Remote VPN - two-factor authentication with Cisco ASA + OpenLDAP

certificate vpn ldap cisco cisco-asa

Isn't phone-based auth an option? I prefer that because it's much less of a maintenance burden than certs. For example, to allow someone new to use VPN, you just fill his/her phone number in LDAP, then maybe add him/her to the VPN-enabled users group (if you do that kind of filtering at all), and that's it. Whereas with certs you have to generate a cert, then give it to the user, and then the user needs to take care of it. OTOH a cellphone is pretty much natural for everyone to have.

So I went with phone-based two factor authentication, maybe it'll also help you in some way.

Cisco AnyConnect with Active Directory and Azure Multi-Factor Auth

It's rather easy to do, you can do it all from the GUI. But it's based on AD. Though MSAF supposedly supports LDAP as well, so it should be doable for you, too. Only caveat is that Azure phone calls cost money, either $1.4/user/month or $1.4/10 calls. I'd say it's quite negligible.

Related

how to monitor select processes on centos 5.x host?
Reduce number of Apache processes
Most common Unix/Linux shell
Reporting Penetration Attempts to My Server
Can I safely create new Virtual Machines from copies of VHD without sysprep?
Only allow owner to delete file in shared network drive Windows
Why am I only achieving 2.5Gbps over a 10Gbe direct connection between 2 machines?
RAM disk and physical RAID
no disk io but iowait very high
filtering event logs with specific TIME range of ANY day
Validating GPG key signature authenticity
Restoring a Cisco router config using a config file