
Configuring RADIUS to use an alternate username during Multi Factor Authentication.


By Centrify Advisor IV ‎03-28-2017 04:59 PM

By default, when working with a 3rd party RADIUS server, there may be a username mismatch when authenticating through Centrify:

 

Long Story: 

You are using Centrify Multi Factor Authentication and linking to an external RADIUS server

The RADIUS authentication is failing

The external RADIUS server says "username not found"

 

Explanation:

We send the username in one format (e.g., email) and the RADIUS server expects another format (e.g., short name).

 

Solution:

In 17.3 there is a new RADIUS feature that lets you specify which attribute to send to the 3rd party server. 

 

In the CIS Admin Console, navigate to Settings -> Authentication -> RADIUS Connections -> Servers tab

 


By default, the Canonical Name attribute is sent to the RADIUS Server. The Canonical Name is constructed as follows:

 

For AD users it is set to one of the following (in this order):

  1. userPrincipalName, if that field's format is usable (not empty and doesn't start with "@"), otherwise
  2. the concatenation of sAMAccountName, a "@", and the AD domain.

For Centrify cloud users it is the contents of the "Name" field.

 

You can configure the service to send any directory attribute. For many services, you will want to send the AD sAMAccountName attribute. (See below)

You can enter any Active Directory attribute by entering it in the Custom field.
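
The default Canonical Name rule and the effect of switching to a custom attribute, as an added Python sketch (not Centrify code): it checks constructed directory records against a constructed list of RADIUS accounts to show which users would hit "username not found". The record keys `source` and `domain`, the exact-match comparison, and the handling of a missing attribute are assumptions.

```python
from typing import Optional

# Constructed sample records; field names mirror the attributes named above,
# "source" and "domain" are hypothetical keys for this sketch.
USERS = [
    {"source": "ad", "userPrincipalName": "alice@example.com",
     "sAMAccountName": "alice", "domain": "corp.example.com"},
    {"source": "ad", "userPrincipalName": "",
     "sAMAccountName": "bob", "domain": "corp.example.com"},
    {"source": "ad", "userPrincipalName": "@example.com",
     "sAMAccountName": "carol", "domain": "corp.example.com"},
    {"source": "cloud", "Name": "dave@example.com"},
]
RADIUS_ACCOUNTS = ["alice", "bob", "carol"]  # constructed: server knows short names

def canonical_name(user: dict) -> str:
    """Default username sent to the RADIUS server, per the rule above."""
    if user["source"] == "cloud":
        return user["Name"]                      # cloud user: the "Name" field
    upn = user.get("userPrincipalName") or ""
    if upn and not upn.startswith("@"):          # usable: not empty, no leading "@"
        return upn
    return f'{user["sAMAccountName"]}@{user["domain"]}'

def radius_username(user: dict, attribute: Optional[str] = None) -> Optional[str]:
    """Username sent for the configured attribute; None selects the default."""
    if attribute is None:
        return canonical_name(user)
    # Assumption: a user lacking the attribute has nothing usable to send.
    return user.get(attribute) or None

def mismatches(users, radius_accounts, attribute=None):
    """(user, sent username) pairs the RADIUS server would not find.
    Assumption: the server compares usernames as exact strings."""
    known = set(radius_accounts)
    report = []
    for user in users:
        sent = radius_username(user, attribute)
        if sent not in known:
            label = user.get("sAMAccountName") or user["Name"]
            report.append((label, sent))
    return report

if __name__ == "__main__":
    print("default (Canonical Name):", mismatches(USERS, RADIUS_ACCOUNTS))
    print("sAMAccountName:", mismatches(USERS, RADIUS_ACCOUNTS, "sAMAccountName"))
```

With sAMAccountName selected, the AD users match, but the cloud user has no such attribute and still needs an attribute that exists on cloud accounts.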

 
