...
If you plan to deploy only the onOn-demand Demand password based authentication in your user base using Deepnet T-Pass, then you will configure your Cisco ASA in such way that it will use your DualShield Radius server Server as the primary authentication server.
Your DualShield server will be responsible for verifying both users’ AD password and one-time passwords. There should be no secondary authentication servers. In addition, you have to disselect de-select the "Microsoft CHAPv2 Capable" in Cisco ASA authentication setting.
Edit Logon Procedure
In the DualShield Management Administration Console, edit the logon procedure Logon Procedure for your Cisco ASA application. You will need to define two logon steps: the Two Logon Steps:
The first step requires users to enter their static password (AD password), which will also trigger the DualShield server to send the user’s onOn-demand Demand password. The second step Second Step will then ask users to enter their oneOne-time Time password.
Configure Cisco ASA
...
The user will then be prompted to enter a T-Pass one-time password: