Version 2.2 (older version)

Username & Token generated OTP

Performing this scenario will produce a RADIUS username, password and Token OTP authentication. Supported tokens are PhenixID Pocket Pass and other OATH compliant software/hardware tokens.

This article will use LDAP as the primary user store.

Name & Description

Start by giving the scenario a friendly name and description. Then click Next.

User store selection

Select existing or create new primary user store.

To create a new connection, follow the steps in the LDAP connection guide.

User search settings

Enter a search filter; it is used to locate the authenticating user. Set the search base either by browsing with "Choose" or by entering the search base root manually. None of the values may be blank.

Example filter for logging in with the e-mail address as the username:

mail={{request.User-Name}}

The following example only allows users who are members of OTP-GROUP and whose title starts with Manager.

(&(sAMAccountName={{request.User-Name}})(memberof=cn=OTP-GROUP,ou=groups,dc=phenixid,dc=local)(title=Manager*))

Configure RADIUS Server

Select existing or create new RADIUS server.

To create a new RADIUS server, follow the steps in the RADIUS connection guide.

Configure RADIUS client

The RADIUS client is the IP address that the system allows to use this listener/connection.

Set it to the IP address of the application secured by PhenixID server two-factor authentication, together with the shared secret configured in that application.

The attribute selector is used if the application lets users choose between different authentication methods, for instance SMS or OATH.

The value can be either an exact match, e.g. 44=SMS, or a regular expression, e.g. 44=^.*Token.*$, which matches any string containing the word Token.

In the examples above, 44 is the RADIUS attribute carrying the selector; the attribute number may differ depending on the application.
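The two places where RADIUS request data drives this scenario are the {{request.User-Name}} placeholder in the LDAP search filter and the attribute selector rule. The following is an added example, not PhenixID code, showing how a defender would expect both to be handled: the placeholder value is escaped per RFC 4515 before it is spliced into the filter, and the selector is tried as an exact match before being treated as a regular expression (the order is an assumption; the request dictionary and function names are constructed for the example).

```python
import re

# RFC 4515 escaping of a value that is substituted into an LDAP search filter.
# Assumption: the RADIUS User-Name arrives as an unescaped string.
_LDAP_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_LDAP_ESCAPE.get(ch, ch) for ch in value)

# Matches placeholders of the form {{request.<RADIUS attribute name>}}.
TEMPLATE_RE = re.compile(r"\{\{request\.([A-Za-z0-9-]+)\}\}")

def render_filter(template: str, request: dict) -> str:
    """Replace every {{request.X}} placeholder with the escaped value of
    Access-Request attribute X. A missing attribute is an error, not an
    empty string, so a malformed request cannot widen the search."""
    def repl(match: re.Match) -> str:
        name = match.group(1)
        if name not in request:
            raise KeyError(f"Access-Request lacks attribute {name}")
        return escape_filter_value(request[name])
    return TEMPLATE_RE.sub(repl, template)

def selector_matches(rule: str, request: dict) -> bool:
    """Evaluate a selector rule such as '44=SMS' or '44=^.*Token.*$'.
    An exact comparison is tried first; otherwise the right-hand side is
    used as a regular expression that must match the whole value."""
    attr, _, pattern = rule.partition("=")
    value = request.get(attr.strip())
    if value is None:
        return False          # attribute absent: selector does not apply
    if value == pattern:
        return True
    return re.fullmatch(pattern, value) is not None

if __name__ == "__main__":
    # Constructed Access-Request: attribute 44 carries the method selector.
    req = {"User-Name": "alice@phenixid.local", "44": "Use Token please"}
    print(render_filter("mail={{request.User-Name}}", req))
    print(selector_matches("44=^.*Token.*$", req))
```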

Configure PIN code settings

If using PIN code, enable it and configure the PIN code placement and the user store attribute containing the PIN code.

Finish

Click Create to complete the scenario.

After a couple of seconds the RADIUS server is ready to handle incoming authentication requests.

Edit configuration

Additional configuration or deletion is done by expanding the heading and clicking the name of the item to edit.

General

General information about the scenario including RADIUS server and client configuration.

Execution flow

The configured execution flow for this RADIUS authentication. Add, edit or delete valves to suit your specific authentication needs.

Advanced

Specify which attributes should be returned to the RADIUS client from the PhenixID server.

Note that the internal attributes must be fetched or created during the execution flow, for example fetched by the LDAPSearchValve by adding them to its attributes property.

Incoming attributes is a list of incoming Access-Request attributes to be returned in the Access-Accept.

  • Example: 56,44

Response attributes is a list of internal attributes to be returned to the client in the Access-Accept.

  • Example: 56=pager,25=mobile

Vendor specific attributes is a list of internal attributes to be returned to the client in the Access-Accept in Vendor-Specific format.

  • Format: vendorid:type:parameter
  • Example: 5089:1:mobile