I have two realms set up, “domain” and “domain-2fonly”. There is a separate authentication policy applied to each realm. All TOTP tokens are assigned to both realms.
I am having an issue when trying to authenticate as a user from “domain-2fonly”, with just the token as the password, I can see in the audit logs it is matching on the “domain” policy and getting denied because the password format is not correct. Even if I give the “domain-2fonly” a lower priority number the “domain” policy still applies first.
The policy logic works a bit different. It is not exclusive and it is not firewall rules where the first matching rule wins and processing is stop.
Rather it is an addative logic where all matching policies are collected. In your case, if tokens are in both realms, both policy match. The ordering is only for contradicting policies.
Then the authentication policies are not checked in regards to to which realm a token is assigned, but in which realm a user authenticates. So if a user in realm “domain” authenticates this realm will be always used to match the policy.
So if I understood your setup correctly this is the expected behaviour.
Yeah, it doesn’t seem like that is going to work for what I am trying to achieve.
I want a way to authenticate the same token in different ways depending on how the security device handles MFA tokens. For one device I want to send the users password appended with the OTP token, and for another device, just the OTP token without the password.
This is all on top of freeradius. So the source will always appear to be localhost.
Sorry, by device I mean security appliance, what the user is authenticating to.
eg. Firewall1 doesn’t have any implementation for MFA so users have to send password+otp, while Firewall2 does understand MFA, so it prompts the user separately for password and the otp token and authenticates each separately.
Thanks for the quick reply. The setting the client IP seems to have got it working how I wanted.
