We are leveraging the NAS Identifier in that each of our RADIUS configurations has an Event for each chain. This enables us to provide our users a clever way to select which Chain they want to use without having to define the chain name as part of their username when they authenticate.

What is holding us back, though, is the inability to have an IP address in multiple RADIUS events.

Comments

  • This comes from not wanting our users to specify their chain by manipulating the username. The products we are integrating (Citrix NetScaler, Cisco ASA) allow for multiple authentication policies. On each product, we have three authentication policies (called Yubikey, mobile push, emergency OTP) where the target is the AAF server and the only difference between the policies is the NAS ID that is sent.

    On the AAF server, we have three different RADIUS events, each with a single chain (Yubikey, Mobile push, emergency OTP) and an appropriate NAS ID.

    Then on both NetScaler and AnyConnect, users (NetScaler: customized login page, AnyConnect: 'Group' selection once they choose their gateway) pick which authenticator they want to use, and this affects which authentication policy their authentication attempt uses. As the NAS ID is sent with the RADIUS attempt, the AAF server knows that the OTP provided is a Yubikey vs mobile push or emergency OTP.
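The dispatch the comment above describes, as an added example that is not part of the original post or of the AAF product: a minimal RFC 2865 Access-Request encoder and parser in Python, with a server-side event table keyed on the pair (RADIUS client IP, NAS-Identifier) so that a single NetScaler or ASA address can own several events. The event table, the NAS-Identifier strings, the shared secret, the fixed Request Authenticator and the 192.0.2.0/24 addresses are all constructed for illustration; a real NAS sends a fresh random authenticator per request.

```python
"""Added example: NAS-Identifier based event selection for a RADIUS server.
Not code from the original post or from the AAF product. The packet layout
and User-Password hiding follow RFC 2865; everything else (event table,
NAS-Identifier strings, secret, addresses) is constructed for illustration."""
import hashlib
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32   # RFC 2865 section 5.32

# Constructed event table: one RADIUS client IP (the NetScaler or ASA) and
# three events that differ only in the NAS-Identifier they expect.
EVENTS = [
    {"client_ip": "192.0.2.10", "nas_identifier": b"Yubikey",       "chain": "Yubikey"},
    {"client_ip": "192.0.2.10", "nas_identifier": b"mobile-push",   "chain": "mobile push"},
    {"client_ip": "192.0.2.10", "nas_identifier": b"emergency-otp", "chain": "emergency OTP"},
]


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the mask for block i depends on hidden block i-1."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, authenticator: bytes, attrs) -> bytes:
    """Encode an Access-Request: code, id, length, 16-byte authenticator, then TLV attributes."""
    body = b""
    for attr_type, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet: bytes) -> dict:
    """Return {type: [value, ...]}; reject truncated or inconsistent packets instead of guessing."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return attrs


def select_event(client_ip: str, attrs: dict):
    """Pick the chain for this request from (client IP, NAS-Identifier); None means reject."""
    nas_ids = attrs.get(ATTR_NAS_IDENTIFIER, [])
    if len(nas_ids) != 1:          # missing or repeated NAS-Identifier: do not guess
        return None
    matches = [e["chain"] for e in EVENTS
               if e["client_ip"] == client_ip and e["nas_identifier"] == nas_ids[0]]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    secret, auth = b"constructed-shared-secret", bytes(range(16))   # fixed authenticator, demo only
    pkt = build_access_request(7, auth, [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_USER_PASSWORD, hide_password(b"cccc1234", secret, auth)),
        (ATTR_NAS_IDENTIFIER, b"mobile-push"),
    ])
    parsed = parse_attributes(pkt)
    print("chain:", select_event("192.0.2.10", parsed))
    print("otp:", reveal_password(parsed[ATTR_USER_PASSWORD][0], secret, auth))
```

The lookup refuses to choose when the NAS-Identifier is absent or duplicated, or when it matches no event for that client IP; that is the safe default, because falling back to "whichever event owns this IP" would silently route a Yubikey OTP into the mobile push chain and is exactly the ambiguity the original post says the product cannot express.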