Cisco Anyconnect 2FA
Alan DeKok
aland at deployingradius.com
Tue Jan 10 16:17:20 CET 2017
On Jan 10, 2017, at 1:15 AM, Stefan Schlesinger <sts at ono.at> wrote:
> I was successfully able to test Cisco Anyconnect with Access-Challenge
> responses. The client will automatically bring up a new dialog where one is
> able to enter the challenge. The challenge will be sent in a second request in
> the same radius session, again in the User-Password field.
That's better.
> I still have one more problem: my authentication backend (Keycloak) requires me
> to verify username, password and the token at the same time.
> I was thinking about writing a Perl authenticator for OpenID Connect with OTP
> tokens, but therefore I’d need to find a way to cache the User-Password field from
> the initial Access-Request, to verify it together with the provided OTP token from
> the Access-Challenge response.
In v3.0.12, cache the password in session-state.
    if (!&session-state:User-Password) {
        update session-state {
            User-Password := &request:User-Password
        }
    }
    else {
        # it's the second time around...
    }
Alan DeKok.
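The exchange described in this thread, as an added example that is not part of the original post or of FreeRADIUS: a small Python model of the server side of the challenge flow. The first Access-Request carries the real password, the server caches it in a per-session store keyed by the State attribute (the role session-state plays in the unlang above) and answers Access-Challenge; the second request carries the OTP in User-Password, and the server then hands username, cached password and OTP to the backend in one call. The backend, user table, HOTP secret and the names ChallengeServer, OtpBackend and hotp are all assumptions made for the example; the HOTP routine follows RFC 4226.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpBackend:
    """Stand-in for a backend (like Keycloak in the thread) that must see
    username, password and token in the same verification call."""

    def __init__(self, users: dict, window: int = 3):
        self.users = users          # constructed user table, see below
        self.window = window        # how many counters ahead we tolerate

    def verify(self, username: str, password: str, otp: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        # constant-time compare; evaluate both factors before deciding
        pw_ok = hmac.compare_digest(user["password"].encode(), password.encode())
        otp_ok = False
        for c in range(user["counter"], user["counter"] + self.window):
            if hmac.compare_digest(hotp(user["secret"], c), otp):
                otp_ok = True
                user["counter"] = c + 1   # never accept the same token twice
                break
        return pw_ok and otp_ok


@dataclass
class Response:
    code: str     # "Access-Challenge", "Access-Accept" or "Access-Reject"
    attrs: dict


class ChallengeServer:
    """Models the two-round RADIUS exchange: password first, OTP second."""

    def __init__(self, backend: OtpBackend):
        self.backend = backend
        self.sessions = {}   # State value -> cached session-state attributes

    def handle(self, request: dict) -> Response:
        state = request.get("State")
        if state is None or state not in self.sessions:
            # First round: nothing cached yet, so store the password and
            # challenge for the token (the 'if (!&session-state:User-Password)'
            # branch of the unlang in the reply above).
            state = secrets.token_hex(16)
            self.sessions[state] = {
                "User-Name": request["User-Name"],
                "User-Password": request["User-Password"],
            }
            return Response("Access-Challenge",
                            {"State": state, "Reply-Message": "Enter your OTP token"})

        # Second round: User-Password now carries the OTP. The cached entry is
        # removed immediately so a State value cannot be replayed.
        cached = self.sessions.pop(state)
        if cached["User-Name"] != request.get("User-Name"):
            return Response("Access-Reject", {})
        ok = self.backend.verify(cached["User-Name"],
                                 cached["User-Password"],
                                 request["User-Password"])
        return Response("Access-Accept" if ok else "Access-Reject", {})


# Constructed sample data: the HOTP secret is the RFC 4226 test-vector key.
SAMPLE_USERS = {
    "alice": {"password": "correct horse", "secret": b"12345678901234567890", "counter": 0},
}


def run_exchange(server: ChallengeServer, username: str, password: str, otp: str) -> str:
    """Drive both rounds for one login and return the final response code."""
    first = server.handle({"User-Name": username, "User-Password": password})
    if first.code != "Access-Challenge":
        return first.code
    second = server.handle({"User-Name": username, "User-Password": otp,
                            "State": first.attrs["State"]})
    return second.code


if __name__ == "__main__":
    srv = ChallengeServer(OtpBackend(SAMPLE_USERS))
    print(run_exchange(srv, "alice", "correct horse", hotp(b"12345678901234567890", 0)))
```

A real deployment keys the cache on the State attribute exactly as this model does, but also expires entries that never see a second round; in FreeRADIUS that is what the session-state list and its timeout give you for free.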