What is second username/password in AnyConnect?

Jun_Gao · ‎01-21-2016

Hi Folks,

We were using Cisco Systems VPN Client in the past. Once we inputted the username and passcode, we were able to log in.
Now we changed to Cisco AnyConnect Secure Mobility Client, which requires second username/password. What is this? I tried the same username/passcode twice, but it's not working.

Thanks,
Jun Gao

Karsten Iwen · ‎01-21-2016

Look at your tunnel-group/connection-profile. You probably have secondary authentication enabled.

Jun_Gao · ‎01-21-2016

Hi Karsten,

Thanks for yoru quick reply. I know tunnel-group/connection-profile is in place in Cisco Systems VPN Client. But could you please share me where I can find the same in AnyConnect? Thanks very much.

Regards,
Jun Gao

Karsten Iwen · ‎01-21-2016

That's a config you did on the ASA, not on the client.

Jun_Gao · ‎01-21-2016

Hi Karsten,

Thanks for your quick reply again. So that means I have to check with the ASA administrator for the second credential? But we never faced this scenario when we were using Cisco Systems VPN Client in the past. Why there are two credentials that have to be provided in AnyConnect? We've never faced any issues to provide only one credential in Cisco Systems VPN Client as of now.

Regards,
Jun Gao

Karsten Iwen · ‎01-22-2016

Different VPN-clients can be controlled by different config on the ASA. For the old client there is no config for double-authentication while it is configured for the new client.

Your ASA administrator can fix that (or tell you how to authenticate if the double authentication was done on purpose).

Jun_Gao · ‎01-22-2016

Hi Karsten, Thanks very much for your quick reply once again! I will try to check with the ASA administrator for the same and revert back to you. Regards, Jun Gao

Jun_Gao · ‎01-22-2016

Hi Karsten, I just checked with the support team. I was told the Cisco AnyConnect is not enabled for our team. We are only allowed to use Cisco Systems VPN Client. Regards, Jun Gao

bvj197222 · ‎11-01-2018

Old case, but the answer is this; The ASA-administrator has enabled secondary authentication in the AnyConnect Connection Profile. He didn't remove the hatch before the 'Use primary username (Hide secondary username on login page)'. If he had done that you would only see the secondary password-field.

l-mathews · ‎12-21-2019

how do you disable the secondary password fields for different vpn users or connection profiles

Marvin Rhoads · ‎12-22-2019

@l-mathews please refer to this example:

https://community.cisco.com/t5/security-documents/configure-two-factor-authentication-on-asa-for-cisco-anyconnect/ta-p/3403768

It shows how to setup secondary authentication.

In your case, simply go into the relevant section of the configuration as described in the article and disable the option(s).

(edited to add link)

l-mathews · ‎12-23-2019

which example, can you post it here? only one tunnel-group has secondary authentication enabled yet all tunnel-group profiles see the secondary password

field when they connect. We are using secure mobility 4.6

Marvin Rhoads · ‎12-23-2019

Sorry - I neglected to add the link in my earlier post. I've edited it to include the relevant link.