On 07 Jan 2017, at 12:58, Stefan Schlesinger <sts@ono.at> wrote:
On 07 Jan 2017, at 12:08, Muenz, Michael <m.muenz@spam-fetish.org> wrote: Am 05.01.2017 um 23:52 schrieb Stefan Schlesinger: Do you really want to use the econdary password option?
Not necessarily, I will try to find out whether the ASA supports the Access-Challenge pattern as well. Its just one of the ways Duo has implemented this on the ASA side.
I was successfully able to test Cisco Anyconnect with Access-Challenge responses. The client will automatically bring up a new dialog where one is able to enter the challenge. The challenge will be send in a second request in the same radius session, again in the User-Password field. I still have one more problem: my authentication backend (Keycloak) requires me to verify username, password and the token at the same time. I was thinking about writing a Perl authenticator for OpenID Connect with OTP tokens, but therefore I’d need to find a way to cache the User-Password field from the initial Access-Request, to verify it together with the provided OTP token from the Access-Challenge response. Any hints? Best, Stefan