On Jan 10, 2017, at 1:15 AM, Stefan Schlesinger <sts@ono.at> wrote:
I was successfully able to test Cisco Anyconnect with Access-Challenge responses. The client will automatically bring up a new dialog where one is able to enter the challenge. The challenge will be send in a second request in the same radius session, again in the User-Password field.
That's better.
I still have one more problem: my authentication backend (Keycloak) requires me to verify username, password and the token at the same time. I was thinking about writing a Perl authenticator for OpenID Connect with OTP tokens, but therefore I’d need to find a way to cache the User-Password field from the initial Access-Request, to verify it together with the provided OTP token from the Access-Challenge response.
In v3.0.12, cache the password in session-state. if (!&session-state:User-Password) { update session-state { User-Password := &request:User-Password } } else { # it's the second time around... } Alan DeKok.