120 seconds is more appropriate given potential delivery latency.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a9cb282 padded e-flex e-con-boxed e-con e-parent\" data-id=\"a9cb282\" data-element_type=\"container\" id=\"faq\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-7659ffd elementor-widget elementor-widget-heading\" data-id=\"7659ffd\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">FAQ<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-dc81e4c e-con-full padded e-flex e-con e-child\" data-id=\"dc81e4c\" data-element_type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-fb2596d e-con-full faq-container e-flex e-con e-child\" data-id=\"fb2596d\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-412fa06 plus-right elementor-widget elementor-widget-n-accordion\" data-id=\"412fa06\" data-element_type=\"widget\" data-settings=\"{&quot;default_state&quot;:&quot;all_collapsed&quot;,&quot;max_items_expended&quot;:&quot;one&quot;,&quot;n_accordion_animation_duration&quot;:{&quot;unit&quot;:&quot;ms&quot;,&quot;size&quot;:400,&quot;sizes&quot;:[]}}\" data-widget_type=\"nested-accordion.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"e-n-accordion\" aria-label=\"Accordion. 
Open links with Enter or Space, close with Escape, and navigate with Arrow Keys\">\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-6830\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"1\" tabindex=\"0\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-6830\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><h3 class=\"e-n-accordion-item-title-text\"> How do I enable MFA on Cisco AnyConnect? <\/h3><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"2\" viewBox=\"0 0 24 2\" fill=\"none\"><path d=\"M24 1L5.96046e-08 0.999999\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t\t<span class='e-closed'><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M12 0V24\" stroke=\"#111111\" stroke-width=\"2\"><\/path><path d=\"M24 12L5.96046e-08 12\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-6830\" class=\"elementor-element elementor-element-ea1991a e-con-full e-flex e-con e-child\" data-id=\"ea1991a\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8bad61c elementor-widget elementor-widget-text-editor\" data-id=\"8bad61c\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Cisco AnyConnect does not have a built-in MFA engine \u2014 second-factor enforcement requires configuring the ASA or Firepower device to use an external RADIUS server for AAA authentication. 
The process with Protectimus: install and configure the Protectimus RADIUS Server on a Linux or Windows host reachable from the ASA; create an AAA server group in ASDM or FMC pointing to the RADIUS Server IP on UDP 1816; assign that server group to the AnyConnect connection profile under Authentication; enroll users in the Protectimus platform with their token type. First authentication with MFA enforced is achievable within 2\u20134 hours for a standard single-domain deployment. The full setup walkthrough is at<\/span> <a href=\"https:\/\/www.protectimus.com\/guides\/cisco-anyconnect\/\"><span style=\"font-weight: 400;\">protectimus.com\/guides\/cisco-anyconnect\/<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-6831\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"2\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-6831\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><h3 class=\"e-n-accordion-item-title-text\"> Does Cisco AnyConnect support TOTP authenticator apps like Google Authenticator? 
<\/h3><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"2\" viewBox=\"0 0 24 2\" fill=\"none\"><path d=\"M24 1L5.96046e-08 0.999999\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t\t<span class='e-closed'><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M12 0V24\" stroke=\"#111111\" stroke-width=\"2\"><\/path><path d=\"M24 12L5.96046e-08 12\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-6831\" class=\"elementor-element elementor-element-b2bdc68 e-con-full e-flex e-con e-child\" data-id=\"b2bdc68\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f30747e elementor-widget elementor-widget-text-editor\" data-id=\"f30747e\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Cisco AnyConnect is TOTP-agnostic \u2014 it passes credentials to the RADIUS server, which handles OTP validation. Any OATH TOTP-compatible app works, including Google Authenticator, Microsoft Authenticator, and Protectimus SMART OTP. The functional difference for enterprise deployments is in management capabilities. Protectimus SMART OTP supports cloud backup for self-service token recovery, PIN and biometric protection, and configurable time steps beyond the 30-second default. 
Google Authenticator and Microsoft Authenticator do not expose management APIs and do not support time step configuration, which limits their usefulness in large-scale deployments where token recovery and audit visibility matter.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-6832\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"3\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-6832\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><h3 class=\"e-n-accordion-item-title-text\"> Can I use hardware OTP tokens with Cisco AnyConnect VPN? <\/h3><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"2\" viewBox=\"0 0 24 2\" fill=\"none\"><path d=\"M24 1L5.96046e-08 0.999999\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t\t<span class='e-closed'><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M12 0V24\" stroke=\"#111111\" stroke-width=\"2\"><\/path><path d=\"M24 12L5.96046e-08 12\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-6832\" class=\"elementor-element elementor-element-0787040 e-con-full e-flex e-con e-child\" data-id=\"0787040\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9eb7aff elementor-widget elementor-widget-text-editor\" data-id=\"9eb7aff\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Yes. 
