Username, Password & One Touch

Completing this scenario produces a RADIUS authentication flow that combines username and password with PhenixID One Touch.

The user authenticates with username and password, and the provided credentials are verified against the configured user store. Only a positive answer from the user store lets the authentication proceed to the next step, which sends an assignment to the user's One Touch application; a rejected password never triggers an assignment. The user then approves the assignment in the app and completes the login.

This article will use LDAP as the primary user store.

Name & Description

Start by giving the scenario a friendly name and description. Then click Next. 

User store selection

User search settings

Enter a search filter; it is used to locate the authenticating user. Configure the search base either by browsing to it with "Choose" or by entering the search base root manually. None of the values may be blank.

Example for logging in with the email address as username:

mail={{request.User-Name}}

The following example only allows users that are members of OTP-GROUP and whose title starts with Manager:

(&(sAMAccountName={{request.User-Name}})(memberof=cn=OTP-GROUP,ou=groups,dc=phenixid,dc=local)(title=Manager*))
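The value of {{request.User-Name}} is whatever the RADIUS client put in the Access-Request, so it is untrusted input inside the filter. This article does not state whether the PhenixID server escapes it before substitution. The following added example (not code from this page or from PhenixID) shows how such a template is rendered safely: the substituted value is escaped as RFC 4515 requires, while the administrator's own wildcard in title=Manager* is left intact. The placeholder syntax and the sample requests are assumptions taken from the two filters above.

```python
"""Render a search-filter template against RADIUS request attributes.

Added example, not PhenixID code. It assumes the {{request.<Attribute>}}
placeholder syntax shown in the article and that the substituted User-Name
must be treated as untrusted input. Whether the PhenixID server escapes the
value itself is not stated in the article, so this code applies RFC 4515
escaping before substitution; the template's own wildcards (title=Manager*)
are left untouched because they come from the administrator, not the user.
"""
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Matches {{request.User-Name}}, {{request.NAS-IP-Address}} and similar placeholders.
_PLACEHOLDER = re.compile(r"\{\{request\.([A-Za-z0-9-]+)\}\}")

# The two filters from the article, used here as sample templates.
MAIL_FILTER = "mail={{request.User-Name}}"
GROUP_FILTER = (
    "(&(sAMAccountName={{request.User-Name}})"
    "(memberof=cn=OTP-GROUP,ou=groups,dc=phenixid,dc=local)"
    "(title=Manager*))"
)


def escape_filter_value(value: str) -> str:
    """Escape one value for use inside an LDAP filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, request: dict) -> str:
    """Replace each {{request.X}} with the escaped value of RADIUS attribute X.

    A referenced attribute that is missing from the request raises KeyError
    rather than substituting an empty string: a filter such as (mail=) would
    otherwise be sent to the directory and quietly match nothing.
    """
    def substitute(match: re.Match) -> str:
        return escape_filter_value(request[match.group(1)])

    return _PLACEHOLDER.sub(substitute, template)


if __name__ == "__main__":
    # Constructed sample requests: a normal login and a filter-injection attempt.
    print(render_filter(MAIL_FILTER, {"User-Name": "alice@phenixid.local"}))
    print(render_filter(GROUP_FILTER, {"User-Name": "*)(objectClass=*"}))
```

With escaping in place, a username of `*)(objectClass=*` becomes the literal assertion value `\2a\29\28objectClass=\2a`, so the group and title conditions cannot be bypassed by closing the filter early.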

Configure RADIUS Server

Select existing or create new RADIUS server.

To create a new RADIUS server, follow the steps in the RADIUS connection guide.

Configure RADIUS client

The RADIUS client is the IP address that the system allows to use this listener/connection.

Set it to the IP address of the application that the PhenixID server protects with two-factor authentication, together with the shared secret configured on that application. The client IP address and the shared secret are all that authenticate the application to the RADIUS server, so use a long, randomly generated secret and do not share one secret between clients.

The attribute selector is used when the application lets users choose between different authentication methods, for instance SMS or OATH.

The value is either an exact match, 44=SMS, or a regular expression, 44=^.*Token.*$, which matches any string containing the word Token.

In the example above, 44 is the number of the RADIUS attribute that carries the selector; which attribute is used depends on the application.
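The following added example (not code from this page or from PhenixID) shows how a selector in the form above is evaluated against an incoming Access-Request. The article does not say how the server tells an exact value from a regular expression, so the code compares for equality first and only then tries the value as an anchored regular expression; both selectors from the article behave as described under that rule. The attribute numbers, the method names and the sample requests are constructed.

```python
"""Evaluate an attribute selector such as 44=SMS or 44=^.*Token.*$ against the
attributes of an incoming Access-Request.

Added example, not PhenixID code. The article does not say how the server
decides whether a selector value is an exact string or a regular expression,
so this code compares for equality first and then tries the value as an
anchored regular expression. Attribute numbers, method names and sample
values are constructed.
"""
import re
from typing import Dict, Optional, Tuple


def parse_selector(spec: str) -> Tuple[int, str]:
    """Split "44=^.*Token.*$" into (44, "^.*Token.*$"). Only the first '=' separates."""
    number, sep, pattern = spec.partition("=")
    if not sep or not number.strip().isdigit() or pattern == "":
        raise ValueError(f"selector must be <attribute number>=<value>: {spec!r}")
    return int(number), pattern


def selector_matches(spec: str, request: Dict[int, str]) -> bool:
    """True if the request carries the attribute and it equals the selector value
    or, failing that, fully matches it as a regular expression."""
    number, pattern = parse_selector(spec)
    value = request.get(number)
    if value is None:
        return False          # attribute absent: this selector does not apply
    if value == pattern:
        return True           # exact match, e.g. 44=SMS
    try:
        # fullmatch, so a pattern without anchors cannot match a substring by accident
        return re.fullmatch(pattern, value) is not None
    except re.error:
        return False          # an invalid pattern fails closed and never selects a method


def choose_method(selectors: Dict[str, str], request: Dict[int, str]) -> Optional[str]:
    """Return the first method whose selector matches, or None to use the default flow."""
    for method, spec in selectors.items():
        if selector_matches(spec, request):
            return method
    return None


# Constructed selectors for two methods; the request values below are constructed too.
SELECTORS = {"sms": "44=SMS", "oath": "44=^.*Token.*$"}

if __name__ == "__main__":
    for attr44 in ("SMS", "SMS2", "HardwareToken1", "OATH"):
        print(attr44, "->", choose_method(SELECTORS, {44: attr44}))
```

Because an exact comparison runs before the regular-expression match, a selector value that happens to contain regex metacharacters still matches itself literally, and the `fullmatch` keeps `44=SMS` from also accepting `SMS2`.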

Finish

Click Create to complete the scenario.

After a couple of seconds the RADIUS server is ready to handle incoming authentication requests.

Edit configuration

Additional configuration or deletion is done by expanding the heading and clicking the desired name of what needs to be edited.

General

General information about the scenario including RADIUS server and client configuration.

Execution flow

The configured execution flow for this RADIUS authentication. Add, edit or delete valves to suit your specific authentication needs.

Advanced

Contains One Touch and RADIUS return attributes configuration.

Specify which attributes the PhenixID server should return to the RADIUS client.

Note that internal attributes must be fetched or created during the execution flow, for example by the LDAPSearchValve, by adding them to its attributes property. An attribute that is not fetched or created there has no value to return.

Incoming attributes is a list of incoming Access-Request attributes to be returned at Access-Accept.

  • Example: 56,44

Response attributes is a list of internal attributes to be returned to the client at Access-Accept.

  • Example: 56=pager,25=mobile

Vendor specific attributes is a list of internal attributes to be returned to the client at Access-Accept in Vendor Specific format.

  • Format: vendorid:type:parameter
  • Example: 5089:1:mobile
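The following added example (not code from this page or from PhenixID) takes the three lists above in the formats shown, builds the attribute list of an Access-Accept from a request and the internal attributes a preceding LDAPSearchValve would have fetched, and encodes the result in RFC 2865 wire format, including the Vendor-Specific (type 26) layout that vendorid:type:parameter expands to. It also shows what happens to an internal attribute the execution flow never fetched: it is simply omitted. The request contents, the internal attribute values and vendor id 5089 with type 1 are constructed sample data, not a real vendor dictionary.

```python
"""Build and encode the attributes of a RADIUS Access-Accept from the three
return lists described in the Advanced section.

Added example, not PhenixID code. It takes the list formats at face value
("56,44", "56=pager,25=mobile", "5089:1:mobile"); the request attributes,
the internal attribute values and vendor id 5089 with type 1 are constructed
sample data, not a real vendor dictionary. Wire encoding follows RFC 2865
sections 5 and 5.26.
"""
import struct
from typing import Dict, List, Tuple

VENDOR_SPECIFIC = 26  # RFC 2865 section 5.26

# Constructed sample Access-Request (attribute number -> raw value) and the
# internal attributes a preceding LDAPSearchValve would have fetched.
SAMPLE_REQUEST: Dict[int, bytes] = {1: b"alice", 44: b"SMS", 56: b"1234"}
SAMPLE_INTERNAL: Dict[str, str] = {"pager": "0700000000", "mobile": "0701234567"}


def parse_incoming(spec: str) -> List[int]:
    """"56,44" -> [56, 44]: request attribute numbers to echo back."""
    return [int(item) for item in spec.split(",") if item.strip()]


def parse_response(spec: str) -> List[Tuple[int, str]]:
    """"56=pager,25=mobile" -> [(56, "pager"), (25, "mobile")]."""
    pairs = []
    for item in spec.split(","):
        if not item.strip():
            continue
        number, sep, name = item.partition("=")
        if not sep or not number.strip().isdigit():
            raise ValueError(f"expected <attribute>=<internal attribute>: {item!r}")
        pairs.append((int(number), name.strip()))
    return pairs


def parse_vsa(spec: str) -> List[Tuple[int, int, str]]:
    """"5089:1:mobile" -> [(5089, 1, "mobile")]: vendorid:type:parameter."""
    triples = []
    for item in spec.split(","):
        if not item.strip():
            continue
        vendor, vtype, name = item.split(":")
        triples.append((int(vendor), int(vtype), name.strip()))
    return triples


def build_accept_attributes(incoming_spec: str, response_spec: str, vsa_spec: str,
                            request: Dict[int, bytes], internal: Dict[str, str]
                            ) -> List[Tuple[int, bytes]]:
    """Return the (attribute number, value) pairs to place in the Access-Accept.

    An incoming attribute absent from the request, or an internal attribute the
    execution flow never fetched, produces no attribute at all.
    """
    attrs: List[Tuple[int, bytes]] = []
    for number in parse_incoming(incoming_spec):
        if number in request:
            attrs.append((number, request[number]))
    for number, name in parse_response(response_spec):
        if name in internal:
            attrs.append((number, internal[name].encode()))
    for vendor, vtype, name in parse_vsa(vsa_spec):
        if name in internal:
            value = internal[name].encode()
            # Vendor-Id (4 bytes, high byte zero) followed by the vendor's own
            # type/length/value, where length counts the 2-byte sub-header.
            payload = struct.pack("!IBB", vendor, vtype, 2 + len(value)) + value
            attrs.append((VENDOR_SPECIFIC, payload))
    return attrs


def encode_attributes(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Encode attributes as RADIUS TLVs: 1-byte type, 1-byte length (header included), value."""
    out = b""
    for number, value in attrs:
        if len(value) > 253:
            raise ValueError(f"attribute {number} does not fit in one RADIUS attribute")
        out += struct.pack("!BB", number, 2 + len(value)) + value
    return out


if __name__ == "__main__":
    built = build_accept_attributes("56,44", "56=pager,25=mobile", "5089:1:mobile",
                                    SAMPLE_REQUEST, SAMPLE_INTERNAL)
    for number, value in built:
        print(number, value)
    print(encode_attributes(built).hex())
```

Note that with the article's own lists attribute 56 is produced twice, once echoed from the request and once from the internal pager attribute; whether the client accepts two instances is up to the application, so check that before configuring the same number in both lists.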