Cisco Anyconnect 2FA

Alan DeKok aland at
Tue Jan 10 16:17:20 CET 2017

On Jan 10, 2017, at 1:15 AM, Stefan Schlesinger <sts at> wrote:
> I was successfully able to test Cisco Anyconnect with Access-Challenge
> responses. The client will automatically bring up a new dialog where one is
> able to enter the challenge. The challenge will be send in a second request in
> the same radius session, again in the User-Password field.

  That's better.

> I still have one more problem: my authentication backend (Keycloak) requires me
> to verify username, password and the token at the same time.
> I was thinking about writing a Perl authenticator for OpenID Connect with OTP
> tokens, but therefore I’d need to find a way to cache the User-Password field from
> the initial Access-Request, to verify it together with the provided OTP token from
> the Access-Challenge response.

  In v3.0.12, cache the password in session-state.

	if (!&session-state:User-Password) {
		update session-state {
			User-Password := &request:User-Password
	else {
		# it's the second time around...

  Alan DeKok.

More information about the Freeradius-Users mailing list