Hardware OATH TOTP tokens integrate with AnyConnect via RADIUS identically to software tokens \u2014 the user enters the 6-digit OTP displayed on the token as the second step after entering their VPN password and username. Protectimus offers four hardware token models: Slim NFC (programmable credit card form factor token with NFC support), TWO (key fob, no NFC), FLEX (programmable NFC hardware token in key fob format), and SHARK (SHA-256 hardware TOTP token in key fob format, not programmable). All use the OATH TOTP standard, support 30-second time steps (or optionally 60-second), and are managed through the Protectimus admin console. Hardware tokens are operationally appropriate for environments where mobile devices are prohibited, for field workers without reliable smartphone access, or for high-security roles requiring a physical authenticator separate from the user&#8217;s primary device.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-6833\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"4\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-6833\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><h3 class=\"e-n-accordion-item-title-text\"> How does Protectimus MFA for Cisco AnyConnect differ from Cisco Duo? 
<\/h3><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"2\" viewBox=\"0 0 24 2\" fill=\"none\"><path d=\"M24 1L5.96046e-08 0.999999\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t\t<span class='e-closed'><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M12 0V24\" stroke=\"#111111\" stroke-width=\"2\"><\/path><path d=\"M24 12L5.96046e-08 12\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-6833\" class=\"elementor-element elementor-element-b3373c0 e-con-full e-flex e-con e-child\" data-id=\"b3373c0\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-6ef49d2 elementor-widget elementor-widget-text-editor\" data-id=\"6ef49d2\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Both integrate via RADIUS and support TOTP-based second factors for AnyConnect. The primary architectural difference is in on-premise deployment: Protectimus On-Premise processes all authentication requests within your infrastructure with no external connectivity required. Duo&#8217;s Authentication Proxy forwards each authentication request to Duo&#8217;s cloud infrastructure, meaning on-premise Duo deployments require outbound internet access to Duo&#8217;s servers. For environments with network isolation requirements or air-gapped networks, this distinction is relevant. On hardware tokens, Protectimus offers four models for direct provisioning; Duo relies on third-party OATH-compatible devices. 
Duo provides tighter integration with the broader Cisco security stack \u2014 ISE, Umbrella, SecureX \u2014 for organizations standardized on Cisco&#8217;s platform ecosystem.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-6834\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"5\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-6834\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><h3 class=\"e-n-accordion-item-title-text\"> Is Protectimus MFA for Cisco AnyConnect compliant with PCI DSS, HIPAA, NIST? <\/h3><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"2\" viewBox=\"0 0 24 2\" fill=\"none\"><path d=\"M24 1L5.96046e-08 0.999999\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t\t<span class='e-closed'><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M12 0V24\" stroke=\"#111111\" stroke-width=\"2\"><\/path><path d=\"M24 12L5.96046e-08 12\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-6834\" class=\"elementor-element elementor-element-3e2c10e e-con-full e-flex e-con e-child\" data-id=\"3e2c10e\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e1ee304 elementor-widget elementor-widget-text-editor\" data-id=\"e1ee304\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Yes. The TOTP-via-RADIUS implementation satisfies MFA requirements across major compliance frameworks. 
PCI DSS v4.0 Requirement 8.4.2 mandates MFA for all remote access into the cardholder data environment \u2014 OATH TOTP via RADIUS satisfies this requirement. HIPAA Technical Safeguards require access controls for ePHI systems; MFA on VPN access is explicitly recommended in current HHS guidance. NIST SP 800-63B AAL2 requires a &#8220;something you have&#8221; authenticator \u2014 OATH TOTP satisfies AAL2; hardware tokens provide the strongest AAL2 assurance. SOC 2 CC6.1 (logical access controls) and ISO 27001 A.9.4.2 (secure log-on procedures) are both addressed by documented, enforced MFA on remote access. The on-premise deployment option is specifically relevant where compliance assessors evaluate authentication data residency and processing location.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-6835\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"6\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-6835\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><h3 class=\"e-n-accordion-item-title-text\"> Can MFA be applied only to specific Cisco AnyConnect user groups? 
<\/h3><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"2\" viewBox=\"0 0 24 2\" fill=\"none\"><path d=\"M24 1L5.96046e-08 0.999999\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t\t<span class='e-closed'><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M12 0V24\" stroke=\"#111111\" stroke-width=\"2\"><\/path><path d=\"M24 12L5.96046e-08 12\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-6835\" class=\"elementor-element elementor-element-67bff32 e-con-full e-flex e-con e-child\" data-id=\"67bff32\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ed5da62 elementor-widget elementor-widget-text-editor\" data-id=\"ed5da62\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Yes, through multiple configuration methods. At the ASA level, each connection profile (tunnel group) can be assigned a different AAA server group \u2014 allowing specific profiles to enforce RADIUS MFA while others use local or Active Directory authentication. Within the Protectimus platform, group-based policies allow MFA enforcement for specific user groups while different authentication policies apply to other groups. 
