If you plan to deploy only on-demand password-based authentication across your user base using Deepnet T-Pass, configure your Cisco ASA so that it uses your DualShield RADIUS server as the primary authentication server. The DualShield server is then responsible for verifying both the user's AD password and the one-time password; there should be no secondary authentication server. In addition, you have to deselect the "Microsoft CHAPv2 Capable" option in the Cisco ASA settings.


Edit Logon Procedure

In the DualShield Management Console, edit the logon procedure for your Cisco ASA application. You will need to define two logon steps: the first step requires users to enter their static password (AD password); a successful first step also triggers the DualShield server to send the user's on-demand password. The second step then asks users to enter that one-time password.

Configure Cisco ASA

  1. In ASDM, go to Remote Access VPN -> Clientless SSL VPN Access -> Connection Profiles
  2. Edit your SSL VPN profile and change its primary authentication to DualShield
  3. Remove the secondary authentication by changing its server group to "none"
  4. Click "Apply" to save the changes
  5. Disable "Microsoft CHAPv2 Capable"

Test Logon

Navigate to the SSL VPN logon page:

Enter your username and your AD password.

The DualShield server will send an on-demand password via the delivery channel defined in your T-Pass policy, e.g. an SMS text message or an email message.

The user will then be prompted to enter a T-Pass one-time password:
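The two-step logon procedure described above (static AD password first, one-time password second) maps naturally onto a RADIUS Access-Challenge exchange: the first Access-Request carries the AD password, the server answers Access-Challenge with an opaque State and delivers the OTP, and the second Access-Request carries the OTP plus that State. The following is an added, self-contained model of that server-side logic written for this page; it is not Deepnet's or Cisco's code and does not encode real RADIUS packets. The user store, the delivery hook (`deliver_otp`) and the 120-second OTP lifetime are constructed assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed user store (assumption): a real deployment checks the AD
# password against the directory, not a dictionary of cleartext values.
USERS = {"alice": "Winter2024!"}

# Assumed delivery hook standing in for the T-Pass delivery channel
# (SMS or e-mail). It only records what would have been sent.
DELIVERED = []


def deliver_otp(username: str, otp: str) -> None:
    DELIVERED.append((username, otp))


OTP_TTL_SECONDS = 120  # assumed lifetime of an on-demand password


@dataclass
class Challenge:
    username: str
    otp: str
    issued_at: float


class TwoStepAuthServer:
    """Models the primary RADIUS server: both factors are verified here,
    so the VPN gateway needs no secondary authentication server."""

    def __init__(self, users: Dict[str, str], deliver: Callable[[str, str], None],
                 ttl: float = OTP_TTL_SECONDS, clock: Callable[[], float] = time.time):
        self._users = users
        self._deliver = deliver
        self._ttl = ttl
        self._clock = clock
        self._pending: Dict[str, Challenge] = {}  # keyed by the RADIUS State value

    def step1(self, username: str, password: str) -> Tuple[str, Optional[str]]:
        """Step 1: verify the static (AD) password. On success generate a
        one-time password, push it through the delivery channel and return
        an Access-Challenge carrying an opaque State for step 2."""
        stored = self._users.get(username)
        # Unknown users take the same code path as wrong passwords, and
        # compare_digest avoids leaking where the mismatch occurred.
        ok = stored is not None and hmac.compare_digest(stored.encode(), password.encode())
        if not ok:
            return ("Access-Reject", None)
        otp = "".join(str(secrets.randbelow(10)) for _ in range(6))
        state = secrets.token_hex(16)  # unguessable; ties step 2 to this step 1
        self._pending[state] = Challenge(username, otp, self._clock())
        self._deliver(username, otp)
        return ("Access-Challenge", state)

    def step2(self, username: str, otp: str, state: str) -> str:
        """Step 2: verify the one-time password against the pending challenge.
        A challenge is single-use and expires after ttl seconds."""
        ch = self._pending.pop(state, None)  # consumed whether or not it matches
        if ch is None or ch.username != username:
            return "Access-Reject"
        if self._clock() - ch.issued_at > self._ttl:
            return "Access-Reject"
        if not hmac.compare_digest(ch.otp.encode(), otp.encode()):
            return "Access-Reject"
        return "Access-Accept"


def demo() -> str:
    """Walk through the happy path: AD password, delivered OTP, accept."""
    server = TwoStepAuthServer(USERS, deliver_otp)
    code, state = server.step1("alice", "Winter2024!")
    assert code == "Access-Challenge"
    otp = DELIVERED[-1][1]  # what the user reads from the SMS or e-mail
    return server.step2("alice", otp, state)


if __name__ == "__main__":
    print(demo())  # Access-Accept
```

The two properties worth keeping when adapting this are that the OTP is only generated after the AD password has been verified (so a failed first step never triggers a delivery), and that each challenge is consumed on first use and expires, so a captured code cannot be replayed against the VPN.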
