Cisco Anyconnect 2FA

Alan DeKok aland at
Fri Jan 6 03:58:40 CET 2017

On Jan 5, 2017, at 5:52 PM, Stefan Schlesinger <sts at> wrote:
> we are trying to implement 2FA for Cisco ASA Anyconnect VPN clients.
> The ASA supports a “secondary password” input, so the dialog asks for a username, a password and another password. The ASA is going to fire off an Access-Request for each of the passwords. The first one with the users password and if successful, a subsequent request, which should contain the one time authentication token.

  How are the two requests corrected?  i.e. how do you know that they're both for the same connection attempt?

> We couldn’t figure out yet how to authenticate the subsequent request against a different authentication module, especially because they both look the same, besides the Request Id.

  That's a problem then.

> Can anyone help out how to handle the latter different from the first request in an unlang config?

  If you can't tell them apart, then there's no magic policies which can tell them apart.

  You'll need to write policies which track the connection attempts, likely keyed by MAC address.  You'll need to store the connection attempts in a database, (or rlm_cache), and check them there.

   In pseudo-code:

	expire database entries for this mac which are more than 1 minute old

	if (no database entry for mac) {
		must be first password...
		check first password
		if fail, reject

		otherwise store MAC / timestamp in database
		return access-accept

	delete database entry for this mac

	check second password
	if fail, reject

	else return access-accept.

  TBH, this is what Access-Challenge should be used for.  RADIUS has supported challenge-response since 1993 or so.  It's stupid to re-invent a *worse* system.  And not only worse, stupidly worse.  It would have been trivial for them to add an attribute let you differentiate the two packets.  But no... it has to be done the worst possible way....

  Alan DeKok.

More information about the Freeradius-Users mailing list