mengler_136249
Aug 05, 2016

APM - RADIUS Variables

We have an APM profile that runs our VPN. Currently, the users input the SAMAccountName into the username field, and then in the password field, they combine their 2-factor token and their password. We...
  • Lucas_Thompson_
    Aug 05, 2016

    Unfortunately, all authentication Policy items (AD auth, RADIUS auth, LDAP, SecurID auth) assume that:

    1. The source of the username is "session.logon.last.username"
    2. The source of the password is "session.logon.last.password"
    3. The source of the password is encrypted

    So in order to do any 2-factor authentication you have to:

    1. collect the token, username, and password together in the logon page
    2. make sure your token code is in session.logon.last.password (use a variable assign)
    3. do the token auth
    4. make sure your password is in session.logon.last.password (use a variable assign)
    5. do the password auth
    6. make sure the SSO variables are mapped to the password auth

    We do have an enhancement request ID400742 to allow for a user-defined tokencode source for RADIUS, which eliminates the variable assign step(s) (1-2 depending on how your access policy is set up). If you think this would be helpful, you can feel free to open a support ticket to request this functionality. Provide the ID number in the ticket.
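
The six steps above laid out as an access policy sketch. This is an added example, not part of the original reply and not F5's own configuration; the logon page field names `adpassword` and `tokencode` are assumptions, and the two assignment lines are Variable Assign entries (custom variable = custom Tcl expression).

```tcl
# Assumed Logon Page fields (APM stores each as session.logon.last.<name>):
#   field 1  type text      variable "username"    -> session.logon.last.username
#   field 2  type password  variable "adpassword"  -> session.logon.last.adpassword
#   field 3  type password  variable "tokencode"   -> session.logon.last.tokencode
#
# Policy order:
#   Logon Page
#     -> Variable Assign A -> RADIUS Auth      (token check)
#     -> Variable Assign B -> AD Auth          (password check)
#     -> SSO Credential Mapping -> Allow
#   Every fallback/failure branch ends in Deny.

# Variable Assign A: put the token where RADIUS Auth reads its password.
# Mark the entry "Secure" so the value stays encrypted in the session.
# "return" is used instead of "expr" so an all-digit token code with a
# leading zero is passed through as a string, not reinterpreted as a number.
session.logon.last.password = return [mcget -secure {session.logon.last.tokencode}]

# Variable Assign B: runs only on the RADIUS Auth success branch.
# Replace the token with the AD password before AD Auth, so the SSO
# Credential Mapping that follows picks up the password, not the token.
# Mark the entry "Secure" as well.
session.logon.last.password = return [mcget -secure {session.logon.last.adpassword}]
```

With this field naming, each Variable Assign item holds a single entry, so nothing depends on the order in which entries inside one item are evaluated.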