Username, Password & One Touch
Performing this scenario will produce a RADIUS username, password and PhenixID One Touch authentication.
The user authenticates with username and password, and the provided data is verified against the configured user store. If the user store returns a positive answer, authentication proceeds to the next step and an assignment is sent to the user's One Touch application. The user then approves the assignment in One Touch to complete the login.
This article will use LDAP as the primary user store.
Name & Description
Start by giving the scenario a friendly name and description. Then click Next.
User store selection
Select existing or create new primary user store.
To create a new connection, follow the steps in the LDAP connection guide.
User search settings
Enter a search filter. It will be used to locate the authenticating user. Configure the search base either by browsing (click "Choose") or by entering the search base root manually. None of the values may be blank.
Example for logging in with the email address as username:
mail={{request.User-Name}}
The following example only allows users who are members of OTP-GROUP and whose title starts with Manager:
(&(sAMAccountName={{request.User-Name}})(memberof=cn=OTP-GROUP,ou=groups,dc=phenixid,dc=local)(title=Manager*))
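As an added illustration (not part of the PhenixID product or of this guide), the following Python shows how the {{request.User-Name}} placeholder in templates like the two above is filled from a RADIUS Access-Request, with the substituted value escaped per RFC 4515 so that filter metacharacters in a submitted username cannot change the structure of the filter. Whether PhenixID itself escapes the value is not stated in this guide; the function names and the sample usernames are assumptions.

```python
import re

# RFC 4515 escaping for characters that are special inside a filter assertion value.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The two templates from this guide.
EMAIL_FILTER = "mail={{request.User-Name}}"
MANAGER_FILTER = ("(&(sAMAccountName={{request.User-Name}})"
                  "(memberof=cn=OTP-GROUP,ou=groups,dc=phenixid,dc=local)"
                  "(title=Manager*))")

# Matches {{request.<Attribute-Name>}} placeholders (hypothetical parser, not PhenixID's).
_PLACEHOLDER = re.compile(r"\{\{request\.([A-Za-z0-9-]+)\}\}")


def escape_filter_value(value: str) -> str:
    """Escape a value so it is treated as literal text inside an LDAP filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def render_filter(template: str, request: dict) -> str:
    """Expand placeholders from the RADIUS Access-Request attributes.

    Wildcards written in the template itself (e.g. Manager*) are kept, while every
    value taken from the request is escaped. A missing or blank attribute raises,
    mirroring the guide's rule that none of the values may be blank.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        value = request.get(name, "")
        if not value:
            raise ValueError(f"RADIUS attribute {name} is missing or blank")
        return escape_filter_value(value)

    return _PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample requests: a normal login and a username carrying filter metacharacters.
    for user in ("alice@example.com", "alice*)(title=*"):
        print(render_filter(EMAIL_FILTER, {"User-Name": user}))
    print(render_filter(MANAGER_FILTER, {"User-Name": "bob"}))
```

With the second sample username the output is mail=alice\2a\29\28title=\2a, a single assertion on the mail attribute rather than additional filter terms.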
Configure RADIUS Server
Select existing or create new RADIUS server.
To create a new RADIUS server, follow the steps in the RADIUS connection guide.
Configure RADIUS client
The RADIUS client is the IP address that the system allows to use this listener/connection.
Set it to the IP address of the application secured by PhenixID server two-factor authentication, together with the shared secret configured in that application.
The attribute selector is used when the application lets users choose between different authentication methods, for instance SMS or OATH.
The value can be either an exact match, 44=SMS, or a regular expression, 44=^.*Token.*$, which matches any string containing the word Token.
In these examples 44 is the RADIUS attribute carrying the selector; the attribute number may differ depending on the application.
Finish
Click Create to complete the scenario.
After a couple of seconds the RADIUS server is ready to handle incoming authentication requests.
Edit configuration
Additional configuration or deletion is done by expanding the heading and clicking the desired name of what needs to be edited.
Execution flow
The configured execution flow for this RADIUS authentication. Add, edit or delete valves to fit your specific authentication needs.
Advanced
Contains One Touch and RADIUS return attributes configuration.
Specify what attributes that should be returned to the RADIUS client from the PhenixID server.
Note: the internal attributes must be fetched or created during the execution flow, for example by the LDAPSearchValve, by adding them to its attributes property.
Incoming attributes is a list of incoming Access-Request attributes to be returned at Access-Accept.
- Example: 56,44
Response attributes is a list of internal attributes to be returned to the client at Access-Accept.
- Example: 56=pager,25=mobile
Vendor specific attributes is a list of internal attributes to be returned to the client at Access-Accept in Vendor Specific format.
- Format: vendorid:type:parameter
- Example: 5089:1:mobile