For a RADIUS Server event, you can specify multiple chains, which is very helpful in allowing the user to choose the best method in which they have enrolled - similar to the NAM "dynamic" capability. The user can specify the chain to authenticate with by appending the short name of the chain to the end of the username with an ampersand as a delimiter, as in <username>&<chain short name>. However, for some VPN clients such as the Palo Alto GlobalProtect, the ampersand and other "special characters" are illegal for usernames, preventing them from using AA for MFA in this way (https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-password-profiles/username-and-password-requirements).

Another option to solve this problem is suggested in Idea #13763 "Specify chain through RADIUS attribute" (https://ideas.microfocus.com/MFI/advance-authentication/Idea/Detail/13763).

Comments

  • We are working on the use of RADIUS attributes. This is an interesting case. I will update this suggestion as we progress.