For a RADIUS Server event, you can specify multiple chains. As part of the RADIUS challenge-response authentication, it is possible to explicitly define a chain to authenticate with by appending the shortname of the chain to the end of the username with an ampersand, i.e. <repo>\<username>&<chain short name>.

It would be more beneficial to be able to specify a chain through a RADIUS attribute (for example, AA-Chain=<shortname>), as some RADIUS clients see the ampersand as part of the username as an 'illegal character', thus making it not possible to explicitly specify a specific chain that has been added to an event.
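
The two selection paths described in this request, as an added example (not AA product code and not written by the poster): the chain is taken either from the username suffix or from the proposed AA-Chain attribute, and is accepted only if it is one of the chains added to the event. The function names, the constructed repo and chain names, the attribute taking precedence over the suffix, and the first listed chain acting as the default are all assumptions.

```python
# Added illustration; not AA product code.
from typing import Optional


def split_user_name(user_name: str, delimiter: str = "&"):
    """Split '<repo>\\<username>&<chain short name>' into its parts."""
    repo, sep, rest = user_name.partition("\\")
    if not sep:  # no repository prefix
        repo, rest = None, user_name
    name, sep, chain = rest.rpartition(delimiter)
    if not sep:  # no chain suffix
        name, chain = rest, None
    return repo, name, chain or None


def select_chain(user_name: str, attributes: dict, event_chains: list):
    """Return (identity to look up, chain short name) for one request."""
    repo, name, suffix_chain = split_user_name(user_name)
    attr_chain: Optional[str] = attributes.get("AA-Chain")  # proposed attribute
    if attr_chain is not None:
        # Attribute path (assumed to take precedence): User-Name is untouched,
        # so a client that validates the username first sees no suffix.
        identity, requested = user_name, attr_chain
    else:
        identity = f"{repo}\\{name}" if repo else name
        requested = suffix_chain
    if requested is None:
        return identity, event_chains[0]  # assumption: first chain is default
    # The requested chain is client-supplied input: accept it only if it is
    # one of the chains added to this event.
    if requested not in event_chains:
        raise ValueError(f"chain {requested!r} is not assigned to this event")
    return identity, requested


if __name__ == "__main__":
    chains = ["SMS", "TOTP"]  # constructed short names
    print(select_chain("CORP\\alice&TOTP", {}, chains))
    print(select_chain("CORP\\alice", {"AA-Chain": "TOTP"}, chains))
```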

Comments

  • I am wondering if the ability to specify the delimiter would also help. One that is not an invalid character for some VPN systems. I will add this enhancement request and reference this request as well.

  • Also see Idea #13801 "Ability to specify the shortname deliminator and placement" (https://ideas.microfocus.com/MFI/advance-authentication/Idea/Detail/13801)

  • To provide more context, we've discovered that at least one of our enterprise solutions we want to integrate with AA does not work with the 'mutating' of the username. The solution in question validates the incoming username against its own repository (authorization check, etc.) before allowing authentication. Even with being able to specify a delimiter, we would then have to program in logic for each application to ignore the delimiter and the trailing characters.

  • Tim, what is a preferred attribute name?

  • We do not have a preference either way. It would make sense for the product team to define this OR let each customer define it for their own environment.

  • Tim, thank you. Devs are also asking about the type of the attribute: should it be a normal one or a vendor specific attribute?

  • George, I am not too sure to be honest. I guess if it is user defined, then the user could use a normal one or re-use a vendor specific attribute.