AnyConnect secondary authentication

bvj197222
Level 1

Hello, I have a working 2 (3)-factor authentication with AnyConnect. Basic is set up with method 'AAA and certificate', and AAA Server Group is my AD-servers. Secondary configuration is set using my radius-server (Gemalto Safenet). Safenet is sending out SMS, no hw-token. When I log in I get username/password/secondary password. I fill in my AD-username/password and leave the third field blank. In the next box I get 'Please respond to the challenge: SMS challenge sent to mobile device'. I write the OTP and everything is ok, I'm in.

I would like to hide the 'secondary password'-field, as it is not being used. First step is the AD-authorization, the next step is the radius-authentication with the SMS-code. I have no use for the 'secondary password'-field. Is it possible to hide it? Any other way to configure this to get it to work? I have read a lot of articles, but haven't found other ways of doing it.

I have enclosed the Connection Profile-configuration and the two dialog boxes from the VPN-client.

3 Replies

Shakti Kumar
Cisco Employee
Hi @bvj197222 ,

This needs to be further investigated.

1.) Does your secondary server authenticate the user, or does it send out the SMS based on the username alone?

2.) If 1 is wrong, then I believe that even if you remove the secondary authentication you will still get the SMS code, because that part is taken care of by the AD server. I say that because when you enter a blank password the secondary server is fed with just the username and not the password; unless the secondary server is configured to authorize but not authenticate the user, this will not work (because you are sending a blank password).


let me know how your setup is and we can troubleshoot this problem further.

Thanks
Shakti

Thank you for your reply. If I use the Radius-server as basic authentication it just checks the username, not the password. I enter the username, use a single character as password, and in the next box it asks for the SMS challenge (OTP). I type the OTP and I'm being authenticated without my AD-password ever being checked. The radius is configured to authorize but not authenticate, as you write in your reply. As far as I know there's no configuration option on the Radius-server itself (Gemalto Safenet) that I can use to make it check the user password.

If I use my AD as the basic authentication, as shown in my example, and disable secondary authentication, I only get username/password. There's no SMS-challenge generated and the client doesn't ask for it either. I am being successfully authenticated.

I found this article, https://community.cisco.com/t5/vpn-and-anyconnect/ssl-vpn-password-change-notification/td-p/1700261. Herben Baerten writes "...

In your case the 2 passwords will be the same, so you could apply a 'hack' so that the user only has to enter it once: create a customization, enable the Information Panel, and enter the following javascript code in the "Text" field:  

In case you're not familiar with javascript, what this does is:

- hide the secondary password prompt

- when you click the Logon button, it copies the content of the (primary) password field to the (now hidden) secondary password field, then submits the form."

This is exactly what we need to do. However, I didn't see any script. The post is from 2011 so I don't know if it still applies?
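The hack described in the quoted post, written out as an added example for this thread. This is not the 2011 script (which is not reproduced on this page) and not Cisco code. It assumes the browser-rendered login form exposes the two password inputs under the ids `password` and `secondary_password`; both ids are assumptions, so inspect the real login page and adjust them before pasting anything into a customization. Beyond the quoted hack, it also offers a `'blank'` mode that hides the field but leaves it empty, which is what the original poster does by hand today.

```javascript
// Added example for this thread; not the script from the 2011 post and not Cisco code.
// The two element ids below are assumed; check the real login page source first.
const PRIMARY_ID = 'password';             // assumed id of the primary password input
const SECONDARY_ID = 'secondary_password'; // assumed id of the secondary password input

// Decide what the hidden secondary field should contain at submit time.
//   mode 'copy'  : the quoted post's hack, secondary := primary (same password twice)
//   mode 'blank' : leave the secondary field empty, as the original poster does by hand
// A value the user already typed into the secondary field is never overwritten.
function mirrorPassword(primary, secondary, mode = 'copy') {
  if (secondary) {
    return { primary, secondary, copied: false };
  }
  if (mode === 'blank') {
    return { primary, secondary: '', copied: false };
  }
  return { primary, secondary: primary, copied: true };
}

// Hide the secondary prompt and hook the form's submit event so the field is
// filled just before the browser posts it. Returns false when the expected
// elements are missing, so a wrong id fails visibly instead of silently.
function installPasswordMirror(doc, mode = 'copy') {
  const primary = doc.getElementById(PRIMARY_ID);
  const secondary = doc.getElementById(SECONDARY_ID);
  if (!primary || !secondary) {
    return false;
  }
  const form = secondary.form || primary.form;
  if (!form) {
    return false;
  }
  // Hide the input, and its label if the label is linked with a for= attribute.
  secondary.style.display = 'none';
  const label = doc.querySelector('label[for="' + SECONDARY_ID + '"]');
  if (label) {
    label.style.display = 'none';
  }
  form.addEventListener('submit', function () {
    secondary.value = mirrorPassword(primary.value, secondary.value, mode).secondary;
  });
  return true;
}

// Only touch the DOM when running inside a browser page.
if (typeof document !== 'undefined') {
  installPasswordMirror(document, 'copy');
}
```

Two points worth keeping in mind before using this. In `'copy'` mode the primary password is sent to the secondary AAA server as well, since the ASA forwards whatever is in the secondary field; in the setup described in this thread that server only authorizes on the username, so `'blank'` is the mode that matches what already works. And the Information Panel customization is rendered in the browser login page; whether the AnyConnect client's own login dialog honours it is exactly what the post above leaves open.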