This flexibility supports phased rollouts \u2014 starting MFA enforcement with privileged accounts and IT staff before extending to all users.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-6836\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"7\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-6836\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><h3 class=\"e-n-accordion-item-title-text\"> What happens if a user loses their OTP token or smartphone? <\/h3><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"2\" viewBox=\"0 0 24 2\" fill=\"none\"><path d=\"M24 1L5.96046e-08 0.999999\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t\t<span class='e-closed'><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M12 0V24\" stroke=\"#111111\" stroke-width=\"2\"><\/path><path d=\"M24 12L5.96046e-08 12\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-6836\" class=\"elementor-element elementor-element-a41023b e-con-full e-flex e-con e-child\" data-id=\"a41023b\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-2a36881 elementor-widget elementor-widget-text-editor\" data-id=\"2a36881\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Recovery depends on the authentication method. 
For Protectimus SMART OTP app users with cloud backup enabled, the user restores their token to a replacement device through the Protectimus self-service portal without administrator involvement. For hardware token loss, an administrator deactivates the lost token in the Protectimus admin console and provisions a replacement. In urgent scenarios, an administrator can temporarily disable MFA for a specific user account \u2014 this action is time-limited, requires administrator authorization, and is recorded in the Protectimus audit log. Activating the self-service portal and enabling cloud backup in the SMART app before rollout is strongly recommended to minimize help desk dependency for routine device replacement scenarios.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t\t<details id=\"e-n-accordion-item-6837\" class=\"e-n-accordion-item\" >\n\t\t\t\t<summary class=\"e-n-accordion-item-title\" data-accordion-index=\"8\" tabindex=\"-1\" aria-expanded=\"false\" aria-controls=\"e-n-accordion-item-6837\" >\n\t\t\t\t\t<span class='e-n-accordion-item-title-header'><h3 class=\"e-n-accordion-item-title-text\"> Does Protectimus support Cisco AnyConnect with on-premise deployment? 
<\/h3><\/span>\n\t\t\t\t\t\t\t<span class='e-n-accordion-item-title-icon'>\n\t\t\t<span class='e-opened' ><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"2\" viewBox=\"0 0 24 2\" fill=\"none\"><path d=\"M24 1L5.96046e-08 0.999999\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t\t<span class='e-closed'><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"24\" height=\"24\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M12 0V24\" stroke=\"#111111\" stroke-width=\"2\"><\/path><path d=\"M24 12L5.96046e-08 12\" stroke=\"#111111\" stroke-width=\"2\"><\/path><\/svg><\/span>\n\t\t<\/span>\n\n\t\t\t\t\t\t<\/summary>\n\t\t\t\t<div role=\"region\" aria-labelledby=\"e-n-accordion-item-6837\" class=\"elementor-element elementor-element-bd21f5f e-con-full e-flex e-con e-child\" data-id=\"bd21f5f\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-63d6fa9 elementor-widget elementor-widget-text-editor\" data-id=\"63d6fa9\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Yes. The Protectimus On-Premise Platform installs on Linux or Windows servers within your infrastructure \u2014 physical hardware, on-premise VMware, or private cloud environments such as AWS or Azure. Minimum requirements: 2-core CPU, 8 GB RAM, 200 GB storage. For high availability, a minimum 3-node cluster with HAProxy load balancing is supported, with master-slave replication across nodes. No authentication data leaves your network at any point \u2014 OTP validation, user management, and audit logging all occur locally. 
The on-premise deployment is appropriate for organizations under HIPAA, PCI DSS cardholder data environment requirements, NIST 800-63B\/FISMA frameworks, or any environment where network isolation or data residency requirements constrain the use of external authentication services.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/details>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t<script type=\"application\/ld+json\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@type\":\"FAQPage\",\"mainEntity\":[{\"@type\":\"Question\",\"name\":\"How do I enable MFA on Cisco AnyConnect?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Cisco AnyConnect does not have a built-in MFA engine \\u2014 second-factor enforcement requires configuring the ASA or Firepower device to use an external RADIUS server for AAA authentication. The process with Protectimus: install and configure the Protectimus RADIUS Server on a Linux or Windows host reachable from the ASA; create an AAA server group in ASDM or FMC pointing to the RADIUS Server IP on UDP 1816; assign that server group to the AnyConnect connection profile under Authentication; enroll users in the Protectimus platform with their token type. First authentication with MFA enforced is achievable within 2\\u20134 hours for a standard single-domain deployment. The full setup walkthrough is at protectimus.com\\\/guides\\\/cisco-anyconnect\\\/.\"}},{\"@type\":\"Question\",\"name\":\"Does Cisco AnyConnect support TOTP authenticator apps like Google Authenticator?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Cisco AnyConnect is TOTP-agnostic \\u2014 it passes credentials to the RADIUS server, which handles OTP validation. Any OATH TOTP-compatible app works, including Google Authenticator, Microsoft Authenticator, and Protectimus SMART OTP. The functional difference for enterprise deployments is in management capabilities. 
