Ok, I can use the Active Directory user properties field "Callback-Number" with RADIUS.
RADIUS sends the value of that attribute to the IVE in Access-Accept packets.
But how can I map the attribute "Callback-Number" (RADIUS attribute) to the IVE variable "password[2]"?
The goal of this role mapping rule is: if the value of the RADIUS attribute Callback-Number matches the value of the IVE attribute password[2], then map the user to role XYZ.
Maybe I need custom expressions for that?
So here we go again... still not fixed.
For secondary authentication, the password variable is password[2].
I tried with custom expressions; maybe I have a syntax error? It says "unknown variable" for password[2].
I tried lines like
[email protected] = password[2]
and tried to use that in role mapping rules, but it won't "eat" that custom expression.
I tried
[email protected] = <password[2]>
Nothing works...
Can I map one variable to another to check whether the values of both variables match, and create role mapping rules based on that?
Hello spacefreak,
I have a similar configuration that works. The only difference is that I use the [email protected] notation instead of (password[2]).
So I would try [email protected] = [email protected]
I tried your configuration and got the same problem.
-Tim
Still not fixed...
Yeah, that syntax in custom expressions works
[email protected] = [email protected]
but anyway, that does not work.
Though the admin guide says you can use the variable password[2] in role mapping rules, I cannot use any variable in role mapping rules.
If I use the above custom expression in role mapping rules, it does not work either.
Once again...
1. User goes to the login page.
2. On the login page there are two authentications: 1. via RADIUS (Active Directory) and 2. via Local (local user database).
3. When the user logs in, he gives domain credentials for the first auth ==> works fine, and the RADIUS server also returns in the RADIUS Access-Accept packet the RADIUS attribute value "callback-number" to the IVE, with the value "1234" (that's the number in the user's properties field "dial-in"...."callback-number" in Active Directory).
4. On the second auth the user enters a PIN number (that entered PIN number, like 1234, should be the value of the IVE variable password[2]).
5. A custom expression in the role mapping rules should verify whether the value of password[2] and the value of the RADIUS attribute callback-number match.
6. If both values match, the user should be mapped to a role. If they don't match, the user is mapped to no role and cannot reach any resources.
That's the theory!
Sure, in the local database there is neither the PIN nor the username. But I "think" that this should not matter.
Of course the second authentication will always "fail" as long as that user and password do not exist.
But why can I not use these attributes/variables in the way I need?
I think the problem is the way the IVE deals with the values of attributes, but that is not documented, so I have to try things out.
But I tried several combinations and possible solutions, but so far no success.
I CAN use RADIUS attributes without any problem in role mapping rules (with "Userattribute").
But only when I enter the "VALUE" on the role mapping in clear text.
Or when I enter the value in a custom expression.
But as the "value" is different for each user, I need a way to verify whether the value of one attribute matches the value of an IVE variable.
I hope someone understands what I am talking about...
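The decision described in the numbered steps above, as an added Python example that is not IVE code and not from anyone in this thread: it parses the attribute list of a constructed RADIUS Access-Accept, takes Callback-Number (RADIUS attribute type 19 per RFC 2865) and compares it with the value entered as password[2], mapping to role XYZ (the role name from the first post) only on a match. The sample attribute bytes are constructed for the example.

```python
"""Simulate the role-mapping check: Callback-Number from the RADIUS
Access-Accept must equal the PIN the user typed as password[2]."""
import hmac
import struct
from typing import Dict, List, Optional

CALLBACK_NUMBER = 19  # RADIUS attribute type for Callback-Number (RFC 2865)
USER_NAME = 1         # RADIUS attribute type for User-Name (RFC 2865)
ROLE_ON_MATCH = "XYZ"


def build_attribute(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type (1 byte), Length (1 byte), Value."""
    return struct.pack("BB", atype, len(value) + 2) + value


def parse_radius_attributes(payload: bytes) -> Dict[int, List[bytes]]:
    """Parse the attribute list that follows the 20-byte RADIUS header.
    Returns {type: [value, ...]} and rejects malformed lengths."""
    attrs: Dict[int, List[bytes]] = {}
    i = 0
    while i + 2 <= len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        attrs.setdefault(atype, []).append(payload[i + 2 : i + alen])
        i += alen
    return attrs


def map_role(accept_attrs: bytes, password2: str) -> Optional[str]:
    """Return ROLE_ON_MATCH if Callback-Number equals password[2], else None
    (no role). A missing or duplicated attribute also yields no role."""
    values = parse_radius_attributes(accept_attrs).get(CALLBACK_NUMBER, [])
    if len(values) != 1:
        return None
    # constant-time comparison so a wrong PIN fails in the same time as a right one
    if hmac.compare_digest(values[0], password2.encode()):
        return ROLE_ON_MATCH
    return None


# Constructed sample: User-Name "jdoe" and Callback-Number "1234", as the
# thread describes the AD dial-in field being returned by RADIUS.
SAMPLE_ACCEPT_ATTRS = build_attribute(USER_NAME, b"jdoe") + \
    build_attribute(CALLBACK_NUMBER, b"1234")

if __name__ == "__main__":
    print(map_role(SAMPLE_ACCEPT_ATTRS, "1234"))  # XYZ
    print(map_role(SAMPLE_ACCEPT_ATTRS, "9999"))  # None
```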