Cisco Anyconnect 2FA
Alan DeKok
aland at deployingradius.com
Fri Jan 6 03:58:40 CET 2017
On Jan 5, 2017, at 5:52 PM, Stefan Schlesinger <sts at ono.at> wrote:
> we are trying to implement 2FA for Cisco ASA Anyconnect VPN clients.
>
> The ASA supports a “secondary password” input, so the dialog asks for a username, a password and another password. The ASA is going to fire off an Access-Request for each of the passwords. The first one with the users password and if successful, a subsequent request, which should contain the one time authentication token.
How are the two requests correlated? i.e. how do you know that they're both for the same connection attempt?
> We couldn’t figure out yet how to authenticate the subsequent request against a different authentication module, especially because they both look the same, besides the Request Id.
That's a problem then.
> Can anyone help out how to handle the latter different from the first request in an unlang config?
If you can't tell them apart, then there's no magic policies which can tell them apart.
You'll need to write policies which track the connection attempts, likely keyed by MAC address. You'll need to store the connection attempts in a database, (or rlm_cache), and check them there.
In pseudo-code:

    expire database entries for this mac which are more than 1 minute old

    if (no database entry for mac) {
        must be first password...
        check first password
        if fail, reject
        otherwise store MAC / timestamp in database
        return access-accept
    }

    delete database entry for this mac
    check second password
    if fail, reject
    else return access-accept.
TBH, this is what Access-Challenge should be used for. RADIUS has supported challenge-response since 1993 or so. It's stupid to re-invent a *worse* system. And not only worse, stupidly worse. It would have been trivial for them to add an attribute to let you differentiate the two packets. But no... it has to be done the worst possible way....
Alan DeKok.
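The tracking policy sketched in the pseudo-code above, written out as FreeRADIUS 3.0 unlang with rlm_cache as the store. This is an added example, not code from the original post or from the FreeRADIUS project. The cache instance name anyconnect_stage, the Auth-Type names first_factor and second_factor, and the module names ldap and otp_backend are placeholders to be replaced with whatever checks the primary password and the one-time token; Calling-Station-Id is used as the per-client key in place of the MAC address mentioned above (check in debug output what the ASA actually sends there); deleting an entry by setting a negative Cache-TTL relies on rlm_cache's documented control attributes and should be confirmed against the running version.

```unlang
# mods-enabled/anyconnect_stage  (instance name is a placeholder)
cache anyconnect_stage {
	driver = "rlm_cache_rbtree"

	# One state entry per client.  Assumption: the ASA fills in
	# Calling-Station-Id; adjust the key if it does not.
	key = "%{Calling-Station-Id}"

	# Entry lifetime in seconds ("more than 1 minute old" above).
	ttl = 60

	# Stored on insert, restored on lookup: the User-Name that passed
	# the first factor, so the token request is tied to the same login
	# and not merely to the same address.
	update {
		&control:Tmp-String-0 := &request:User-Name
	}
}

# sites-enabled/<virtual server>  (relevant sections only)
authorize {
	preprocess

	# Without a key there is nothing to correlate on; refuse rather
	# than let every request look like a first-password request.
	if (!&Calling-Station-Id) {
		reject
	}

	# Look the entry up without creating one.
	update control {
		&Cache-Status-Only := yes
	}
	anyconnect_stage
	if (notfound) {
		# No entry: this must be the first password.
		update control {
			&Auth-Type := first_factor
		}
	}
	else {
		# Entry exists: this is the one-time token, and it must be
		# for the user who passed the first password.
		if (&control:Tmp-String-0 != &User-Name) {
			reject
		}
		update control {
			&Auth-Type := second_factor
		}
	}
}

authenticate {
	Auth-Type first_factor {
		ldap            # placeholder: module checking the primary password
	}
	Auth-Type second_factor {
		otp_backend     # placeholder: module validating the one-time token
	}
}

post-auth {
	# Let the cache module insert and delete again.
	update control {
		&Cache-Status-Only !* ANY
	}
	if (&control:Auth-Type == first_factor) {
		# First password accepted: record the entry so the next
		# request from this client is treated as the token.
		anyconnect_stage
	}
	else {
		# Token accepted: drop the entry so a later attempt starts over.
		update control {
			&Cache-TTL := -1
		}
		anyconnect_stage
	}

	Post-Auth-Type REJECT {
		# Any failure clears the state, so a retry has to present the
		# first password again instead of getting a second try at the token.
		update control {
			&Cache-Status-Only !* ANY
			&Cache-TTL := -1
		}
		anyconnect_stage
	}
}
```

Two points of the design are worth keeping even if the store is swapped for SQL: the state must be cleared on every rejection, not only on success, or a client that got the first password right keeps its token window open across failed guesses; and the stored User-Name check stops a second request that merely arrives from the same address within the window from being accepted as the token for somebody else's login.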
More information about the Freeradius-Users mailing list