Dear Cisco,
We are using Cisco ASA 8.2.3 as the RAS solution for our customers. Different kinds of authentication mechanisms have already been deployed.
Now we want to use two-factor authentication, where first the user is verified against AD (via secure LDAP), and second the user is verified by an SMS passcode against the SMS text messaging server.
We have already created a separate DAP, a separate AnyConnect connection profile, a separate group policy and a separate customization page for this.
I know the ASA supports this functionality, but when configuring an authentication server group and a secondary authentication server group together, you have to fill in the credentials for both on the logon page. This is not what we want. We want users to fill in their AD credentials on the logon screen; after this the user should receive an SMS text message and get a (pop-up) second login screen where he can enter the SMS passcode. Then the logon process is completed and he should get the RAS portal page.
When we test using only primary authentication (AD via a secure LDAP connection), it works. When enabling secondary authentication, you also have to fill in the credentials on the first logon page (instead of on the second logon page we would like to have). Also, the customer then does not see any requests coming in on the SMS text message server.
How do we need to configure the RAS environment so that it functions the way we want?
Kind regards,
Lars Hanssen
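For reference, this is what the double-authentication setup described in the post looks like in ASA CLI terms. It is an added example, not the poster's configuration or anything from Cisco: the server-group names (AD-LDAPS, SMS-RADIUS), addresses, DNs, the tunnel-group name RAS-2FA and the group policy GP-RAS-2FA are all assumed, and the SMS passcode server is assumed to be reachable as a RADIUS server.

```cisco
! --- Primary factor: AD over LDAPS (names, addresses and DNs are assumed) ---
aaa-server AD-LDAPS protocol ldap
aaa-server AD-LDAPS (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,ou=Service Accounts,dc=example,dc=com
 ldap-login-password <password>
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
!
! --- Second factor: the SMS passcode server, assumed to speak RADIUS ---
aaa-server SMS-RADIUS protocol radius
aaa-server SMS-RADIUS (inside) host 10.0.0.20
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
 ! The default RADIUS timeout is 10 s; the user must receive and type the SMS,
 ! so give the second-factor server more time before the ASA gives up on it.
 timeout 60
!
! --- Connection profile: double authentication, second factor reuses the AD username ---
tunnel-group RAS-2FA type remote-access
tunnel-group RAS-2FA general-attributes
 authentication-server-group AD-LDAPS
 secondary-authentication-server-group SMS-RADIUS use-primary-username
 default-group-policy GP-RAS-2FA
tunnel-group RAS-2FA webvpn-attributes
 group-alias RAS-2FA enable
!
! Check that the second-factor server answers at all, independently of the portal:
! test aaa-server authentication SMS-RADIUS host 10.0.0.20 username jdoe password <code>
! debug radius
```

Two practical notes. First, this configuration produces exactly the behaviour the post describes: with a secondary authentication server group set, the ASA collects both credentials on the single logon page and sends the second request itself, so an SMS server that sees no traffic at all is worth checking with the `test aaa-server` command above and `debug radius` before looking at the portal pages. Second, the ASA only presents a separate, later prompt when the RADIUS server answers the first request with an Access-Challenge, which AnyConnect shows as an additional dialog; whether the poster's SMS passcode server can be configured to challenge in that way is not something the post tells us and would have to be confirmed with that product's documentation.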