To enable this functionality, the Enable 2-Step Logons (Password + OTP via Access-Challenge) check box must be enabled on the RADIUS tab of Authlogics Global Settings (see image below).
There may be scenarios where you would like some RADIUS clients to provide a username and password first and then the MFA One Time Code (OTC) as a second authentication control, while another RADIUS client relies on a simple username and MFA OTC. When the setting above is enabled, all clients will require both a password and a One Time Code to authenticate users. However, Authlogics provides functionality which allows some RADIUS clients to authenticate with username and OTC while others follow the 2-Step process.
NOTE: This functionality is available in V4.2 deployments and above. Please ensure that you have upgraded the Authlogics Authentication Server to the latest version before continuing.
To enable this Hybrid functionality, please follow the process below:
- Ensure that the “Enable 2-Step Logons (password + OTP via Access-Challenge)” is disabled (Off)
- On all the Authlogics Authentication Servers, run regedit and browse to the key HKLM\Software\Authlogics\Authentication Server
- Right-click on Authentication Server and create a new String Value with the name “RadiusAccessChallengeOverrideIpAddresses”.
- Once the value has been created, enter the IP addresses of the RADIUS clients which will require the 2-Step login process (please refer to the Authlogics Installation and Configuration Guide for more information on RADIUS clients). If support for more than one RADIUS client is required, enter the IP addresses comma-separated.
NOTE: These are the IP addresses of the RADIUS clients as specified under Network Policy Server – RADIUS Clients.
In the above example, the clients “Authentication Server” and “Palo Alto” will require 2-Step logon validation, whereas the “Citrix CAG” RADIUS client will authenticate using username and OTC alone.
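As an added example (not Authlogics' own tooling), the following PowerShell script applies the registry steps above on one Authentication Server: it validates the client IP list, warns about any address that is not a registered NPS RADIUS client (so a typo cannot silently leave a client on username + OTC only), writes the comma-separated String Value and reads it back. It assumes an elevated session on the server, the NPS PowerShell module, and that Get-NpsRadiusClient exposes the client address as an Address property.

```powershell
# Added example (not Authlogics' own code): set the
# RadiusAccessChallengeOverrideIpAddresses value from a list of RADIUS
# client IPs, with validation and an NPS cross-check before writing.
# Assumptions: elevated session on the Authentication Server, NPS module
# present, Get-NpsRadiusClient objects carry a .Name and .Address property.
param(
    [Parameter(Mandatory)] [string[]] $TwoStepClientIps,
    [switch] $WhatIf
)

$keyPath   = 'HKLM:\Software\Authlogics\Authentication Server'
$valueName = 'RadiusAccessChallengeOverrideIpAddresses'

# 1. Validate: each entry must be a dotted-quad IPv4 address; drop duplicates.
$clean = foreach ($ip in ($TwoStepClientIps | Select-Object -Unique)) {
    $parsed = $null
    if ($ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
        -not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed) -or
        $parsed.AddressFamily -ne 'InterNetwork') {
        throw "Not a valid IPv4 address: '$ip'"
    }
    $parsed.ToString()
}

# 2. Cross-check against the NPS RADIUS client list: an address that is not
#    a registered client will never match, so the override would be a no-op.
$npsClients = @{}
foreach ($c in Get-NpsRadiusClient) { $npsClients[$c.Address] = $c.Name }
foreach ($ip in $clean) {
    if (-not $npsClients.ContainsKey($ip)) {
        Write-Warning "$ip is not a registered NPS RADIUS client address"
    }
}

# 3. Write the comma-separated list as a REG_SZ (String Value).
$value = $clean -join ','
if ($WhatIf) { "Would set $valueName = '$value'"; return }
if (-not (Test-Path $keyPath)) { throw "Registry key not found: $keyPath" }
Set-ItemProperty -Path $keyPath -Name $valueName -Value $value -Type String

# 4. Read back and list which NPS clients now require the 2-Step logon.
$stored = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
$stored -split ',' | ForEach-Object {
    $name = if ($npsClients.ContainsKey($_)) { $npsClients[$_] } else { '(not in NPS)' }
    '{0,-15} {1}' -f $_, $name
}
```

Run it with -WhatIf first to see the value that would be written; repeat on every Authentication Server, since the value is read locally by each one.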