If you plan to deploy only one-time-password-based authentication to your user base, using OTP tokens such as Deepnet SafeID or MobileID, configure your Cisco ASA so that it uses your AD as the primary authentication server and your DualShield as the secondary authentication server. Your AD will be responsible for verifying users’ AD passwords, and your DualShield will be responsible for verifying users’ one-time passwords only.
In the DualShield Administration Console, edit the Logon Procedure for your Cisco ASA application. You should need only one logon step, typically with “One-Time Password” as the authentication method:
![DualShield MFA Platform > One-Step Logon [ASA] > image-2024-11-28_10-36-8.png](/download/attachments/35946719/image-2024-11-28_10-36-8.png?version=1&modificationDate=1732790167913&api=v2)
In the Connection Profiles section, select your existing SSL VPN profile and click Edit (click Add if you do not yet have an SSL VPN profile).
![DualShield MFA Platform > Clientless SSL VPN [ASA] > image2014-4-9 17:23:23.png](/download/attachments/35946704/image2014-4-9%2017%3A23%3A23.png?version=1&modificationDate=1587385453000&api=v2)
![DualShield MFA Platform > Clientless SSL VPN [ASA] > image2014-4-9 17:23:31.png](/download/attachments/35946704/image2014-4-9%2017%3A23%3A31.png?version=1&modificationDate=1587385453000&api=v2)
![DualShield MFA Platform > Clientless SSL VPN [ASA] > image2014-4-9 17:24:10.png](/download/attachments/35946704/image2014-4-9%2017%3A24%3A10.png?version=1&modificationDate=1587385453000&api=v2)
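The following is an added example, not part of the original guide or of the vendors' own tooling: a Python check over an exported ASA running-config that reports any connection profile not chaining AD as primary and DualShield as secondary authentication. It assumes the ASDM settings above appear in the CLI as `authentication-server-group` and `secondary-authentication-server-group` under `tunnel-group <name> general-attributes`; the server-group names `AD` and `DUALSHIELD`, the profile names and the sample config are constructed.

```python
import re

# Constructed sample of an ASA running-config; all names are placeholders.
SAMPLE_CONFIG = """\
aaa-server AD protocol ldap
aaa-server DUALSHIELD protocol radius
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group AD
 secondary-authentication-server-group DUALSHIELD use-primary-username
tunnel-group LEGACY type remote-access
tunnel-group LEGACY general-attributes
 authentication-server-group AD
tunnel-group LEGACY webvpn-attributes
 group-alias legacy enable
"""

KEYS = {"authentication-server-group": "primary",
        "secondary-authentication-server-group": "secondary"}

def parse_tunnel_groups(config):
    """Return {profile: {"primary": group or None, "secondary": group or None}}."""
    groups, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            # Top-level line: only a general-attributes header opens a section we read.
            current = None
            m = re.match(r"tunnel-group (\S+) (\S+)", line)
            if m:
                entry = groups.setdefault(m.group(1), {"primary": None, "secondary": None})
                if m.group(2) == "general-attributes":
                    current = entry
            continue
        words = line.split()
        if current is None or not words or words[0] not in KEYS:
            continue
        # Skip an optional "(interface)" token; the server-group name comes first after it.
        args = [w for w in words[1:] if not w.startswith("(")]
        if args:
            current[KEYS[words[0]]] = args[0]
    return groups

def audit(config, primary, secondary):
    """List (profile, problem) pairs for profiles missing either factor."""
    findings = []
    for name, g in sorted(parse_tunnel_groups(config).items()):
        for role, want in (("primary", primary), ("secondary", secondary)):
            if g[role] != want:
                findings.append((name, f"{role} is {g[role]}, expected {want}"))
    return findings
```

A profile flagged with a missing secondary group accepts the AD password alone, so it should be corrected or removed before the OTP rollout is considered complete.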
Navigate to the Cisco ASA SSL VPN logon page:
![DualShield MFA Platform > Clientless SSL VPN [ASA] > image2014-4-9 17:31:49.png](/download/attachments/35946704/image2014-4-9%2017%3A31%3A49.png?version=1&modificationDate=1587385453000&api=v2)
The logon form consists of 3 fields:
User name: User's domain account login name
Password: AD password
2nd Password: One-time password
You can customise the Cisco ASA logon page to make it more user friendly. For instance, you may want to change “2nd Password” to “Passcode” or “One-Time Password”.
Customisation is done by changing the relevant messages, or the HTML and JavaScript files, in the Cisco ASA appliance.
In ASDM, go to Remote Access VPN -> Clientless SSL VPN Access -> Portal -> Customization. Click Add to add a new customization object.
![DualShield MFA Platform > Clientless SSL VPN [ASA] > image2014-4-9 17:35:27.png](/download/attachments/35946704/image2014-4-9%2017%3A35%3A27.png?version=1&modificationDate=1587385453000&api=v2)
Enter a name for the customization object.
Expand Login Page and select Logon Form.
![DualShield MFA Platform > Clientless SSL VPN [ASA] > image2014-4-9 17:36:29.png](/download/attachments/35946704/image2014-4-9%2017%3A36%3A29.png?version=1&modificationDate=1587385453000&api=v2)
Change "2nd password" to "Passcode" in the Secondary Password Prompt.
Click "OK". Click "Assign" and assign the newly created Customization Object to the SSL VPN connection profile.
![DualShield MFA Platform > Clientless SSL VPN [ASA] > image2014-4-9 17:38:34.png](/download/attachments/35946704/image2014-4-9%2017%3A38%3A34.png?version=1&modificationDate=1587385453000&api=v2)
The SSL VPN logon page will now be presented as:
![DualShield MFA Platform > Clientless SSL VPN [ASA] > image2014-4-9 17:39:20.png](/download/attachments/35946704/image2014-4-9%2017%3A39%3A20.png?version=1&modificationDate=1587385453000&api=v2)