Idea ID: 2828285

allow new advanced auth radius use case

Status : New Idea
11 months ago
  • Cisco ASA is setup with a Primary AND Secondary Authentication profile.
    • The primary authentication profile is configured for LDAP and validates directly against an Active Directory domain controller. In theory, this could instead be an AA RADIUS connection pointing at an Event that includes only a single Chain, with a single Method of LDAP Password.
    • The secondary authentication profile would point at AA RADIUS.
  • Cisco ASA has a single “Group” defined, with a label of “MFA” or similar.
    • Since both a Primary and Secondary Authentication profile are defined for this “Group,” the initial VPN Client screen asks for 3 pieces of information “Username,” “Password” and “Secondary Password” (often renamed to “Authentication Method”).
    • In the first “Password” field, the user types their LDAP Password.
    • In the “Authentication Method” aka “Secondary Password” field, the user types predefined keywords such as “push,” “call,” “email,” or “sms”.
    • When the VPN client submits this to the NAS (VPN Server), the NAS:
      • Validates the Username + LDAP Password with the AD Domain Controller
      • Sends the “User-Name” attribute to the AA RADIUS server along with a “Password” that is not the actual LDAP Password but instead the desired method phrase (“push,” “call,” “email,” or “sms”).
  • AA RADIUS server setup:
    • With a RADIUS “Event” that includes multiple single-Method Chains defined.
    • Each Chain includes one of the following as the FIRST and ONLY Method: Email OTP, Smartphone Push, SMS OTP, or Voice OTP.
    • The RADIUS “Event,” using RADIUS “Chain selection rules,” selects the appropriate Chain based on the desired method phrase (“push,” “call,” “email,” or “sms”) found in the RADIUS request’s “Password” field (aka the “Secondary Password” captured earlier).
    • AA would then:
      • Send the Push notification or OTP via indicated delivery method
      • Prompt the RADIUS client to acknowledge the Push response in the NetIQ Auth app, or to input the OTP code received.
  • RESULT: Only a single “GROUP” needs to be defined, that dynamically works with any additional Chains later associated.
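As an added example (constructed for this page; it is not part of the idea submission and not NetIQ Advanced Authentication or Cisco ASA code), the following Python simulates both sides of the exchange the bullets describe: the NAS builds a RADIUS Access-Request whose User-Password is the method keyword from the “Secondary Password” field (encoded the way RFC 2865 section 5.2 prescribes), and the AA RADIUS side decodes it, applies the chain selection rules, and answers with an Access-Challenge (push or OTP pending, correlated by State) or an Access-Reject when no rule matches. The shared secret, user name and chain labels are constructed sample values, and the NAS-side Response Authenticator check is included because a NAS should verify it before acting on any reply.

```python
"""Constructed simulation of a Cisco ASA secondary-auth RADIUS request and an
AA RADIUS "Event" applying chain selection rules (example code, not vendor code)."""
import hashlib
import secrets
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE, ATTR_STATE = 1, 2, 18, 24

# Chain selection rules: keyword typed into "Secondary Password" -> Chain whose
# single Method is that delivery mechanism (chain labels are assumed names).
CHAIN_RULES = {"push": "Smartphone Push", "call": "Voice OTP",
               "email": "Email OTP", "sms": "SMS OTP"}


def encode_user_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each block with
    MD5(secret + previous cipher block), seeded by the Request Authenticator.
    This is obfuscation keyed on the shared secret, not strong encryption."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def decode_user_password(cipher, secret, authenticator):
    """Inverse of encode_user_password; trailing NUL padding is stripped."""
    if not cipher or len(cipher) % 16:
        raise ValueError("User-Password must be 16..128 bytes in 16-byte blocks")
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def _encode_attrs(attrs):
    # attrs is a list of (type, value bytes); each TLV is type, length, value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_packet(data):
    """Parse header + attributes, rejecting length mismatches and bad TLVs."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, identifier, data[4:20], attrs


# ---- NAS (Cisco ASA) side ---------------------------------------------------
def nas_build_access_request(username, secondary_password, secret, identifier=1):
    """The 'Secondary Password' keyword rides in User-Password; the real LDAP
    password was already checked against AD and never reaches AA RADIUS."""
    request_auth = secrets.token_bytes(16)
    body = _encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, encode_user_password(secondary_password.encode(), secret, request_auth)),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_auth + body


def nas_verify_response(response, request_auth, secret):
    """Response Authenticator check (RFC 2865 section 3) before trusting a reply."""
    _, _, response_auth, _ = parse_packet(response)
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return secrets.compare_digest(expected, response_auth)


# ---- AA RADIUS side ----------------------------------------------------------
def aa_select_chain(keyword):
    """Chain selection rule: exact keyword match, case-insensitive; None when no
    rule matches, so the caller rejects instead of guessing a method."""
    return CHAIN_RULES.get(keyword.strip().lower())


def aa_build_response(code, identifier, request_auth, attrs, secret):
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def aa_handle_access_request(request, secret):
    """Return (response packet, selected chain name or None)."""
    code, identifier, request_auth, attrs = parse_packet(request)
    values = dict(attrs)
    reject = aa_build_response(ACCESS_REJECT, identifier, request_auth, [], secret), None
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in values or ATTR_USER_PASSWORD not in values:
        return reject
    try:
        keyword = decode_user_password(values[ATTR_USER_PASSWORD], secret, request_auth)
    except ValueError:
        return reject
    chain = aa_select_chain(keyword.decode("utf-8", errors="replace"))
    if chain is None:
        return reject
    # Method started (push sent / OTP delivered); State correlates the follow-up
    # Access-Request carrying the OTP code or push acknowledgement.
    attrs_out = [(ATTR_REPLY_MESSAGE, f"{chain}: approve in the app or enter the OTP".encode()),
                 (ATTR_STATE, secrets.token_bytes(16))]
    return aa_build_response(ACCESS_CHALLENGE, identifier, request_auth, attrs_out, secret), chain
```

Running `aa_handle_access_request(nas_build_access_request("alice", "push", secret), secret)` yields an Access-Challenge and the “Smartphone Push” chain; a keyword with no matching rule yields an Access-Reject rather than a default chain, which is the behaviour to expect from a chain selection rule set that has no catch-all.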