8263 Views, 10 Helpful, 19 Replies

Integration of Cisco VPN with OTP system (One Time Password)

Farooq Razzaque
Level 1

Dear

I have a requirement to integrate the Cisco VPN (Cisco VPN Client for Remote Access IPSec VPNs etc.) with OTP system (One Time Password).

 

Does anyone have any idea how to achieve this?

19 Replies

Do you really want to migrate to OTP with the old VPN client that's not supported any more? I would recommend to migrate to AnyConnect with OTP. For that, my favorite System is Duosecurity, but there are many more on the market.

Hi Karsten

Thanks for the reply.

I already have an OTP system deployed in my network. And I already have remote access VPN configured on the ASA, which is currently integrated with RSA (two-factor authentication). Now I have a requirement to integrate a few selected users (I think these users can be created locally on the OTP system) who are using Remote Access VPN with the currently deployed OTP system. I want to know what configuration needs to be done on the ASA.

 

Dear Karsten

I would appreciate it if you could spare some time to reply to the previous mail.

Does anyone else have any experience with this? Please share.

I would appreciate it if someone from Cisco could also respond.

I've never integrated OTP to the old IPSec client (and I also don't like RSA ... ;-) ). So I can't help any further with that.

Dear Karsten

OK. With which IPsec client did you integrate OTP?

Only with AnyConnect. There I used Duosecurity and, some time ago, also Yubikeys. Both worked fine.

Are Duosecurity and Yubikeys the OTP system?

Can you share the config you did on the ASA to integrate AnyConnect with Duosecurity and Yubikeys?

Duosecurity.com is an OTP provider; they operate the OTP servers. Here are guides on how to integrate it with SSL-VPN and the legacy IPsec client:

https://www.duosecurity.com/docs/cisco

https://www.duosecurity.com/docs/cisco-ipsec

Yubico had an OTP server that is not maintained any more. Now they produce the keys ("tokens") and use other OTP servers:

https://www.yubico.com/products/services-software/yubiradius/technical-description/

Dear Karsten

Thanks for your response.

Does anyone else have any experience with this? Please share.

I would appreciate it if someone from Cisco could also respond.

 

Dear Karsten

After the integration of the Remote Access VPN client/SSL VPN/AnyConnect with OTP, is it possible that the VPN client will first prompt only for the username (with the password field grayed out, left blank, or not shown), and when I click OK after entering the username it will then prompt for the OTP password?

My OTP server supports the HTTP protocol. Is it possible to integrate the remote access VPN client with the OTP server using the HTTP protocol?

Dear Karsten

I would appreciate it if you could spare some time to respond to the requested query.

I don't think that this will be possible. To make it easy for the user, I prefer the way where the user only sees his username and the two password fields. For the OTP, at least LDAP and RADIUS or the native RSA protocol can be used. I have not seen HTTP on the list of supported protocols. Perhaps there are some integration documents from your OTP vendor on how to connect from the ASA?
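The username-plus-two-password-fields flow described in the reply above, as an added ASA configuration example (not taken from this thread, from Cisco documentation, or from any OTP vendor's guide). It assumes an existing LDAP directory as the first factor, an OTP server that speaks RADIUS, and placeholder names, addresses and secrets (AD-LDAP, OTP-RADIUS, OTP-USERS, 192.0.2.x) that must be replaced with real values:

```text
! Added example: ASA "double authentication" for a dedicated OTP tunnel-group.
! The first password field is checked against the directory (assumed LDAP group
! "AD-LDAP"); the second password field is sent to the OTP server over RADIUS.
! All names, addresses and keys below are placeholders chosen for this example.

! First factor: existing directory
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.20
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft

! Second factor: the OTP server, reached over RADIUS (the ASA cannot talk
! to an OTP server over HTTP for client-based VPN)
aaa-server OTP-RADIUS protocol radius
aaa-server OTP-RADIUS (inside) host 192.0.2.10
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813
 ! OTP servers that wait for a user action need a longer timeout than the
 ! default; a too-short value makes every login fail even with a valid code.
 timeout 60

! Only the selected users connect through this tunnel-group; the existing
! RSA-backed tunnel-group stays unchanged for everyone else.
tunnel-group OTP-USERS type remote-access
tunnel-group OTP-USERS general-attributes
 authentication-server-group AD-LDAP
 secondary-authentication-server-group OTP-RADIUS
 default-group-policy VPN-POLICY
tunnel-group OTP-USERS webvpn-attributes
 group-alias OTP-Users enable

! Check the RADIUS path from the ASA before pointing users at it
! (the password is the code currently shown on the test user's token):
! test aaa-server authentication OTP-RADIUS host 192.0.2.10 username jdoe password 123456
```

With this configuration the AnyConnect client shows the username, a password field and a "Second Password" field in one dialog, which is the behaviour the reply above describes rather than a separate OTP prompt after the username.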

Dear Karsten

Thanks for the reply.

You mentioned two password fields. Why are two password fields required? Can I integrate only with OTP, without LDAP, RADIUS, etc.?

Please see below the AAA server types supported. I have mentioned all types below.

 

In that list, HTTP Forms is also supported. Any idea what this HTTP Forms is? If my OTP supports the HTTP protocol, can I use the HTTP Forms protocol to integrate with my OTP?

 

SSO Support for Clientless SSL VPN with HTTP Forms

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/aaa.html#wp1084774

 

AAA Server and Local Database Support

 

The security appliance supports a variety of AAA server types and a local database that is stored on the security appliance. This section describes support for each AAA server type and the local database.

 

This section contains the following topics:

Summary of Support

RADIUS Server Support

TACACS+ Server Support

RSA/SDI Server Support

NT Server Support

Kerberos Server Support

LDAP Server Support

SSO Support for Clientless SSL VPN with HTTP Forms

Local Database Support

That's only for clientless, not for client-based VPNs.
