allow new advanced auth radius use case

Idea ID 2828285

  • Cisco ASA is set up with a Primary AND Secondary Authentication profile.
    • The primary authentication profile is configured for LDAP and validates credentials directly against an Active Directory domain controller. In theory, this could instead be an AA RADIUS connection pointing at an Event that contains a single Chain with a single Method of LDAP Password.
    • The secondary authentication profile points at AA RADIUS.
  • Cisco ASA has a single “Group” defined, with a label of “MFA” or similar.
    • Since both a Primary and a Secondary Authentication profile are defined for this “Group,” the initial VPN client screen asks for three pieces of information: “Username,” “Password” and “Secondary Password” (often relabeled “Authentication Method”).
    • In the first “Password” field, the user types their LDAP password.
    • In the “Authentication Method” (aka “Secondary Password”) field, the user types one of a set of predefined keywords such as “push,” “call,” “email,” or “sms.”
    • When the VPN client submits this to the NAS (VPN server), the NAS:
      • Validates the Username + LDAP password against the AD domain controller.
      • Sends a RADIUS request to AA that carries the “User-Name” attribute together with a “User-Password” attribute holding not the actual LDAP password but the desired method keyword (“push,” “call,” “email,” or “sms”).
  • AA RADIUS server setup:
    • A RADIUS “Event” that includes multiple single-Method Chains.
    • Each Chain includes exactly one of the following as its FIRST and ONLY Method: Email OTP, Smartphone Push, SMS OTP, or Voice OTP.
    • The RADIUS “Event,” using RADIUS “Chain selection rules,” selects the appropriate Chain based on the method keyword (“push,” “call,” “email,” or “sms”) found in the RADIUS request’s “User-Password” field (i.e., the “Secondary Password” captured earlier).
    • AA would then:
      • Send the push notification or the OTP via the indicated delivery method.
      • Prompt the user, via the RADIUS client, either to approve the push in the NetIQ Auth app or to enter the OTP code they received.
  • RESULT: Only a single “Group” needs to be defined on the ASA, and it works dynamically with any additional Chains associated with the Event later.
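To make the proposed flow concrete, the following is an added example (not code from the original post and not Micro Focus / NetIQ code): a small simulation of what the AA side would have to do with the Access-Request described above. It builds a RADIUS Access-Request with User-Name and a User-Password attribute that carries the method keyword (encoded per RFC 2865 section 5.2 with the shared secret and Request Authenticator), then decodes the keyword and maps it to a chain. The shared secret, Request Authenticator, user names and the chain labels are constructed for illustration; the real “Chain selection rules” syntax in AA is not shown here. One point the example makes explicit: a keyword that matches no chain must result in a reject, not a fall-through to a default chain, because at this step the User-Password field no longer contains anything the user had to prove.

```python
import hashlib
import struct

# RADIUS constants (RFC 2865).
CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2

# Keyword typed into the "Secondary Password" field -> chain to run.
# Chain labels are assumptions for this example; keywords are those in the proposal.
CHAIN_FOR_KEYWORD = {
    "push": "Smartphone Push",
    "call": "Voice OTP",
    "email": "Email OTP",
    "sms": "SMS OTP",
}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 octets, then c1 = p1 XOR MD5(S + RA),
    ci = pi XOR MD5(S + c(i-1)). This is obfuscation keyed by the shared secret,
    not authenticated encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decode_user_password(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password; strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += _xor(blob[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes, attrs) -> bytes:
    """Serialize code/identifier/length/authenticator + TLV attributes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    authenticator = packet[4:20]
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, identifier, authenticator, attrs


def build_sample_request(username: str, keyword: str, secret: bytes,
                         authenticator: bytes = bytes(range(16)), identifier: int = 7) -> bytes:
    """What the NAS would send for the secondary profile: the keyword rides in User-Password."""
    attrs = [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, encode_user_password(keyword.encode(), secret, authenticator)),
    ]
    return build_access_request(identifier, authenticator, attrs)


def select_chain(packet: bytes, secret: bytes):
    """Emulates the chain selection rule: (user, normalized keyword, chain or None).
    A None chain means the Event has no matching rule and should answer Access-Reject."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != CODE_ACCESS_REQUEST:
        return None
    user = attrs[ATTR_USER_NAME].decode()
    raw = decode_user_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    keyword = raw.decode("utf-8", errors="replace").strip().lower()
    return user, keyword, CHAIN_FOR_KEYWORD.get(keyword)


if __name__ == "__main__":
    secret = b"sharedsecret"  # constructed for the example
    for name, kw in [("alice", "Push"), ("bob", "sms"), ("carol", "token")]:
        user, keyword, chain = select_chain(build_sample_request(name, kw, secret), secret)
        print(f"{user}: keyword={keyword!r} -> {chain or 'Access-Reject (no matching chain)'}")
```

The normalization (`strip().lower()`) is deliberate: users will type “Push ” or “SMS”, and a rule that only matches the exact lowercase string would send them to a reject for no security benefit. The primary LDAP check on the ASA is what actually proves the password; the RADIUS leg only carries the routing keyword, so the shared secret and the transport between ASA and AA are what protect that leg.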