10-31-2018 06:32 AM
Hello, I have a working 2 (3)-factor authentication with AnyConnect. Basic is set up with method 'AAA and certificate', and AAA Server Group is my AD servers. Secondary configuration is set using my RADIUS server (Gemalto SafeNet). SafeNet is sending out SMS, no hw token. When I log in I get username/password/secondary password. I fill in my AD username/password and leave the third field blank. In the next box I get 'Please respond to the challenge: SMS challenge sent to mobile device'. I write the OTP and everything is OK, I'm in.
I would like to hide the 'secondary password' field, as it is not being used. The first step is the AD authorization, the next step is the RADIUS authentication with the SMS code. I have to use for the 'secondary password' field. Is it possible to hide it? Is there any other way to configure this to get it to work? I have read a lot of articles, but haven't found other ways of doing it.
I have enclosed the Connection Profile configuration and the two dialog boxes from the VPN client.
10-31-2018 09:09 AM
11-01-2018 02:36 AM - edited 11-01-2018 02:37 AM
Thank you for your reply. If I use the RADIUS server as basic authentication it just checks the username, not the password. I enter the username, use a single character as password, and in the next box it asks for the SMS challenge (OTP). I type the OTP and I'm authenticated without my AD password ever being checked. The RADIUS server is configured to authorize but not authenticate, as you write in your reply. As far as I know there's no configuration option on the RADIUS server itself (Gemalto SafeNet) that I can use to make it check the user password.
If I use my AD as the basic authentication, as shown in my example, and disable secondary authentication, I only get username/password. There's no SMS challenge generated and the client doesn't ask for it either. I am successfully authenticated.
11-01-2018 02:59 AM
I found this article: https://community.cisco.com/t5/vpn-and-anyconnect/ssl-vpn-password-change-notification/td-p/1700261. Herben Baerten writes:
"... In your case the 2 passwords will be the same, so you could apply a 'hack' so that the user only has to enter it once: create a customization, enable the Information Panel, and enter the following javascript code in the "Text" field:
In case you're not familiar with javascript, what this does is:
- hide the secondary password prompt
- when you click the Logon button, it copies the content of the (primary) password field to the (now hidden) secondary password field, then submits the form."
This is exactly what we need to do. However, I didn't see any script. The post is from 2011, so I don't know if it still applies?