On Wed, Jul 22, 2015 at 12:01 PM, Fabian Jäger <fabian.jaeger at chungwasoft.com> wrote:
> Has anyone successfully used two-factor authentication with openconnect?
>
> I am wondering if there is any special care required on the client side? How is the second credential provided

There have been occasional posts on the list from users of gateways that were set up to require cert + password, like this:

http://www.networkworld.com/article/2227087/cisco-subnet/how-to-guide--cisco-asa-sslvpn-using-certificates-for-2-factor-auth.html

Also, the ASA can be set up to prompt for a secondary password. Don't know if "local AAA" supports this, but the ASA can be configured to use a wide variety of authentication backends.

On the old RSA-based system I used to use, a single password field was used to transmit both a PIN + OTP to the gateway. Users just needed to know it wanted a tokencode rather than a password. This is how --token-mode=rsa works in the openconnect client.

In all cases, the VPN frontend should be able to handle 2FA just by blindly rendering the form provided by libopenconnect.