To use a third-party RADIUS server for token checks in the authentication process, configure the JSP-Loginapp as follows.
Configuration for authentication
- Go to: MAIN SETTINGS >> Main Authenticator (or alternatively Loginapp >> Authentication Settings >> Authenticator)
- Connect a RADIUS Authenticator plugin as the second authentication step in the Main Authenticator.
- Configure the RADIUS Authenticator with the information obtained from the 3rd party RADIUS server.
- Set IP, port, and shared secret.
- Define rules that map the RADIUS server's responses to Airlock IAM internal states.
- Examine the pre-configured RADIUS Authenticator plugin(s) in the configuration templates to learn how to configure them.
Configuration for password change
When authenticating using a RADIUS server, the password change can only be initiated by the server, i.e., only enforced password change during the login process is possible.
There is no way for a user to initiate a password change.
- We assume the RADIUS server responds with the following access challenges:
- First message: Please choose a new password.
- Second message: Please confirm the new password.
- In the RADIUS Authenticator, configure two new Access Challenge Rules as follows:
- First Rule:
- Pattern: Must match the first message above. Example: Please choose a new password
- Authentication Result: New PIN required
- Second Rule:
- Pattern: Must match the second message above. Example: Please confirm the new password.
- Authentication Result: New PIN required
This will cause IAM to display the New PIN Required page (new-pin), where the user must enter and confirm the new password.
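The following added example (not Airlock IAM code) shows the kind of mapping the two Access Challenge Rules express: it reads the Reply-Message attribute from a RADIUS Access-Challenge packet (RFC 2865) and maps it to an authentication result. The rule table, the whole-string regular-expression matching, the fallback result name, and the `build_challenge` helper for constructed sample packets are assumptions for illustration.

```python
import re
import struct

ACCESS_CHALLENGE = 11  # RADIUS packet code (RFC 2865)
REPLY_MESSAGE = 18     # attribute type carrying the server's text

# Hypothetical rule table mirroring the two Access Challenge Rules above.
# Assumption: patterns are regexes matched against the whole message;
# the trailing period is optional so both spellings on this page match.
RULES = [
    (re.compile(r"Please choose a new password\.?"), "New PIN required"),
    (re.compile(r"Please confirm the new password\.?"), "New PIN required"),
]

def reply_messages(packet: bytes) -> list:
    """Return all Reply-Message texts of an Access-Challenge packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_CHALLENGE:
        raise ValueError(f"not an Access-Challenge (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("length field inconsistent with packet size")
    msgs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        if a_type == REPLY_MESSAGE:
            msgs.append(packet[pos + 2:pos + a_len].decode("utf-8", "replace"))
        pos += a_len
    return msgs

def map_challenge(packet: bytes) -> str:
    """First matching rule wins; unmatched challenges fail closed."""
    for msg in reply_messages(packet):
        for pattern, result in RULES:
            if pattern.fullmatch(msg.strip()):
                return result
    return "Authentication failed"  # hypothetical fallback result name

def build_challenge(text: str) -> bytes:
    """Constructed sample: header, zeroed authenticator, one Reply-Message."""
    data = text.encode()
    attr = bytes([REPLY_MESSAGE, len(data) + 2]) + data
    return struct.pack("!BBH", ACCESS_CHALLENGE, 1, 20 + len(attr)) + bytes(16) + attr
```

If matching is whole-string, as assumed here, a pattern written without the trailing period would not match a server message that ends with one, so compare each pattern against the exact text the RADIUS server sends.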