experts wanted...attribute in user properties from active directory as secondary password via radius

spacyfreak_
Contributor

experts wanted...attribute in user properties from active directory as secondary password via radius

In Active Directory user properties we have several fields, for example "Office".

Can I use this field to put there a PIN like 1234 for that user, and use this value as a "secondary password" for that user via secondary authentication on a realm/login page?

So, the idea is:

User goes to loginpage.

User types in his domain username and his domain password.

Then in a third login field the user "clicks" his PIN with the mouse on a virtual keyboard on the screen.

And that third field has to be that PIN, which is the value of the Active Directory attribute physicalDeliveryOfficeName.

I have to do this only via RADIUS, as the users are from different Active Directories and can only be authenticated via RADIUS proxy.

It works fine with local users, but I would prefer to use any field in user properties from Active Directory.

4 REPLIES
spacyfreak_
Contributor

Re: experts wanted...attribute in user properties from active directory as secondary password via ra

So the question is -

is there a solution guide or some hints on how to use an Active Directory user properties field in combination with IAS RADIUS, and "check" with the secondary login whether the secondary "password[2]" (which is a 4-digit PIN number) that the user "clicks" via the virtual keyboard is the same value as the value of that attribute in Active Directory?

I don't know if someone knows what I am talking about... ;-)

muttbarker_
Valued Contributor

Re: experts wanted...attribute in user properties from active directory as secondary password via ra

Not in front of my SSL VPN box so I can't look at anything, but you raise some interesting questions. The first issue is linking a RADIUS attribute to a specific MS attribute. This is not an SSL question but a Microsoft question. I know that you can use "vendor specific" RADIUS attributes in IAS, but I have never tried to link to an MS AD attribute like you refer to. I think you have to solve that problem external to the SSL box first.

Question - can you use LDAP instead? It is really easy to use LDAP and link to an AD attribute and use that as part of the auth process. I am not sure about using it as a "password" but you can use it as a user-ID type attribute. You are just looking for a secondary attribute validation right?

Message Edited by muttbarker on 02-28-2009 11:57 AM
spacyfreak_
Contributor

Re: experts wanted...attribute in user properties from active directory as secondary password via ra

Yes - you have got it!

Yes, it's validation of a second "password".

I would like to do it with LDAP, but as I have to implement users from many different Active Directories without trust relationship, I can only use RADIUS proxy...

I can imagine this "could" work with LDAP; maybe I can use the attribute in role mapping rules, with a custom expression or user attribute.

But - HOW? I would like to know how I can use LDAP to accomplish the task.

spacyfreak_
Contributor

Re: experts wanted...attribute in user properties from active directory as secondary password via ra

Not fixed yet - JTAC maybe will find a way in their test lab.

The syntax of custom expressions could be better documented with more examples - though the admin manuals are great and the appendix gives much information about custom expressions.

[email protected] = [email protected]

Custom expressions don't accept syntax like password[2].

It's irritating that, depending on the admin console page, you sometimes have to use this syntax and on other pages another one.

Anyway, I found another solution: if this one does not work, I will go another way, with external RADIUS servers on Debian with FreeRADIUS.
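For the FreeRADIUS route mentioned in the last reply, the following is an added configuration example; it is not from this thread, from Juniper or from the FreeRADIUS project. It assumes FreeRADIUS 3.x, that the SSL VPN realm's secondary authentication server points at this FreeRADIUS instance and sends the clicked PIN as User-Password in a PAP request, and that the server name, bind account, base DN and file paths are placeholders to be replaced. The idea is to let the ldap module read the user's "Office" attribute (physicalDeliveryOfficeName) into control:Cleartext-Password, so that the pap module compares the PIN from the request against it.

```unlang
# /etc/freeradius/3.0/mods-available/ldap  (FreeRADIUS 3.x; all names below are assumptions)
ldap {
    # Domain controller of the forest whose users this instance authenticates.
    server = 'dc01.example.local'

    # Read-only service account; it only needs read access to physicalDeliveryOfficeName.
    identity = 'CN=svc-radius,OU=Service Accounts,DC=example,DC=local'
    password = 'CHANGE-ME-PLACEHOLDER'
    base_dn  = 'DC=example,DC=local'

    user {
        base_dn = "${..base_dn}"
        # Look the user up by sAMAccountName; fall back to User-Name if no realm was stripped.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    update {
        # Use the "Office" field as the reference value for the PIN check.
        # pap compares the request's User-Password (the clicked PIN) against it.
        control:Cleartext-Password := 'physicalDeliveryOfficeName'
    }
}

# /etc/freeradius/3.0/sites-available/default  (only the relevant sections)
authorize {
    # Optional: strip a "@realm" suffix so one instance can route several forests.
    suffix
    # Fetch the attribute from AD and set control:Cleartext-Password.
    ldap
    # Set Auth-Type = PAP when a cleartext reference password is present.
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
}
```

Because the poster has users from several forests without trust relationships, one ldap module instance per forest (with a distinct server, bind account and base DN) can be selected by the realm suffix in the authorize section, which keeps the whole PIN check behind a single RADIUS target for the SSL VPN. Two points worth checking before relying on this: physicalDeliveryOfficeName is an ordinary directory attribute stored in clear text and, by default, readable by any authenticated domain user, so the PIN is a low-assurance factor rather than a second secret of password strength; and the PIN travels to FreeRADIUS protected only by the RADIUS shared secret, so the SSL VPN to RADIUS path should stay on a trusted network segment.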