Thanks Nikos, will do. I'll get back with details if I get it to work.

Lucian

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Nikos Mavrogiannopoulos" <n.mavrogiannopoulos at gmail.com>
> To: "Nux!" <nux at li.nux.ro>
> Cc: "openconnect-devel" <openconnect-devel at lists.infradead.org>
> Sent: Tuesday, 20 September, 2016 17:16:32
> Subject: Re: Ocserv 2FA Duo

> On Fri, Sep 16, 2016 at 9:00 PM, Nux! <nux at li.nux.ro> wrote:
>> Nikos,
>>
>> When we enable Duo in our Cisco, Anyconnect client will ask 1. the local radius
>> pw as well as 2. the Duo token - as a second password.
>> The user inputs 2 passwords.
>> Do you see any reason why the above should not work with Ocserv?
>> Right now I have not managed to get the above to work, before I go and pester
>> Duo support, I want to make sure Ocserv is actually capable of it.
>
> Yes, ocserv can prompt any arbitrary amount of passwords. There are
> instructions to setup 2fa with otp (with pam or without it). Your
> particular 2fa case with duo has not been tested by anyone as far as I
> know. Furthermore, I have no idea how duo works, if it is with PAM, my
> suggestion would be:
> 1. Make a setup that works for normal login prompt
> 2. Use this setup for ocserv
>
> If something doesn't work in that case send the debugging output (-d 4 or so).
>
> regards,
> Nikos