Presumably, AnyConnect has been working all along with an LDAP AAA server and attribute map? This is what validates the initial username & password. (Note that these same exact LDAP parameters should be used to define the PI Realm.)
On top of that, a RADIUS-based AAA server should be defined, pointing to the FreeRADIUS plugin and using otppin=tokenpin. The AnyConnect login policy is then extended with a secondary authenticator, which expects the original username and the OTP value:
secondary-authentication-server-group PrivacyIDEA use-primary-username
If the user is assigned an OTP token with a PIN, then for the secondary AnyConnect prompt the user would enter <pin><token>. If the OTP was configured without a PIN, then the user would just use <otp> in the 2nd password field.
It was helpful for us to use passthru=userstore for initial onboarding, allowing the user without an assigned token to login with their password (entered twice). Once everyone had their tokens, passthru was disabled.
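To make the pieces of the setup above concrete, here is an added ASA configuration fragment (example only, written for this page; it is not the poster's configuration). The server-group names, addresses, base DN, login DN, attribute-map name, tunnel-group name and secrets are assumptions; only the structure (LDAP as primary, RADIUS via the privacyIDEA FreeRADIUS plugin as secondary, reusing the primary username) comes from the post.

```cisco
! Assumed names, addresses and secrets (example only, not from the original post)
!
! Primary authenticator: the LDAP server group AnyConnect has been using all along.
! The same host, base DN and login DN should also define the privacyIDEA realm.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,ou=Service Accounts,dc=example,dc=com
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP
!
! Secondary authenticator: RADIUS, pointed at the FreeRADIUS host that runs the
! privacyIDEA rlm_perl plugin. Whatever the user types in the second password
! field is forwarded to privacyIDEA's /validate/check as the "pass" value.
aaa-server PrivacyIDEA protocol radius
aaa-server PrivacyIDEA (inside) host 10.0.0.20
 key <radius-shared-secret>
 authentication-port 1812
 accounting-port 1813
 timeout 10
!
! Two-prompt login: password checked against LDAP first, then the OTP against
! privacyIDEA with the same username (no separate username prompt).
tunnel-group SSLVPN-TG general-attributes
 authentication-server-group LDAP-AD
 secondary-authentication-server-group PrivacyIDEA use-primary-username
```

On the privacyIDEA side, otppin=tokenpin and passthru=userstore are both actions of policies in the authentication scope. With otppin=tokenpin the second prompt expects the token's own PIN followed by the OTP value (or just the OTP if the token was enrolled without a PIN); with passthru=userstore a user who has no token yet is authenticated against the userstore (the same LDAP) with the second password field, which is why the password is entered twice during onboarding. Disabling that passthru policy is what closes the onboarding window once every user has a token.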