nfactor + domain dropdown + password + passcode + all in one screen

[Rob Hoffman1709162939]

Hello,

I have a request to change the authentication for a VPN where currently the users currently authenticate using classic policies: pre-authentication -  domain check, authentication - user, password and passcode to support two domains.

Pre-authentication policies are deprecated so I need to use nfactor.

The logon screen need to have all fields: user, password, passcode and domain drop box.  But I cannot find a way to authenticate the user.

In nfactor flow I added an epa factor which work ok (no schema).

Then the next factor is the actual main screen with all the elements described above (custom schema, copy of DualAuth.xml and added drop down for domains).

Then I added a decision block to select the domain.

The next factor is LDAP based on selected domain (no schema).

The next factor is RADIUS (no schema).

It seems the credentials do not pass from the first screen to the last two factors.

I am wondering if anybody encountered this before and how to solve it if possible.

[Julian Jakob]

Hi,

 

there are different nFactor-Flow-Ways to achieve this - but let's talk about your setup and just two ideas what could be missing in your setup, as you wrote the credentials do not pass from previous factors.

 

1. To pick to entered Username from the first factor to be entered in further factors (with Read-Only) checkout the ${AAA.USER.NAME} Value in your LoginSchema XML. An example:

<Type>username</Type></Credential><Label><Text>Username</Text><Type>plain</Type></Label><Input><Text><ReadOnly>true</ReadOnly><InitialValue>${AAA.USER.NAME}</InitialValue>

 

 

2. To give ADC infos about which field is Username and which is Password, to transfer into further factors, check your credential index for Username and Password in your LoginSchema:

 

Example:

 

Hope this helps

Regards

Julian

[Rob Hoffman1709162939]

Thanks Julian. I noticed that if I used the decision block for domain selection, it broke the flow. Not sure if I made a mistake but once I took it out and changed a few things worked.

 

This is setup now:

First factor is domain membership. Works ok.

Second factor is the decision where the domains are selected. The schema is a customized DualAuth.xml and added the dropdown combo box from DomainDropdown.xml.

The two policies on second factor are NO_AUTH and are used to select the domain using these 2 expressions:

HTTP.REQ.BODY(500).AFTER_STR("domain=").CONTAINS("domain1")

HTTP.REQ.BODY(500).AFTER_STR("domain=").CONTAINS("domain2")

 

The ldap and radius factors have on schema (noschema) these below:

User expression (on both): aaa.LOGIN.USERNAME

LDAP Password Expression: aaa.LOGIN.PASSWORD

RADIUS Password Expression: aaa.LOGIN.PASSWORD2

 

Seems to work fine now. Still wondering if not using the decision block is a god decision. 

 

There is one annoying thing though. On VPN client, the users need to scroll now to select the domain. Do you know if this can be enlarged by default ?