On Thu, May 23, 2013 at 2:43 PM, Matthew Kitchin (Public/Usenet) <mkitchin.public at gmail.com> wrote:
> We are migrating to a Duo Security product for secondary authentication on
> our ASA. This prompts another box to show up in the Windows GUI client
> labeled 'Second Password'. Does openconnect have the ability to interact
> with this second password dialog? I found this:
> http://lists.infradead.org/pipermail/openconnect-devel/2010-September/000226.html
> and it appears to be the same thing, but I'm unclear on what the resolution
> was. I'm using command line only on an openwrt router.

When I configured my dummy gateway to serve up the auth form in your link, the openconnect CLI prompted for both passwords and seemed to do the right thing:

<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-reply">
    <version who="vpn">v5.00-3-gf81acba-dirty</version>
    <device-id>linux-64</device-id>
    <auth>
        <username>user</username>
        <password>1stpass</password>
        <secondary_password>2ndpass</secondary_password>
        <tgroup>SII-PRIV</tgroup>
    </auth>
</config-auth>

The official AnyConnect clients do implement a couple of special cases on password fields with certain names[1]; we might also need to add a check for the "second-auth" attribute. This could account for why the Windows client changes the label from "Password:" to "Second Password:".

[1] http://git.infradead.org/users/dwmw2/openconnect.git/commit/e8a0cecc6ddcfffd4663d359f17ebba195cb4d69