Cisco ASA and PrivacyIDEA

I haven’t delved into the Questionnaire type yet. My concern would be how the “N correct answers out of M questions” fits into the RADIUS model, which is challenge-response rather than challenge-challenge-challenge-challenge-response. But for U2F and Email(PIE) types, it works right out of the box with otppin=tokenpin.

I don’t think token types can be selectively queried/screened based on policy. In my experience, the C-R PIN determines the context: if I use my U2F PIN, the YubiKey is prompted, but if I use my Email PIN, the email is generated.

You can have a tokentype policy that will only allow certain tokentypes.

https://privacyidea.readthedocs.io/en/latest/policies/authorization.html#tokentype

To clarify “client IP”, is this the IP of the application or the IP of the user? For example, if a user at 10.0.0.120 is authenticating to an application at 192.168.1.1, is the client IP 10.0.0.120 or 192.168.1.1?

I would imagine it would be the 10 address because you can’t always expect the application to forward the source IP of the remote user.