Protectimus SMART OTP supports cloud backup for self-service token recovery, PIN and biometric protection, and configurable time steps beyond the 30-second default. Google Authenticator and Microsoft Authenticator do not expose management APIs and do not support time step configuration, which limits their usefulness in large-scale deployments where token recovery and audit visibility matter.\"}},{\"@type\":\"Question\",\"name\":\"Can I use hardware OTP tokens with Cisco AnyConnect VPN?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes. Hardware OATH TOTP tokens integrate with AnyConnect via RADIUS identically to software tokens \\u2014 the user enters the 6-digit OTP displayed on the token as the second step after entering their VPN password and username. Protectimus offers four hardware token models: Slim NFC (programmable credit card form factor token with NFC support), TWO (key fob, no NFC), FLEX (programmable NFC hardware token in key fob format), and SHARK (SHA-256 hardware TOTP token in key fob format, not programmable). All use the OATH TOTP standard, support 30-second time steps (or 60-second optionally), and are managed through the Protectimus admin console. Hardware tokens are operationally appropriate for environments where mobile devices are prohibited, for field workers without reliable smartphone access, or for high-security roles requiring a physical authenticator separate from the user&#8217;s primary device.\"}},{\"@type\":\"Question\",\"name\":\"How does Protectimus MFA for Cisco AnyConnect differ from Cisco Duo?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Both integrate via RADIUS and support TOTP-based second factors for AnyConnect. The primary architectural difference is in on-premise deployment: Protectimus On-Premise processes all authentication requests within your infrastructure with no external connectivity required. 
Duo&#8217;s Authentication Proxy forwards each authentication request to Duo&#8217;s cloud infrastructure, meaning on-premise Duo deployments require outbound internet access to Duo&#8217;s servers. For environments with network isolation requirements or air-gapped networks, this distinction is relevant. On hardware tokens, Protectimus offers four models for direct provisioning; Duo relies on third-party OATH-compatible devices. Duo provides tighter integration with the broader Cisco security stack \\u2014 ISE, Umbrella, SecureX \\u2014 for organizations standardized on Cisco&#8217;s platform ecosystem.\"}},{\"@type\":\"Question\",\"name\":\"Is Protectimus MFA for Cisco AnyConnect compliant with PCI DSS, HIPAA, NIST?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes. The TOTP-via-RADIUS implementation satisfies MFA requirements across major compliance frameworks. PCI DSS v4.0 Requirement 8.4.2 mandates MFA for all remote access into the cardholder data environment \\u2014 OATH TOTP via RADIUS satisfies this requirement. HIPAA Technical Safeguards require access controls for ePHI systems; MFA on VPN access is explicitly recommended in current HHS guidance. NIST SP 800-63B AAL2 requires a &#8220;something you have&#8221; authenticator \\u2014 OATH TOTP satisfies AAL2; hardware tokens provide the strongest AAL2 assurance. SOC 2 CC6.1 (logical access controls) and ISO 27001 A.9.4.2 (secure log-on procedures) are both addressed by documented, enforced MFA on remote access. The on-premise deployment option is specifically relevant where compliance assessors evaluate authentication data residency and processing location.\"}},{\"@type\":\"Question\",\"name\":\"Can MFA be applied only to specific Cisco AnyConnect user groups?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes, through multiple configuration methods. 
At the ASA level, each connection profile (tunnel group) can be assigned a different AAA server group \\u2014 allowing specific profiles to enforce RADIUS MFA while others use local or Active Directory authentication. Within the Protectimus platform, group-based policies allow MFA enforcement for specific user groups while different authentication policies apply to other groups. This flexibility supports phased rollouts \\u2014 starting MFA enforcement with privileged accounts and IT staff before extending to all users.\"}},{\"@type\":\"Question\",\"name\":\"What happens if a user loses their OTP token or smartphone?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Recovery depends on the authentication method. For Protectimus SMART OTP app users with cloud backup enabled, the user restores their token to a replacement device through the Protectimus self-service portal without administrator involvement. For hardware token loss, an administrator deactivates the lost token in the Protectimus admin console and provisions a replacement. In urgent scenarios, an administrator can temporarily disable MFA for a specific user account \\u2014 this action is time-limited, requires administrator authorization, and is recorded in the Protectimus audit log. Activating the self-service portal and enabling cloud backup in the SMART app before rollout is strongly recommended to minimize help desk dependency for routine device replacement scenarios.\"}},{\"@type\":\"Question\",\"name\":\"Does Protectimus support Cisco AnyConnect with on-premise deployment?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Yes. The Protectimus On-Premise Platform installs on Linux or Windows servers within your infrastructure \\u2014 physical hardware, on-premise VMware, or private cloud environments such as AWS or Azure. Minimum requirements: 2-core CPU, 8 GB RAM, 200 GB storage. 
