Cisco domain authorization via MultiOTP's FreeRadius.

I will try my best to describe our situation. We have configured our Cisco ASA to request domain name, domain password and OTP when users connect through Cisco AnyConnect VPN. It works well, but we need to connect only through LDAPS. To authorize username and password with domain, ASA goes to domain controller through LDAP, because ASA cannot connect through LDAPS. To authorize OTP, ASA goes to MultiOTP. MultiOTP is configured to access domain controller through LDAPS, and it uses FreeRadius to do that, as I understand. Is it possible to authorize domain requests from ASA through FreeRadius on MultiOTP? So it will be able to communicate via LDAPS with domain controller. Thank you!


  • Hello, What is possible to do is to configure a multiOTP "radius only" authentication on your Cisco router, and when the request arrives on the multiOTP server, multiOTP will wait the Domain password concatenates with the OTP. (username : AD_USER, password : AD_PASSWORD + OTP) If you want to do that, you have to say in multiOTP that users need prefix PIN, and that AD/LDAP password is used as prefix PIN. Regards, Andre
  • Will the password then go in one line?
  • Yes, in this case, the VPN password is in one line : "AD_PASSWORD + OTP" and must be sent in PAP between the Cisco ASA and the multiOTP FreeRADIUS service. On multiOTP side, the VPN password is separated again, the last X chars (depending on OTP length) for the OTP; and the begin of the VPN password is send using LDAPS to the AD to check the AD password. Regards
Sign In or Register to comment.