Cisco ASA and PrivacyIDEA

I haven’t delved into the Questionnaire type yet. My concern would be how the “N correct answers out of M questions” fits into the RADIUS model, which is challenge-response rather than challenge-challenge-challenge-challenge-response. :slight_smile: But for U2F and Email(PIE) types, it works right out of the box with otppin=tokenpin.

I don’t think token types can be selectively queried/screened based on policy. In my experience, the C-R PIN determines the context: if I use my U2F PIN, the YubiKey is prompted, but if I use my Email PIN, the email is generated.

You can have a tokentype policy that will only allow certain tokentypes.

To clarify “client IP”, is this the IP of the application or the IP of the user? For example, if a user at is authenticating to an application at, Is the client IP or

I would imagine it would be the 10 address because you can’t always expect the application to forward the source IP of the remote user.