For high availability, a minimum 3-node cluster with HAProxy load balancing is supported, with master-slave replication across nodes. No authentication data leaves your network at any point \\u2014 OTP validation, user management, and audit logging all occur locally. The on-premise deployment is appropriate for organizations under HIPAA, PCI DSS cardholder data environment requirements, NIST 800-63B\\\/FISMA frameworks, or any environment where network isolation or data residency requirements constrain the use of external authentication services.\"}}]}<\/script>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7534fb4 elementor-widget elementor-widget-html\" data-id=\"7534fb4\" data-element_type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<script type=\"application\/ld+json\">\r\n{\r\n  \"@context\": \"https:\/\/schema.org\",\r\n  \"@type\": \"HowTo\",\r\n  \"name\": \"How to Set Up MFA for Cisco AnyConnect with Protectimus\",\r\n  \"description\": \"Step-by-step setup of multi-factor authentication for Cisco AnyConnect VPN using Protectimus via RADIUS: platform setup, RADIUS Server installation and configuration, ASA\/Firepower AAA configuration, AnyConnect connection profile, and user enrollment. 
First authentication with MFA enforced is achievable within 2\u20134 hours for a standard single-domain deployment.\",\r\n  \"totalTime\": \"PT4H\",\r\n  \"estimatedCost\": {\r\n    \"@type\": \"MonetaryAmount\",\r\n    \"currency\": \"USD\",\r\n    \"value\": \"0\"\r\n  },\r\n  \"supply\": [\r\n    {\r\n      \"@type\": \"HowToSupply\",\r\n      \"name\": \"Cisco ASA or Firepower Threat Defense appliance with AnyConnect VPN configured\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToSupply\",\r\n      \"name\": \"Active Directory, LDAP, or local user directory for primary credential validation\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToSupply\",\r\n      \"name\": \"Linux or Windows server for the Protectimus RADIUS Server (or for the full On-Premise Platform)\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToSupply\",\r\n      \"name\": \"Network connectivity: UDP 1812\/1813 between ASA and RADIUS Server\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToSupply\",\r\n      \"name\": \"Administrative access to Cisco ASDM or Firepower Management Center (FMC)\"\r\n    }\r\n  ],\r\n  \"tool\": [\r\n    {\r\n      \"@type\": \"HowToTool\",\r\n      \"name\": \"Protectimus Cloud Service or Protectimus On-Premise Platform\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToTool\",\r\n      \"name\": \"Protectimus RADIUS Server\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToTool\",\r\n      \"name\": \"Cisco ASDM or Firepower Management Center (FMC)\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToTool\",\r\n      \"name\": \"Protectimus SMART OTP app, hardware token (Slim NFC, TWO, FLEX, SHARK), or Protectimus BOT\"\r\n    }\r\n  ],\r\n  \"step\": [\r\n    {\r\n      \"@type\": \"HowToStep\",\r\n      \"position\": 1,\r\n      \"name\": \"Set up the Protectimus platform or cloud service\",\r\n      \"text\": \"Register at protectimus.com for the cloud service, or install the Protectimus On-Premise Platform on your infrastructure. 
In the platform, create a Resource representing the AnyConnect VPN integration and note your API URL, Login, and API Key \u2014 they are required for the RADIUS Server configuration.\",\r\n      \"url\": \"https:\/\/protectimus.com\/mfa-for-cisco-anyconnect\/#step-1\",\r\n      \"image\": \"https:\/\/protectimus.com\/wp-content\/uploads\/2024\/07\/1.svg\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToStep\",\r\n      \"position\": 2,\r\n      \"name\": \"Install and configure the Protectimus RADIUS Server\",\r\n      \"text\": \"Install the Protectimus RADIUS Server on a Linux host (recommended) or Windows server accessible from the ASA. Edit the radius.yml configuration file with your Protectimus API credentials, RADIUS shared secret, ASA client IP, LDAP\/AD connection parameters, and listening port (UDP 1812). Start the RADIUS service and confirm it is listening. Verify firewall rules allow UDP 1812 and 1813 from the ASA to the RADIUS Server.\",\r\n      \"url\": \"https:\/\/protectimus.com\/mfa-for-cisco-anyconnect\/#step-2\",\r\n      \"image\": \"https:\/\/protectimus.com\/wp-content\/uploads\/2024\/07\/2.svg\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToStep\",\r\n      \"position\": 3,\r\n      \"name\": \"Configure the Cisco ASA AAA Server Group\",\r\n      \"text\": \"In Cisco ASDM, navigate to Configuration \u2192 Remote Access VPN \u2192 AAA\/Local Users \u2192 AAA Server Groups. Add a new AAA Server Group named 'protectimus' with Protocol set to RADIUS. Set Accounting Mode to Single, Reactivation Mode to Depletion, Dead Time 10, Max Failed Attempts 3. Add the Protectimus RADIUS Server with its IP, authentication port 1816, accounting port 1815, timeout 10s, and the matching shared secret. 
