Skip to main content
Skip table of contents

Set up Nexus OTP as 2FA for Cisco ASA

This article describes how to enable Nexus OTP in Smart ID Digital Access component as two-factor authentication method for Cisco ASA, to replace static passwords. 

Nexus OTP can be either Nexus TruID Synchronized or Smart ID Mobile App OTP, or any other OATH-based mobile OTP application, such as Google Authenticator or Microsoft Authenticator. 

With the setup described in this article, Digital Access functions as a RADIUS server and Cisco ASA as a RADIUS client. Nexus TruID is used as an example below and is available for iOS, Android, and Windows.

Network schematic for Nexus OTP authentication

Network schematic with Nexus TruID Synchronized as an example.


  1. The end user starts the TruID client and enters the PIN in TruID to generate an OTP.
  2. Cisco ASA requests the end user to enter username, password and OTP.
  3. The end user enters username, domain password and OTP.
  4. The domain credentials are validated by the Active Directory.
  5. The OTP authentication request is relayed to Digital Access Authentication Server via RADIUS.
  6. The authentication server validates the OTP with the associated TruID token and PIN from the user database.
  7. Upon successful validation, the authentication server responds with successful authentication to Cisco ASA.

Cisco ASA provides access to the end user.

  Make settings in Digital Access

Log in to Digital Access Admin
  1. Log in to Digital Access Admin with an administrator account.
Add Cisco ASA as a RADIUS client

In step 3, enter the IP Address of the RADIUS Client (Cisco ASA) and the Shared Secret Key.

  1. In Digital Access Admin, go to Manage System.
  2. Click RADIUS Configuration > Add RADIUS Client...
  3. Enter General Settings and Attributes. Click the ?-sign for help.
  4. Click Save.
Enable authentication method

Nexus TruID Synchronized is used as an example. Other Nexus OTP authentication methods are enabled in a similar way.

  • In step 3, select Nexus Synchronized as method.
  • When the default RADIUS replies are shown, click Next. You can also add your custom RADIUS replies or modify the default replies if required.

To add a new authentication method:

  1. In Digital Access Admin, go to Manage System.
  2. Click Authentication Methods.
  3. Click Add authentication method..., select the desired method and click Next.

  4. Enter Display Name, a unique name used in the system to identify the authentication method.
  5. Select if the method shall be enabled and if it shall be visible in authentication menu.
  6. Register Authentication Methods Server when applicable.
  7. Make other configurations as needed for the selected authentication method. For more information , click the ?-sign. Click Next.
  8. If needed, make settings in RADIUS Replies and Extended Properties.
  9. Click Next and Finish.
  10. Click Publish.

Make settings in Cisco ASA

Add Digital Access as RADIUS Server
  1. Log in to Cisco ASDM.
  2. Go to Configuration and Remote Access VPN, expand AAA/Local Users and click AAA Server Groups.

  3. In AAA Server Groups click Add, enter a name for the Server Group and select RADIUS as Protocol. Click OK to save.

  4. Click Add in the Servers in the Selected Group section. Select Interface Name, enter Server Name or IP Address, Server Authentication Port (check port number and IP address for the authentication method in your Digital Access configuration) and Shared Secret Key. Click OK to save.

  5. Expand Clientless SSL VPN Access. Click Connection Profiles and then click Add (below Connection Profiles) and enter the parameters according to the picture below. Enable Login Page Setting, by checking Allow user to select connection profile, identified by its alias, on the logon page.

  6. Enter a name for the Connection Profile, add the correct AAA Server Group to it.

  7. Expand the Advanced tree and click Clientless SSL VPN (click Yes on the warning about DNS name if displayed) and click Add below Connection Aliases. Enter Alias name and click OK to save the Alias. Finally click OK to save the Clientless SSL VPN Connection Profile.

  8. Click Apply to publish the configuration.

Examples: Log in to Cisco ASA

The following examples show how an end user logs in, using Nexus TruID synchronized. Other Nexus OTP methods can be used in a similar way. 

Example: Use Nexus TruID as 2FA to log in to Cisco ASA
  1. Start Nexus TruID that is installed on your laptop or smartphone - Enter your PIN to generate an OTP.

  2. Enter Key-In domain login id and password along with Nexus TruID OTP.

Example: Use Nexus TruID as 2FA with Cisco IPSec client
  1. Start Nexus TruID that is installed on your laptop or smartphone - Enter your PIN to generate an OTP.

  2. Enter Key-In domain login id and password along with Nexus TruID OTP.

Related information

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.