Cisco Anyconnect 2FA

Stefan Schlesinger sts at
Tue Jan 10 07:15:56 CET 2017

On 07 Jan 2017, at 12:58, Stefan Schlesinger <sts at> wrote:
>> On 07 Jan 2017, at 12:08, Muenz, Michael <m.muenz at> wrote:
>> On 05.01.2017 at 23:52, Stefan Schlesinger wrote:
>> Do you really want to use the secondary password option?
> Not necessarily, I will try to find out whether the ASA supports the
> Access-Challenge pattern as well. It's just one of the ways Duo has
> implemented this on the ASA side.

I was successfully able to test Cisco Anyconnect with Access-Challenge
responses. The client will automatically bring up a new dialog where one is
able to enter the challenge. The challenge will be sent in a second request in
the same radius session, again in the User-Password field.

I still have one more problem: my authentication backend (Keycloak) requires me
to verify username, password and the token at the same time.
I was thinking about writing a Perl authenticator for OpenID Connect with OTP
tokens, but therefore I’d need to find a way to cache the User-Password field from
the initial Access-Request, to verify it together with the provided OTP token from
the Access-Challenge response.

Any hints?

Best, Stefan
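The two-round flow described above, as an added illustration that is not code from the thread or from FreeRADIUS: the first Access-Request caches User-Password under a random, single-use, short-lived State attribute and answers with Access-Challenge; the second request carries State plus the OTP in User-Password, and only then are password and OTP handed to the backend together. Packets are plain dicts, and `backend_verify` with its `BACKEND` table is a constructed stand-in for the Keycloak check, not a real client.

```python
import os
import time
import hmac

# Constructed stand-in for the backend: username -> (password, current OTP).
BACKEND = {"alice": ("correct horse", "123456")}


def backend_verify(user, password, otp):
    """Stand-in for a backend that must see password and OTP in one call."""
    expected = BACKEND.get(user)
    if expected is None:
        return False
    return (hmac.compare_digest(password, expected[0])
            and hmac.compare_digest(otp, expected[1]))


class ChallengeAuthenticator:
    """Two-round authentication: cache the password under a State attribute,
    answer Access-Challenge, then verify password + OTP on the second round."""

    def __init__(self, ttl=60):
        self.ttl = ttl          # seconds a cached password may wait for its OTP
        self.pending = {}       # State -> (user, password, expiry)

    def handle(self, request):
        now = time.time()
        # Expire stale entries first so cached passwords never linger.
        self.pending = {s: v for s, v in self.pending.items() if v[2] > now}
        user = request["User-Name"]
        secret = request["User-Password"]   # password in round 1, OTP in round 2
        state = request.get("State")
        if state is None:
            # Round 1: remember the password, ask the client for the token.
            state = os.urandom(16).hex()
            self.pending[state] = (user, secret, now + self.ttl)
            return {"code": "Access-Challenge", "State": state,
                    "Reply-Message": "Enter OTP"}
        # Round 2: State is single use and must belong to the same user.
        entry = self.pending.pop(state, None)
        if entry is None or entry[0] != user:
            return {"code": "Access-Reject"}
        cached_user, cached_password, _ = entry
        if backend_verify(cached_user, cached_password, secret):
            return {"code": "Access-Accept"}
        return {"code": "Access-Reject"}
```

A replayed or expired State is rejected, so a captured password never stays resident beyond the TTL or survives a successful second round.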

More information about the Freeradius-Users mailing list