For Cisco Firepower via FMC, the equivalent path is Objects \u2192 Object Management \u2192 RADIUS Server Group \u2192 Add Group with identical parameters.\",\r\n      \"url\": \"https:\/\/protectimus.com\/mfa-for-cisco-anyconnect\/#step-3\",\r\n      \"image\": \"https:\/\/protectimus.com\/wp-content\/uploads\/2024\/07\/3.svg\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToStep\",\r\n      \"position\": 4,\r\n      \"name\": \"Configure the AnyConnect VPN connection\",\r\n      \"text\": \"In Cisco ASDM, open Wizards \u2192 VPN Wizards \u2192 AnyConnect VPN Wizard. Configure the connection profile name, VPN access interface, enable SSL and IPsec, and select or generate a device certificate. Add AnyConnect client image (.pkg) files. In the Authentication Methods step, select the 'protectimus' AAA Server Group. In the SAML Configuration step, set Authentication Method to AAA, select the protectimus AAA Server Group, leave SAML Server as None. Configure the client IP address pool and DNS settings, enable 'Exempt VPN traffic from network address translation' and 'Allow Web Launch', then review and finish.\",\r\n      \"url\": \"https:\/\/protectimus.com\/mfa-for-cisco-anyconnect\/#step-4\",\r\n      \"image\": \"https:\/\/protectimus.com\/wp-content\/uploads\/2024\/07\/4.svg\"\r\n    },\r\n    {\r\n      \"@type\": \"HowToStep\",\r\n      \"position\": 5,\r\n      \"name\": \"Enroll users and assign OTP tokens\",\r\n      \"text\": \"Add users to the Protectimus platform manually, via CSV import, or via LDAP sync with Active Directory. Assign tokens (Protectimus SMART OTP app, hardware tokens, or chatbot OTP) to users manually, or activate the Self-Service Portal so users can enroll and manage their own tokens. 
Run authentication tests with a pilot group before broader rollout.\",\r\n      \"url\": \"https:\/\/protectimus.com\/mfa-for-cisco-anyconnect\/#step-5\",\r\n      \"image\": \"https:\/\/protectimus.com\/wp-content\/uploads\/2024\/07\/5.svg\"\r\n    }\r\n  ]\r\n}\r\n<\/script>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-fe2c5b0 padded e-flex e-con-boxed e-con e-parent\" data-id=\"fe2c5b0\" data-element_type=\"container\" id=\"conclusion\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-e4ec716 e-con-full e-flex e-con e-child\" data-id=\"e4ec716\" data-element_type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-35746bf e-con-full e-flex e-con e-child\" data-id=\"35746bf\" data-element_type=\"container\">\n\t\t<div class=\"elementor-element elementor-element-489bd70 e-con-full e-flex e-con e-child\" data-id=\"489bd70\" data-element_type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-10cf0aa elementor-widget elementor-widget-heading\" data-id=\"10cf0aa\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Conclusion <\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6c0eeb4 elementor-widget elementor-widget-text-editor\" data-id=\"6c0eeb4\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span style=\"font-weight: 400;\">Cisco AnyConnect is a reliable remote access VPN client. Its security in 2026 depends entirely on what authentication controls the ASA or Firepower device enforces before granting a tunnel. 
Password-only authentication on an internet-facing VPN gateway is a documented initial access vector for ransomware operators \u2014 and one that scales efficiently with automated credential testing tools.<\/span><\/p><p><span style=\"font-weight: 400;\">The RADIUS integration path is technically straightforward. The Protectimus RADIUS Server installs in hours, the ASA AAA configuration requires a ten-minute ASDM walkthrough, and the result is enforced <\/span><b>two-factor authentication on Cisco AnyConnect<\/b><span style=\"font-weight: 400;\"> for every user across every connection profile \u2014 without changes to the AnyConnect client, the VPN tunnel configuration, or the existing directory infrastructure.<\/span><\/p><p><span style=\"font-weight: 400;\">Key decisions before deployment: cloud versus on-premise (data sovereignty and network isolation requirements determine this), authentication method (TOTP app for most environments, hardware tokens where mobile devices are restricted), and rollout sequence (phased by connection profile or user group to manage enrollment load and support impact).<\/span><\/p><p><span style=\"font-weight: 400;\">For organizations under PCI DSS, HIPAA, NIST 800-63B, or operating environments with network isolation requirements, the on-premise deployment is the architecturally appropriate choice. 
