Hello!
Cornelius, please guide me, is it possible to implement this kind of
authentication scheme with PrivacyIdea:
- LDAP/AD user authenticates with his credentials. This user must be a
member of an AD security group. If he is not, or his account is
expired/disabled, or the password is incorrect, the first stage of
authentication fails. If everything is OK, proceed to the next stage.
- OTP value sent to the user via SMS. User enters the OTP value without the OTP PIN;
the second stage of authentication succeeds.
Result: Access granted.
Here come the tricky questions:
- Is it possible to do LDAP/AD group membership checking? I know
FreeRADIUS supports this.
- I understand that the SMS token is a challenge-response token. It means that
the first request needs to contain the correct OTP PIN. If the OTP PIN is
correct, the sending of the SMS is triggered.
What happens if the Administrator defines a policy that sets otppin=none? Is
it possible to automatically send one predefined standard PIN to the user
after the first stage of authentication? Or maybe just use a mangle policy?
Need some help!
Thank you!
On Monday, 25.01.2016, 05:51 -0800, Lokkenarium wrote:
> Hello!
> Cornelius, please guide me, is it possible to implement this kind of
> authentication scheme with PrivacyIdea:
> - LDAP/AD user authenticates with his credentials. This user must be
> a member of an AD security group. If he is not, or his account is
> expired/disabled, or the password is incorrect, the first stage of
> authentication fails. If everything is OK, proceed to the next stage.
> - OTP value sent to the user via SMS. User enters the OTP value without the OTP
> PIN; the second stage of authentication succeeds.
> Result: Access granted.

Yes, this is possible.

> Here come the tricky questions:
> - Is it possible to do LDAP/AD group membership checking? I know
> FreeRADIUS supports this.

Yes, you can use the attribute memberOf in the resolver config.

> - I understand that the SMS token is a challenge-response token. It means
> that the first request needs to contain the correct OTP PIN. If the
> OTP PIN is correct, the sending of the SMS is triggered.

Correct.

> What happens if the Administrator defines a policy that sets otppin=none?

What you want is setting

otppin=userstore

Kind regards
Cornelius

> Is it possible to automatically send one predefined standard PIN to
> the user after the first stage of authentication? Or maybe just use a
> mangle policy?
> Need some help!
> Thank you!
–
Cornelius Kölbel
@cornelinux
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
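The two-stage flow Cornelius describes above (memberOf in the resolver config, otppin=userstore, the SMS token as a challenge-response token), as an added example that is not part of the thread and not privacyIDEA's own code. The server class below is a constructed stand-in for /validate/check: it mirrors only the response shape (result.value, detail.transaction_id) and the decision logic. The message texts, user names, passwords, group DN and token keys are all made up for the example. The OTP itself is RFC 4226 HOTP, which is what an SMS token sends.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed stand-in for the AD user store (example data, not from the thread).
# "password" is the AD password the first request must carry when otppin=userstore.
REQUIRED_GROUP = "CN=VPN-Users,OU=Groups,DC=example,DC=com"
USERSTORE = {
    "alice": {"password": "Winter2016!", "enabled": True,
              "memberOf": [REQUIRED_GROUP]},
    "bob":   {"password": "Summer2016!", "enabled": True,
              "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=com"]},
    "carol": {"password": "Autumn2016!", "enabled": False,
              "memberOf": [REQUIRED_GROUP]},
}


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP (HMAC-SHA1), the OTP algorithm behind an SMS token."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def resolve_user(user):
    """Mimics a resolver whose LDAP search filter contains (memberOf=<group>):
    users outside the group, and disabled accounts, simply do not resolve."""
    entry = USERSTORE.get(user)
    if entry is None or not entry["enabled"] or REQUIRED_GROUP not in entry["memberOf"]:
        return None
    return entry


class FakeValidateCheck:
    """Constructed stand-in for /validate/check with an SMS token and the
    authentication policy otppin=userstore (hypothetical, offline only)."""

    def __init__(self, tokens):
        self.tokens = tokens      # user -> {"key": bytes, "counter": int}
        self.challenges = {}      # transaction_id -> (user, expected OTP)
        self.sms_outbox = {}      # user -> last OTP "sent" by SMS

    @staticmethod
    def _reply(value, **detail):
        return {"result": {"status": True, "value": value}, "detail": detail}

    def check(self, user, password, transaction_id=None):
        if transaction_id is not None:
            return self._answer(user, password, transaction_id)
        entry = resolve_user(user)
        if entry is None:
            return self._reply(False, message="user not found in realm")
        # otppin=userstore: the PIN part of "pass" is the AD password
        if not hmac.compare_digest(password.encode(), entry["password"].encode()):
            return self._reply(False, message="wrong otp pin")
        # Stage one passed: trigger the challenge, i.e. send the SMS
        token = self.tokens[user]
        otp = hotp(token["key"], token["counter"])
        tid = secrets.token_hex(10)
        self.challenges[tid] = (user, otp)
        self.sms_outbox[user] = otp
        return self._reply(False, transaction_id=tid,
                           message="Enter the OTP from the SMS:")

    def _answer(self, user, otp, transaction_id):
        challenge = self.challenges.pop(transaction_id, None)   # single use
        if (challenge is None or challenge[0] != user
                or not hmac.compare_digest(otp.encode(), challenge[1].encode())):
            return self._reply(False, message="wrong otp value")
        self.tokens[user]["counter"] += 1
        return self._reply(True, message="matching 1 tokens")


def authenticate(server, user, password, read_sms):
    """Client side of the two-stage flow, as a RADIUS front end would drive it."""
    first = server.check(user, password)
    tid = first["detail"].get("transaction_id")
    if tid is None:
        return False        # stage one failed: group, account state or password
    otp = read_sms(user)    # the user types only the OTP, no PIN
    return server.check(user, otp, transaction_id=tid)["result"]["value"]


def run_scenarios():
    """Drives the flow through the cases raised in the thread; returns the outcomes."""
    server = FakeValidateCheck({u: {"key": secrets.token_bytes(20), "counter": 0}
                                for u in USERSTORE})

    def read_sms(user):
        return server.sms_outbox[user]

    def read_sms_wrong(user):          # always differs from the real OTP
        return str((int(server.sms_outbox[user]) + 1) % 10 ** 6).zfill(6)

    results = {
        "alice_ok": authenticate(server, "alice", "Winter2016!", read_sms),
        "alice_wrong_password": authenticate(server, "alice", "wrong", read_sms),
        "bob_not_in_group": authenticate(server, "bob", "Summer2016!", read_sms),
        "carol_disabled": authenticate(server, "carol", "Autumn2016!", read_sms),
        "alice_wrong_otp": authenticate(server, "alice", "Winter2016!", read_sms_wrong),
    }
    # A consumed transaction_id cannot be replayed, even with the right OTP
    tid = server.check("alice", "Winter2016!")["detail"]["transaction_id"]
    otp = server.sms_outbox["alice"]
    server.check("alice", otp, transaction_id=tid)
    results["replay_rejected"] = server.check("alice", otp, transaction_id=tid)["result"]["value"]
    return results
```

Against a real privacyIDEA the same two calls are POST /validate/check with user and pass (the AD password), which returns a transaction_id and triggers the SMS, and then POST /validate/check with user, transaction_id and pass set to the OTP only. The group restriction belongs in the LDAP resolver's search filter, for example by adding a (memberOf=<group DN>) clause, so that users outside the group are never found and fail at stage one.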