Two-factor authentication with openconnect
Kevin Cernekee
cernekee at gmail.com
Wed Jul 22 14:06:31 PDT 2015
On Wed, Jul 22, 2015 at 12:01 PM, Fabian Jäger
<fabian.jaeger at chungwasoft.com> wrote:
> Has anyone successfully used two-factor authentication with openconnect?
>
> I am wondering if there is any special care required on the client side? How is the second credential provided
There have been occasional posts on the list from users of gateways
that were set up to require cert + password, like this:
http://www.networkworld.com/article/2227087/cisco-subnet/how-to-guide--cisco-asa-sslvpn-using-certificates-for-2-factor-auth.html
Also, the ASA can be set up to prompt for a secondary password. Don't
know if "local AAA" supports this, but the ASA can be configured to
use a wide variety of authentication backends.
On the old RSA-based system I used to use, a single password field was
used to transmit both a PIN + OTP to the gateway. Users just needed
to know it wanted a tokencode rather than a password. This is how
--token-mode=rsa works in the openconnect client.
In all cases, the VPN frontend should be able to handle 2FA just by
blindly rendering the form provided by libopenconnect.
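As an added illustration of that last point (not code from the original thread or from the openconnect project): a small Python model of a frontend that fills in whatever form fields the gateway sends, so a secondary-password field is handled with no 2FA-specific logic, plus the PIN + tokencode concatenation described above. Field kinds, field names and the sample forms are constructed for the example and only loosely mirror libopenconnect's oc_form_opt types.

```python
from dataclasses import dataclass, field

# Constructed field kinds, modelled on libopenconnect's OC_FORM_OPT_* types.
TEXT, PASSWORD, SELECT, HIDDEN = "text", "password", "select", "hidden"


@dataclass
class FormOpt:
    kind: str
    name: str
    label: str
    choices: list = field(default_factory=list)
    value: str = ""


def rsa_passcode(pin: str, tokencode: str) -> str:
    """Single passcode for an RSA-style gateway: PIN followed by the OTP."""
    if not (pin.isdigit() and tokencode.isdigit()):
        raise ValueError("PIN and tokencode must be numeric")
    return pin + tokencode


def fill_form(opts, prompt):
    """Fill each visible field by calling prompt(label, kind, choices).

    The frontend never inspects what a field is for: one password field or
    two, it just asks the user and hands the answers back.
    """
    for opt in opts:
        if opt.kind == HIDDEN:
            continue  # server-supplied value, returned untouched
        answer = prompt(opt.label, opt.kind, opt.choices)
        if opt.kind == SELECT and answer not in opt.choices:
            raise ValueError(f"{opt.name}: {answer!r} not in {opt.choices}")
        opt.value = answer
    return {o.name: o.value for o in opts}


def demo():
    """Constructed gateway form asking for a password and a second password."""
    form = [
        FormOpt(HIDDEN, "group", "", value="vpn-users"),
        FormOpt(TEXT, "username", "Username:"),
        FormOpt(PASSWORD, "password", "Password:"),
        FormOpt(PASSWORD, "secondary_password", "Second Password:"),
    ]
    # Scripted answers standing in for an interactive user; the tokencode
    # value is a constructed placeholder, not a real OTP.
    answers = {"Username:": "alice", "Password:": "hunter2",
               "Second Password:": rsa_passcode("1234", "567890")}
    return fill_form(form, lambda label, kind, choices: answers[label])
```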