For standard enterprise deployments without regulatory data residency constraints, the cloud deployment provides a faster path to enforced <\/span><b>Cisco AnyConnect MFA<\/b><span style=\"font-weight: 400;\"> with lower operational overhead.<\/span><\/p><p><b>Ready to add MFA to your Cisco AnyConnect deployment?<\/b> <a href=\"https:\/\/www.protectimus.com\/uk\/contact\/\"><span style=\"font-weight: 400;\">Contact Protectimus<\/span><\/a><span style=\"font-weight: 400;\"> to discuss your ASA or Firepower environment, confirm RADIUS compatibility with your existing AAA infrastructure, and request a technical demo.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a3f81ec e-con-full contact-us-bg e-flex e-con e-child\" data-id=\"a3f81ec\" data-element_type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t<div class=\"elementor-element elementor-element-fb3d121 elementor-widget elementor-widget-shortcode\" data-id=\"fb3d121\" data-element_type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\t\t<div data-elementor-type=\"container\" data-elementor-id=\"14849\" class=\"elementor elementor-14849 elementor-3585\" data-elementor-post-type=\"elementor_library\">\n\t\t\t\t<div class=\"elementor-element elementor-element-3a82e0d1 e-con-full e-flex e-con e-child\" data-id=\"3a82e0d1\" data-element_type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b4de036 elementor-widget elementor-widget-image\" data-id=\"b4de036\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"370\" height=\"370\" 
src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2024\/05\/contact-seal.svg\" class=\"attachment-full size-full wp-image-5869\" alt=\"Send Us A Message icon\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1bc85d61 elementor-widget elementor-widget-heading\" data-id=\"1bc85d61\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Send us a message<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cf09046 elementor-widget elementor-widget-shortcode\" data-id=\"cf09046\" data-element_type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\">\n<div class=\"wpcf7 no-js\" id=\"wpcf7-f8427-o1\" lang=\"uk\" dir=\"ltr\" data-wpcf7-id=\"8427\">\n<div class=\"screen-reader-response\"><p role=\"status\" aria-live=\"polite\" aria-atomic=\"true\"><\/p> <ul><\/ul><\/div>\n<form action=\"\/uk\/wp-json\/wp\/v2\/pages\/16862#wpcf7-f8427-o1\" method=\"post\" class=\"wpcf7-form init\" aria-label=\"Contact form\" novalidate=\"novalidate\" data-status=\"init\">\n<fieldset class=\"hidden-fields-container\"><input type=\"hidden\" name=\"_wpcf7\" value=\"8427\" \/><input type=\"hidden\" name=\"_wpcf7_version\" value=\"6.1.2\" \/><input type=\"hidden\" name=\"_wpcf7_locale\" value=\"uk\" \/><input type=\"hidden\" name=\"_wpcf7_unit_tag\" value=\"wpcf7-f8427-o1\" \/><input type=\"hidden\" name=\"_wpcf7_container_post\" value=\"0\" \/><input type=\"hidden\" name=\"_wpcf7_posted_data_hash\" value=\"\" \/>\n<\/fieldset>\n<div 
class=\"protectimus-form\">\n\n<div class=\"row\">\n    <div class=\"col\">\n        <span class=\"wpcf7-form-control-wrap\" data-name=\"uname\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-text wpcf7-validates-as-required\" aria-required=\"true\" aria-invalid=\"false\" placeholder=\"Name\" value=\"\" type=\"text\" name=\"uname\" \/><\/span>\n    <\/div>\n<\/div>\n\n<div class=\"row\">\n    <div class=\"col\">\n        <span class=\"wpcf7-form-control-wrap\" data-name=\"email\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-email wpcf7-validates-as-required wpcf7-text wpcf7-validates-as-email\" aria-required=\"true\" aria-invalid=\"false\" placeholder=\"Email\" value=\"\" type=\"email\" name=\"email\" \/><\/span>\n    <\/div>\n<\/div>\n\n<div class=\"row\">\n    <div class=\"col\">\n        <span class=\"wpcf7-form-control-wrap\" data-name=\"subject\"><input size=\"40\" maxlength=\"400\" class=\"wpcf7-form-control wpcf7-text wpcf7-validates-as-required\" aria-required=\"true\" aria-invalid=\"false\" placeholder=\"Subject\" value=\"\" type=\"text\" name=\"subject\" \/><\/span>\n    <\/div>\n<\/div>\n\n<div class=\"row\">\n    <div class=\"col\">\n        <span class=\"wpcf7-form-control-wrap\" data-name=\"message\"><textarea cols=\"40\" rows=\"1\" maxlength=\"2000\" class=\"wpcf7-form-control wpcf7-textarea wpcf7-validates-as-required\" aria-required=\"true\" aria-invalid=\"false\" placeholder=\"Message\" name=\"message\"><\/textarea><\/span>\n    <\/div>\n<\/div>\n\n<div class=\"row\">\n    <div class=\"col mb-2\">\n        <input class=\"wpcf7-form-control wpcf7-submit has-spinner\" type=\"submit\" value=\"Send\" \/>\n    <\/div>\n<\/div>\n\n<\/div><div 
