Older version

Username, Password & OTP delivered by SMS

Authentication over RADIUS with username, password and OTP sent by SMS. Usually used with various VPN solutions.

The user authenticates with username and password, the provided data will be verified against the configured user store. If we get a positive answer back a message containing the OTP will be sent to the user by SMS. User will then enter the OTP.

Start configuring by clicking "Scenarios"-> "Create scenario" ->"Username, Password & OTP delivered by SMS" -> "Start".

Name and Description

Start by entering name an description for the Scenario.

Configuring a datasource

First time configuration a new data source needs to be created. This will be used as source of authentication and user lookup.

If a datasource is already configured administrator can select it from the dropdown an proceed to next step.

If there is no datasource already configured, please choose "Create new" and on the next page choose what kind of connection this should be, LDAP or JDBC/SQL.

Then continue by entering name an description for the new data source.

Configure host ip or DNS name and LDAP port. For multiple hosts use comma as delimiter.

Enter user credentials to be used to access LDAP server/servers. Make sure the configured account has appropriate access rights in the data source. The account used should NOT be required to change passwords on a regular basis.

Configure security settings for accessing the data source. Often to enable SSL this require additional configuration on the data source.

Verify the connection settings.

Configure the LDAP search filter.

The function of the search filter is to find the correct user. In it's simplest form it may be enough to search on the user name.

Note that the search filter can be simple or advanced. The {{request.User-Name}} is the variable replaced by the value entered by the user.

Example to login using email as username:

mail={{request.User-Name}}

This following example will only allow users that are member of the OTP-GROUP and title starting with Manager.

(&(sAMAccountName={{request.User-Name}})(memberof=cn=OTP-GROUP,ou=groups,dc=phenixid,dc=local)(title=Manager*))

Search base defines the root from where users will be found.

Configuring RADIUS Server

First time configuration a new RADIUS Server needs to be created. This will be used by the RADIUS clients on the port/ports configured.

If a RADIUS Server is already configured administrator can select it from the dropdown an proceed to the next step.

Set the address that you want for the listener, or choose the default value to listen to all addresses.

Set the port that the RADIUS server will use for incoming requests.

Configuring RADIUS client

The Radius Client will be the IP address allowed by the system to use this listener/connection.

So set the IP address of the application secured by PhenixID server two-factor authentication. As well as the secret corresponding to the application.

Attribute selector will be used if the application has the possibility to allow the users to choose different authentication methods, for instance SMS or OATH.

This value can be either exact match, 44=SMS, or a regular expression, 44=^.*Token.*$, any string containing the word Token.

In the example above the value 44 is the RADIUS attribute containing the selector, but the RADIUS attribute can be different depending on the application.

Enable "Optional RADIUS return attributes" to specify what attributes that should be returned to the RADIUS client after successful authentication.

Incoming attributes is a list of radius attributes by number, separated by comma. For example 32,33.

Response attributes is a list of radius attributes containing the value that should be returned, also separated by comma. For example 25=carLicense,56=pager.

These two options are only used if the RADIUS client expects certain values to be returned. This step should normally be disabled.