Cisco Anyconnect 2FA

Muenz, Michael m.muenz at
Sat Jan 7 12:08:17 CET 2017

Am 05.01.2017 um 23:52 schrieb Stefan Schlesinger:
> Hi,
> we are trying to implement 2FA for Cisco ASA Anyconnect VPN clients.
> The ASA supports a “secondary password” input, so the dialog asks for a username, a password and another password. The ASA is going to fire off an Access-Request for each of the passwords. The first one with the users password and if successful, a subsequent request, which should contain the one time authentication token.
> We couldn’t figure out yet how to authenticate the subsequent request against a different authentication module, especially because they both look the same, besides the Request Id.
> Can anyone help out how to handle the latter different from the first request in an unlang config?
Do you really want to use the econdary password option?
I'd rather use a real 2FA system like privacyIDEA which uses FreeRadius.


More information about the Freeradius-Users mailing list