class=\"wpcf7-response-output\" aria-hidden=\"true\"><\/div>\n<\/form>\n<\/div>\n<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-2b9546a e-grid e-con-full equal-height equal-height-mob e-con e-child\" data-id=\"2b9546a\" data-element_type=\"container\">\n\t\t<a target=\"_blank\" target=\"_blank\" class=\"elementor-element elementor-element-cd07253 e-con-full four-link e-flex e-con e-child\" data-id=\"cd07253\" data-element_type=\"container\" href=\"https:\/\/service.protectimus.com\/en\/register\">\n\t\t\t\t<div class=\"elementor-element elementor-element-3d2527b eq-height elementor-widget elementor-widget-heading\" data-id=\"3d2527b\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Start free trial<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0bdcfdb elementor-widget elementor-widget-image\" data-id=\"0bdcfdb\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"28\" height=\"26\" src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2024\/02\/icon-arrow-big.svg\" class=\"attachment-full size-full wp-image-5702\" alt=\"Arrow icon\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/a>\n\t\t<a class=\"elementor-element elementor-element-cd18ec0 e-con-full four-link e-flex e-con e-child\" data-id=\"cd18ec0\" data-element_type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\" href=\"https:\/\/www.protectimus.com\/uk\/contact-us\/\">\n\t\t\t\t<div class=\"elementor-element elementor-element-089ffcb 
eq-height elementor-widget elementor-widget-heading\" data-id=\"089ffcb\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Contact sales<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4909302 elementor-widget elementor-widget-image\" data-id=\"4909302\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"28\" height=\"26\" src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2024\/02\/icon-arrow-big.svg\" class=\"attachment-full size-full wp-image-5702\" alt=\"Arrow icon\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/a>\n\t\t<a class=\"elementor-element elementor-element-60a0ab3 e-con-full four-link e-flex e-con e-child\" data-id=\"60a0ab3\" data-element_type=\"container\" href=\"https:\/\/www.protectimus.com\/uk\/pricing\/\">\n\t\t\t\t<div class=\"elementor-element elementor-element-caf7329 eq-height elementor-widget elementor-widget-heading\" data-id=\"caf7329\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Pricing details<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4610902 elementor-widget elementor-widget-image\" data-id=\"4610902\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"28\" height=\"26\" src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2024\/02\/icon-arrow-big.svg\" class=\"attachment-full size-full wp-image-5702\" alt=\"Arrow icon\" 
\/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/a>\n\t\t<a class=\"elementor-element elementor-element-a0fbc4a e-con-full four-link e-flex e-con e-child\" data-id=\"a0fbc4a\" data-element_type=\"container\" href=\"https:\/\/www.protectimus.com\/uk\/guides\/saas-service\/\">\n\t\t\t\t<div class=\"elementor-element elementor-element-78353c4 eq-height elementor-widget elementor-widget-heading\" data-id=\"78353c4\" data-element_type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<div class=\"elementor-heading-title elementor-size-default\">Integration guides<\/div>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-099691d elementor-widget elementor-widget-image\" data-id=\"099691d\" data-element_type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"28\" height=\"26\" src=\"https:\/\/www.protectimus.com\/wp-content\/uploads\/2024\/02\/icon-arrow-big.svg\" class=\"attachment-full size-full wp-image-5702\" alt=\"Arrow icon\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/a>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>MFA for Cisco AnyConnect: Complete Guide to Securing VPN Access 2026 Cisco AnyConnect handles remote access for millions of enterprise users \u2014 and it has no native second-factor enforcement. The client passes credentials to whatever authentication backend the ASA or Firepower device is configured to use. 
If that backend validates only a username and password, [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"class_list":["post-16862","page","type-page","status-publish","hentry"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.protectimus.com\/uk\/wp-json\/wp\/v2\/pages\/16862","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.protectimus.com\/uk\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.protectimus.com\/uk\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.protectimus.com\/uk\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/www.protectimus.com\/uk\/wp-json\/wp\/v2\/comments?post=16862"}],"version-history":[{"count":64,"href":"https:\/\/www.protectimus.com\/uk\/wp-json\/wp\/v2\/pages\/16862\/revisions"}],"predecessor-version":[{"id":17095,"href":"https:\/\/www.protectimus.com\/uk\/wp-json\/wp\/v2\/pages\/16862\/revisions\/17095"}],"wp:attachment":[{"href":"https:\/\/www.protectimus.com\/uk\/wp-json\/wp\/v2\/media?parent=16862"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}