Compatibility with 2 factor authentication?
Kevin Cernekee
cernekee at gmail.com
Thu May 23 20:27:52 EDT 2013
On Thu, May 23, 2013 at 2:43 PM, Matthew Kitchin (Public/Usenet)
<mkitchin.public at gmail.com> wrote:
> We are migrating to a Duo Security product for secondary authentication on
> our ASA. This prompts another box to show up in the Windows GUI client
> labeled 'Second Password'. Does openconnect have the ability to interact
> with this second password dialog? I found this:
> http://lists.infradead.org/pipermail/openconnect-devel/2010-September/000226.html
> and it appears to be the same thing, but I'm unclear on what the resolution
> was. I'm using command line only on an openwrt router.

When I configured my dummy gateway to serve up the auth form in your
link, the openconnect CLI prompted for both passwords and seemed to do
the right thing:

<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-reply">
<version who="vpn">v5.00-3-gf81acba-dirty</version>
<device-id>linux-64</device-id>
<auth>
<username>user</username>
<password>1stpass</password>
<secondary_password>2ndpass</secondary_password>
<tgroup>SII-PRIV</tgroup>
</auth>
</config-auth>

The official AnyConnect clients do implement a couple of special cases
on password fields with certain names[1]; we might also need to add a
check for the "second-auth" attribute. This could account for why the
Windows client changes the label from "Password:" to "Second
Password:".

[1] http://git.infradead.org/users/dwmw2/openconnect.git/commit/e8a0cecc6ddcfffd4663d359f17ebba195cb4d69