The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Although the AnyConnect client has always supported OTP-based authentication, prior to the fix for Cisco bug ID CSCsw95673, the Cisco IOS headend did not process RADIUS Access-Challenge messages. After the initial login prompt (where users enter their "permanent" usernames and passwords), the RADIUS server sends an Access-Challenge message to the Cisco IOS gateway, which asks users to enter their OTP.
At this point, the AnyConnect client is expected to show an additional pop-up window that prompts users for their OTP, but because the Cisco IOS device did not process the Access-Challenge message, this never happened and the client sat idle until the connection timed out.
However, as of Version 15.2(4)M4, Cisco IOS devices should be able to process the challenge-based authentication mechanism.
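The following is an added example, not code from the original document or from Cisco, that models the two-round RADIUS exchange described above between the headend (the NAS) and the RSA server acting as a RADIUS token server. The packet layout, User-Password hiding and Response Authenticator follow RFC 2865; the shared secret, usernames, passwords, OTP values and the "stalled" outcome for a headend that ignores Access-Challenge are all constructed for illustration.

```python
"""Toy RADIUS challenge/response exchange: a VPN headend (NAS) talking to a
token server.  Constructed example; wire format per RFC 2865, data invented."""
import hashlib
import os
import struct

# RADIUS packet codes and the attribute types this exchange needs (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def pack_attrs(attrs):
    # Each attribute is Type(1) Length(1, includes header) Value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def encode(code, ident, authenticator, attrs):
    body = pack_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: XOR with an MD5 keystream chained on the Request
    Authenticator.  Obfuscation only, which is why RADIUS traffic itself
    still needs transport protection."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        ks = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], ks))
        out += prev
    return out


def unhide_password(cipher, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(cipher), 16):
        ks = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], ks))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, request_auth, attrs, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = pack_attrs(attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + request_auth + body + secret).digest()


class TokenServer:
    """Stand-in for the RSA server configured as a RADIUS token server.
    Round 1: static password -> Access-Challenge carrying a State token.
    Round 2: OTP plus echoed State -> Access-Accept or Access-Reject."""

    def __init__(self, secret, passwords, otps):
        self.secret, self.passwords, self.otps = secret, passwords, otps
        self.pending = {}  # State token -> username awaiting its OTP

    def _reply(self, code, ident, request_auth, attrs):
        auth = response_authenticator(code, ident, request_auth, attrs, self.secret)
        return encode(code, ident, auth, attrs)

    def handle(self, pkt):
        code, ident, req_auth, attrs = decode(pkt)
        a = dict(attrs)
        user = a.get(USER_NAME, b"")
        pw = unhide_password(a.get(USER_PASSWORD, b""), self.secret, req_auth)
        state = a.get(STATE)
        if code != ACCESS_REQUEST:
            return self._reply(ACCESS_REJECT, ident, req_auth, [])
        if state is None:  # first round: check the permanent password
            if self.passwords.get(user) != pw:
                return self._reply(ACCESS_REJECT, ident, req_auth, [])
            token = os.urandom(8)
            self.pending[token] = user
            return self._reply(ACCESS_CHALLENGE, ident, req_auth,
                               [(REPLY_MESSAGE, b"Enter PASSCODE:"), (STATE, token)])
        # second round: State must match an open challenge for this user
        if self.pending.pop(state, None) == user and self.otps.get(user) == pw:
            return self._reply(ACCESS_ACCEPT, ident, req_auth, [])
        return self._reply(ACCESS_REJECT, ident, req_auth, [])


def headend_login(server, secret, username, password, otp_prompt, process_challenge=True):
    """Models the IOS headend.  process_challenge=False mimics the pre-fix
    behaviour: Access-Challenge is ignored, the client is never asked for an
    OTP, and the session just stalls."""
    def round_trip(ident, value, extra):
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(value, secret, req_auth))] + extra
        code, rid, auth, rattrs = decode(server.handle(encode(ACCESS_REQUEST, ident, req_auth, attrs)))
        # The NAS must verify the Response Authenticator before acting on any reply
        if rid != ident or auth != response_authenticator(code, rid, req_auth, rattrs, secret):
            return None, {}
        return code, dict(rattrs)

    code, reply = round_trip(1, password, [])
    if code == ACCESS_CHALLENGE:
        if not process_challenge:
            return "stalled"  # client sits idle until the connection times out
        otp = otp_prompt(reply[REPLY_MESSAGE].decode())
        code, reply = round_trip(2, otp, [(STATE, reply[STATE])])
    return {ACCESS_ACCEPT: "accepted", ACCESS_REJECT: "rejected"}.get(code, "error")


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed value
    srv = TokenServer(secret, {b"alice": b"Pa55w0rd"}, {b"alice": b"246810"})
    print(headend_login(srv, secret, b"alice", b"Pa55w0rd", lambda p: b"246810"))
    print(headend_login(srv, secret, b"alice", b"Pa55w0rd", lambda p: b"246810", process_challenge=False))
```

The State attribute is the piece a headend must echo back unchanged; a gateway that drops the challenge (the pre-fix behaviour) never sends the second Access-Request, which is exactly the idle-then-timeout symptom seen on the client.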
One of the differences between the Adaptive Security Appliance (ASA) and Cisco IOS headends is that Cisco IOS routers, switches, and access points (APs) only support RADIUS and TACACS. They do not support the RSA-proprietary protocol SDI. The RSA server, however, supports both SDI and RADIUS. Therefore, in order to use OTP authentication on a Cisco IOS headend, the Cisco IOS device must be configured for the RADIUS protocol and the RSA server as a RADIUS token server.
Configure the authentication method and the Authentication, Authorization, and Accounting (AAA) server group:
aaa new-model
!
!
aaa group server radius OTP-full
 server 10.7.7.129
!
aaa group server radius OTP-split
 server 10.7.7.129 auth-port 1812
!
aaa authentication login default local
aaa authentication login webvpn-auth group OTP-split
aaa authorization exec default local
aaa authorization network webvpn-auth local