Configuring the connection to the BlackBerry 2FA server on a Cisco ASA Series VPN gateway

If you are using a Cisco ASA Series VPN gateway, you can create the VPN profile using the information below. For detailed instructions on how to configure the VPN profile, visit http://www.cisco.com to read the Cisco ASA Series documentation.

When you create the profile, you must set the following options to support BlackBerry 2FA:
- For each BlackBerry 2FA server in your environment, create a RADIUS AAA Server Group with the following options:
  - IP address or FQDN of the computer that hosts the BlackBerry 2FA server
  - Timeout between 60 and 90 seconds for the connection between the VPN gateway and the BlackBerry 2FA server
  - Unique shared secret
  - Authentication port set to 1812
  - MS-CHAP v2 compatible
- For the connection between the VPN client on users' computers and the VPN gateway, set the timeout between 30 and 60 seconds. You must configure the timeout in the Cisco AnyConnect VPN client profile file (an XML file) that must be installed on users' computers.
- Password management option, if you are configuring the profile to support MS-CHAP v2 authentication
You must complete the following actions to finish the profile creation process:
- Enable the VPN tunnel payload encapsulation protocol (for example, the IPSEC-IKE v2 protocol)
- All the commands that are required for the associated VPN policy group
- All the commands that are required for the associated Cisco AnyConnect VPN client profile and the creation of the XML file itself
- All the commands that are required for the associated VPN tunnel group
You do not need to configure additional certificate authentication.
When you configure VPN gateway connectivity in the BlackBerry 2FA server, you must provide the RADIUS shared secret that you create in the VPN profile.
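
One way to check an exported ASA configuration against the RADIUS options listed above, as an added example (not BlackBerry's or Cisco's code). The configuration excerpt is constructed; the names BB2FA and BB2FA-VPN, the interface and the IP address are placeholders, and the script assumes the usual ASA `aaa-server` and `tunnel-group` command layout and reports any option that is not set explicitly.

```python
import re

# Constructed ASA running-config excerpt (not from the page). BB2FA, BB2FA-VPN,
# the interface name "inside" and 192.0.2.10 are placeholders.
SAMPLE = """\
aaa-server BB2FA protocol radius
aaa-server BB2FA (inside) host 192.0.2.10
 timeout 75
 key *****
 authentication-port 1812
tunnel-group BB2FA-VPN general-attributes
 authentication-server-group BB2FA
 password-management
"""

def blocks(config):
    """Map each top-level config line to the indented lines beneath it."""
    out, head = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and head is not None:
            out[head].append(line.strip())
        elif line.strip():
            head = line.strip()
            out.setdefault(head, [])
    return out

def audit(config):
    """Return findings where the config departs from the options listed above."""
    cfg, findings = blocks(config), []
    radius = {h.split()[1] for h in cfg if re.fullmatch(r"aaa-server \S+ protocol radius", h)}
    for head, body in cfg.items():
        host = re.fullmatch(r"aaa-server (\S+) \(\S+\) host \S+", head)
        if host and host.group(1) in radius:
            # Assumption: an option absent from the export counts as not set.
            opts = dict(l.partition(" ")[::2] for l in body)
            t = opts.get("timeout", "")
            if not (t.isdigit() and 60 <= int(t) <= 90):
                findings.append(f"{head}: timeout {t or 'not set'}, expected 60-90 seconds")
            if opts.get("authentication-port") != "1812":
                findings.append(f"{head}: authentication-port is not 1812")
            if "key" not in opts:
                findings.append(f"{head}: no shared secret (key) configured")
            if "no mschapv2-capable" in body:
                findings.append(f"{head}: MS-CHAP v2 is disabled")
        if re.fullmatch(r"tunnel-group \S+ general-attributes", head):
            used = {m.group(1) for l in body
                    if (m := re.match(r"authentication-server-group (?:\(\S+\) )?(\S+)", l))}
            if used & radius and not any(l.startswith("password-management") for l in body):
                findings.append(f"{head}: password-management missing (needed for MS-CHAP v2)")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "all checked options match")
```

The export usually masks the key, so the script can confirm that a shared secret is present but not that it is unique per server group.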