Username, Password & OTP delivered by SMS
Performing this scenario produces a RADIUS authentication flow with username, password and a one-time password (OTP) delivered by SMS, using either Active Directory, LDAP or an SQL database as the primary user store.
This article uses LDAP as the primary user store.
User store selection
Select existing or create new primary user store.
To create a new connection, follow the steps in the LDAP connection guide.
User search settings
Enter a search filter. It is used to locate the authenticating user. Configure the search base either by browsing (click "Choose") or by entering the search base root manually. None of the values may be blank.
Example to log in using the email address as username:
mail={{request.User-Name}}
The following example only allows users who are members of OTP-GROUP and whose title starts with Manager:
(&(sAMAccountName={{request.User-Name}})(memberof=cn=OTP-GROUP,ou=groups,dc=phenixid,dc=local)(title=Manager*))
Configure RADIUS Server
Select existing or create new RADIUS server.
To create a new RADIUS server, follow the steps in the RADIUS connection guide.
Configure RADIUS client
The RADIUS client is the IP address allowed by the system to use this listener/connection.
Set it to the IP address of the application secured by PhenixID server two-factor authentication, and enter the shared secret corresponding to that application.
The attribute selector is used if the application lets users choose between different authentication methods, for instance SMS or OATH.
The value can be either an exact match, 44=SMS, or a regular expression, 44=^.*Token.*$ (any string containing the word Token).
In the examples above, 44 is the RADIUS attribute containing the selector; the attribute used can differ depending on the application.
Configure PhenixID Message Gateway
Select existing or create new Message Gateway configuration.
To create a new Message Gateway configuration, follow the steps in the Message Gateway settings guide.
Configure one-time password settings
Specify the length of the OTP and the attribute containing the phone number to which the SMS should be sent.
Configure PIN code settings
If using a PIN code, enable it and configure the PIN code placement and the user store attribute containing the PIN code.
Finish
Click Create to complete the scenario.
After a couple of seconds the RADIUS server is ready to handle incoming authentication requests.
Edit configuration
Additional configuration or deletion is done by expanding the heading and clicking the name of the item to be edited.
Execution flow
This section shows the configured execution flow for this RADIUS authentication. Add, edit or delete valves to suit your specific authentication needs.
Advanced
Specify which attributes should be returned to the RADIUS client from the PhenixID server.
Note that the internal attributes must be fetched or created during the execution flow, for example fetched by the LDAPSearchValve by adding them to its attributes property.
Incoming attributes is a list of incoming Access-Request attributes to be returned at Access-Accept.
- Example: 56,44
Response attributes is a list of internal attributes to be returned to the client at Access-Accept.
- Example: 56=pager,25=mobile
Access-challenge attributes is a list of internal attributes to be returned to the client at Access-Challenge.
- Example: 44=mail,25=mobile
Vendor specific attributes is a list of internal attributes to be returned to the client at Access-Accept in Vendor Specific format.
- Format: vendorid:type:parameter
- Example: 5089:1:mobile
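To make the attribute selector (Configure RADIUS client) and the Advanced attribute mapping concrete, here is an added example that is not PhenixID code: it parses the selector and mapping strings in the formats shown in this guide and composes the Access-Accept attribute list. It assumes attribute values are already decoded strings, that a selector value is tried as an exact match first and otherwise as a regular expression matched against the whole value, and that vendor specific attributes are emitted as RADIUS attribute 26 tuples; the request and internal attribute values are constructed sample data.

```python
import re

# Assumption: selector string is "type=value" or "type=regex" (guide: 44=SMS,
# 44=^.*Token.*$). Exact match first, then regex over the whole value.
def selector_matches(selector, request_attrs):
    attr_type, pattern = selector.split("=", 1)
    value = request_attrs.get(int(attr_type))
    if value is None:
        return False
    if value == pattern:
        return True
    return re.fullmatch(pattern, value) is not None

# config keys mirror the Advanced settings: "incoming" ("56,44"),
# "response" ("56=pager,25=mobile"), "vendor" ("5089:1:mobile").
def build_accept_attributes(config, request_attrs, internal_attrs):
    out = []
    # Incoming attributes: echo selected Access-Request attributes back.
    for t in filter(None, config.get("incoming", "").split(",")):
        t = int(t)
        if t in request_attrs:
            out.append((t, request_attrs[t]))
    # Response attributes: RADIUS type = internal attribute name. The internal
    # attribute must have been fetched by a valve, otherwise it is skipped.
    for item in filter(None, config.get("response", "").split(",")):
        t, name = item.split("=", 1)
        if name in internal_attrs:
            out.append((int(t), internal_attrs[name]))
    # Vendor specific attributes: vendorid:type:parameter, emitted as
    # (26, vendor_id, vsa_type, value) (assumed representation).
    for item in filter(None, config.get("vendor", "").split(",")):
        vendor_id, vsa_type, name = item.split(":")
        if name in internal_attrs:
            out.append((26, int(vendor_id), int(vsa_type), internal_attrs[name]))
    return out

if __name__ == "__main__":
    # Constructed sample request and internal attributes.
    request = {1: "alice", 44: "MyToken1"}
    internal = {"mobile": "+46700000000", "mail": "alice@example.com"}
    print(selector_matches("44=^.*Token.*$", request))
    config = {"incoming": "56,44", "response": "56=pager,25=mobile",
              "vendor": "5089:1:mobile"}
    print(build_accept_attributes(config, request, internal))
```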