In Active Directory user properties we have several fields, for example "Office".
Can I use this field to put a PIN like 1234 there for that user, and use this value as a "secondary password" for that user via secondary authentication on a realm/login page?
So, the idea is:
User goes to loginpage.
User types in his domain username and his domain password.
Then in a third login-field the user "clicks" his PIN with the mouse on a virtual keyboard on the screen.
And that third field has to be that PIN, which is the value of the Active Directory attribute physicalDeliveryOfficeName.
I have to do this only via RADIUS, as the users are from different Active Directories and can only be authenticated via RADIUS proxy.
It works fine with local users, but I would prefer to use any field in user properties from Active Directory.
So the question is:
is there a solution guide or some hints on how to use an Active Directory user properties field in combination with IAS RADIUS and "check" with secondary login whether the secondary "password[2]" (which is a 4-digit PIN number) which the user "clicks" via virtual keyboard is the same value as the value of that attribute in Active Directory?
I don't know if someone knows what I am talking about... ;-)
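The secondary check the question describes (the clicked 4-digit PIN compared with the user's physicalDeliveryOfficeName value), as an added example in Python that is not part of this thread or of any vendor's product: it assumes the ldap3 library for the real directory lookup, uses placeholder server and base DN values, and ships with a constructed in-memory directory so it runs offline.

```python
"""Second-factor PIN check against an AD attribute (added example, not from the thread).

The directory lookup is injected as a callable so the check runs offline;
`ldap_lookup` shows the real thing with ldap3 (assumed installed; server, bind
account and base DN are placeholders to be replaced).
"""
import hmac
import re
from typing import Callable, Iterable, Optional

PIN_ATTR = "physicalDeliveryOfficeName"   # the "Office" field from the question
PIN_RE = re.compile(r"^[0-9]{4}$")         # the thread's 4-digit PIN format


def check_pin(attr_values: Optional[Iterable[str]], supplied: str) -> bool:
    """True only if exactly one well-formed PIN is stored and it matches."""
    if not PIN_RE.fullmatch(supplied or ""):
        return False                       # reject empty or malformed input up front
    values = [v.strip() for v in (attr_values or [])]
    if len(values) != 1 or not PIN_RE.fullmatch(values[0]):
        return False                       # missing, blank, multi-valued or non-PIN office value never passes
    return hmac.compare_digest(values[0].encode(), supplied.encode())  # constant-time compare


def second_factor_ok(username: str, supplied: str,
                     lookup: Callable[[str], Optional[list]]) -> bool:
    """Fetch the user's attribute through `lookup` and verify the clicked PIN."""
    return check_pin(lookup(username), supplied)


def ldap_lookup(username: str, server_uri: str, bind_dn: str, bind_pw: str,
                base_dn: str) -> Optional[list]:
    """Real lookup via ldap3 (assumed available); returns the attribute values or None."""
    from ldap3 import Connection, Server          # imported here so the offline demo needs no ldap3
    from ldap3.utils.conv import escape_filter_chars
    conn = Connection(Server(server_uri, use_ssl=True), bind_dn, bind_pw, auto_bind=True)
    conn.search(base_dn, f"(sAMAccountName={escape_filter_chars(username)})",
                attributes=[PIN_ATTR])
    if len(conn.entries) != 1:                    # no user, or ambiguous match: fail closed
        return None
    return list(conn.entries[0][PIN_ATTR].values)


# Constructed stand-in for the directory so the example runs offline.
FAKE_DIRECTORY = {
    "alice": ["1234"],
    "bob": [],              # attribute never set
    "carol": ["Room 12"],   # office field used for its original purpose
}

if __name__ == "__main__":
    print(second_factor_ok("alice", "1234", FAKE_DIRECTORY.get))  # True
```

Under default AD permissions physicalDeliveryOfficeName is readable by any authenticated domain account, so a PIN kept there is not protected the way a password hash is; the check above only proves the two values match, it does not make the attribute secret.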
Not in front of my SSL VPN box so I can't look at anything, but you raise some interesting questions. The first issue is linking a RADIUS attribute to a specific MS attribute. This is not an SSL question but a Microsoft question. I know that you can use "vendor specific" RADIUS attributes in IAS, but I have never tried to link to an MS AD attribute like you refer to. I think you have to solve that problem external to the SSL box first.
Question - can you use LDAP instead? It is really easy to use LDAP and link to an AD attribute and use that as part of the auth process. I am not sure about using it as a "password" but you can use it as a user-ID type attribute. You are just looking for a secondary attribute validation right?
Yes - you have got it!
Yes, it's validation of a second "password".
I would like to do it with LDAP, but as I have to implement users from many different Active Directories without trust relationship, I can only use RADIUS proxy...
I can imagine this "could" work with LDAP; maybe I can use the attribute in role mapping rules, with a custom expression or user attribute.
But - HOW? I would like to know how I can use LDAP to accomplish the task.
Not fixed yet - JTAC maybe will find a way in their test lab.
The syntax of custom expressions could be better documented with more examples - though the admin manuals are great and the appendix gives much information about custom expressions.
[email protected] = [email protected]
Custom expressions don't accept syntax like password[2].
That's irritating: depending on the admin console page, you sometimes have to use this syntax, and on other pages another one.
Anyway, I found another solution: if this one does not work, I will go another way with external RADIUS servers on Debian with FreeRADIUS.