Cisco Anyconnect 2FA
Stefan Schlesinger
sts at ono.at
Thu Jan 5 23:52:18 CET 2017
Hi,
we are trying to implement 2FA for Cisco ASA Anyconnect VPN clients.
The ASA supports a “secondary password” input, so the dialog asks for a username, a password and another password. The ASA is going to fire off an Access-Request for each of the passwords: the first one with the user's password and, if successful, a subsequent request which should contain the one-time authentication token.
We haven't yet figured out how to authenticate the subsequent request against a different authentication module, especially because they both look the same apart from the Request Id.
Can anyone help with how to handle the latter differently from the first request in an unlang config?
Thanks for your help!
Stefan
rad_recv: Access-Request packet from host 10.30.9.1 port 8272, id=66, length=611
User-Name = "admin"
User-Password = "supersecret"
NAS-Port = 491520
Called-Station-Id = "1.2.3.4"
Calling-Station-Id = "2.3.4.5"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "2.3.4.5"
Cisco-AVPair = "mdm-tlv=device-platform=mac-intel"
Cisco-AVPair = "mdm-tlv=device-type=MacBookPro11,1"
Cisco-AVPair = "mdm-tlv=device-mac=aa-aa-aa-aa-aa-aa"
Cisco-AVPair = "mdm-tlv=device-mac=bb-bb-bb-bb-bb-bb"
Cisco-AVPair = "mdm-tlv=device-platform-version=10.11.6"
Cisco-AVPair = "mdm-tlv=ac-user-agent=AnyConnect"
Cisco-AVPair = "mdm-tlv=device-uid=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
NAS-IP-Address = 10.30.9.1
Cisco-AVPair = "audit-session-id=c0a800000000000000000000"
Cisco-AVPair = "ip:source-ip=2.3.4.5"
Vendor-3076-Attr-146 = 0x43454e5452414c
Vendor-3076-Attr-150 = 0x00000002
Cisco-AVPair = "coa-push=true"
rad_recv: Access-Request packet from host 10.30.9.1 port 8272, id=67, length=611
User-Name = "admin"
User-Password = "2fa-otp-token"
NAS-Port = 491520
Called-Station-Id = "1.2.3.4"
Calling-Station-Id = "2.3.4.5"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "2.3.4.5"
Cisco-AVPair = "mdm-tlv=device-platform=mac-intel"
Cisco-AVPair = "mdm-tlv=device-type=MacBookPro11,1"
Cisco-AVPair = "mdm-tlv=device-mac=aa-aa-aa-aa-aa-aa"
Cisco-AVPair = "mdm-tlv=device-mac=bb-bb-bb-bb-bb-bb"
Cisco-AVPair = "mdm-tlv=device-platform-version=10.11.6"
Cisco-AVPair = "mdm-tlv=ac-user-agent=AnyConnect"
Cisco-AVPair = "mdm-tlv=device-uid=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
NAS-IP-Address = 10.30.9.1
Cisco-AVPair = "audit-session-id=c0a800000000000000000000"
Cisco-AVPair = "ip:source-ip=2.3.4.5"
Vendor-3076-Attr-146 = 0x43454e5452414c
Vendor-3076-Attr-150 = 0x00000002
Cisco-AVPair = "coa-push=true"
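One way to tell the two requests apart, as an added example (not from the original post and not FreeRADIUS's shipped configuration): use rlm_cache to remember that the first factor succeeded for a given user and endpoint, and route the next matching request to the OTP module. Assumed here: FreeRADIUS 3.0.x, an `ldap` instance for the primary password, a module instance called `otp_check` for the token, and the instance name `cache_2fa`.

```unlang
# --- mods-available/cache_2fa (assumed instance name) --------------------
cache cache_2fa {
    driver = "rlm_cache_rbtree"
    # Both Access-Requests from the ASA carry identical User-Name,
    # Calling-Station-Id and NAS-Port, so together they identify one login.
    key = "%{User-Name}|%{Calling-Station-Id}|%{NAS-Port}"
    # Stage 2 must arrive within this window, otherwise the user starts over.
    ttl = 30
    update {
        # Merged into the control list on a cache hit: "stage 1 already passed".
        &control:Tmp-String-0 := "second-factor"
    }
}

# --- sites-enabled/default (relevant sections only) ----------------------
authorize {
    preprocess
    # Lookup only: never create an entry from an unauthenticated request.
    update control { &Cache-Status-Only := yes }
    cache_2fa
    if (notfound) {
        # First request: User-Password is the user's directory password.
        ldap
        update control { &Auth-Type := LDAP }
    }
    elsif (ok) {
        # Second request: stage 1 passed for this key, so User-Password is the OTP.
        update control { &Auth-Type := otp }
    }
}

authenticate {
    Auth-Type LDAP { ldap }
    # otp_check: whatever validates the token (rlm_linotp, rlm_yubikey, exec ...).
    Auth-Type otp { otp_check }
}

post-auth {
    # Re-enable inserts/deletes for the calls below.
    update control { &Cache-Status-Only !* ANY }
    if (&control:Auth-Type == otp) {
        # Stage 2 succeeded: drop the marker (Cache-TTL := 0 deletes the entry in 3.0.x).
        update control { &Cache-TTL := 0 }
        cache_2fa
    }
    else {
        # Stage 1 succeeded: insert the marker so the next request is treated as stage 2.
        cache_2fa
    }
}
```

A stage 2 that never arrives, and two logins by the same user from the same client address within the TTL, are only bounded by `ttl`, so test the failure paths against the ASA before relying on this.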
More information about the Freeradius-Users mailing list