NimbostratusAPM - RADIUS Variables
We have a APM profile that runs our VPN. Currently, the users input the SAMAccountName into the username field, and then in the password field, the combine their 2 factor token and their password. We then hand that off to our Active Directory Servers via RADIUS. The application then verifies both the token and the password.
What I would like to do is create a third field on the logon page that allows users to separate out password and token, and then in the background I would like to combine the token and password fields to send via RADIUS to the Active Directory servers.
Im having a hard time figuring out how to do this thought. I have attempted to do a variable assign within the VPE, in which I create a new session variable and concatenate the two fields, but I dont know how to get the next object (RADIUS Auth) to use my new session variable.
Unfortunately all authentication Policy items (AD auth, RADIUS auth, LDAP, securid auth) assume that:
- The source of the username is "session.logon.last.username"
- The source of the password is "session.logon.last.password"
- The source of the password is encrypted
So in order to do any 2-factor authentication you have to:
- collect the token, username, and password together in the logon page
- make sure your token code is in session.logon.last.password (use a variable assign)
- do the token auth
- make sure your password is in session.logon.last.password (use a variable assign)
- do the password auth
- make sure the SSO variables are mapped to the password auth
We do have an enhancement request ID400742 to allow for a user-defined tokencode source for RADIUS, which eliminates the variable assign step(s) (1-2 depending on how your access policy is set up). If you think this would be helpful, you can feel free to open a support ticket to request this functionality. Provide the ID number in the ticket.
