Ocserv 2FA Duo

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Tue Sep 20 09:16:32 PDT 2016


On Fri, Sep 16, 2016 at 9:00 PM, Nux! <nux at li.nux.ro> wrote:
> Nikos,
>
> When we enable Duo in our Cisco, Anyconnect client will ask 1. the local radius pw as well as 2. the Duo token - as a second password.
> The user inputs 2 passwords.
> Do you see any reason why the above should not work with Ocserv?
> Right now I have not managed to get the above to work, before I go and pester Duo support, I want to make sure Ocserv is actually capable of it.

Yes, ocserv can prompt for an arbitrary number of passwords. There are
instructions to set up 2FA with OTP (with PAM or without it). Your
particular 2FA case with Duo has not been tested by anyone as far as I
know. Furthermore, I have no idea how Duo works; if it is with PAM, my
suggestion would be:
1. Make a setup that works for normal login prompt
2. Use this setup for ocserv

If something doesn't work in that case, send the debugging output (-d 4 or so).

regards,
Nikos


