Releases: MultifactorLab/multifactor-radius-adapter
2.1.18
Release 09.10.2024 | Nested groups search
New
- Support
msRADIUSFramedIPAddress
attribute for return using RadiusReply. - Forced multifactor api timeout. Use the following syntax:
value=hh:mm:ss!
to set the timeout less than the minimum recommended. - A new appSetting configuration section. Now you can specify the containers in which to search for nested groups:
<add key="nested-groups-base-dn" value="CN=Users,DC=domain,DC=your;OU=Admins,DC=domain,DC=your"/>
Bugfixes
- Fixed: Incorrect behavior of conditional return of attribute value when using RadiusReply.
2.1.16
Release 30.08.2024 | Config adjustment
Bugfixes
- API URL was adjusted in the config file
2.1.14
Release 23.08.2024 | UserNameTransformRules extended and bugfixes
Bugfixes
- Username Transformation Rules works properly with every fist factor source, for example with a RADIUS server in RADIUS mode.
New
- Added extended name transformation section to transform an identity before first factor and before second separately.
Note, the sectionUserNameTransformRules
should be registered in aconfigSections
section of a client config:Example of a<configSections> <section name="UserNameTransformRules" type="MultiFactor.Radius.Adapter.UserNameTransformRulesSection, multifactor-radius-adapter" /> </configSections>
UserNameTransformRules
settings:<UserNameTransformRules> <BeforeFirstFactor> <add match="d.jones" replace="j.doves" /> </BeforeFirstFactor> <BeforeSecondFactor> <add match="d.jones" replace="j.doves" /> </BeforeSecondFactor> </UserNameTransformRules>
2.1.12
Update README.md
2.1.10
Release 29.07.2024 | Environment Variables
The Adapter now supports environment variables: you can setup adapter via setting the OS environment variables.
This approach has a number of advantages:
- independence from configuration files: solves the problem of possible overwriting of files;
- easier containerization: just set a set of environment variables inside the container;
- increased security: sensitive data can be transferred via variables without using the file system.
To set variable correctly you should use RAD
prefix for variable names.
You can find more information and examples in README.
2.1.8
Release 01.07.2024 | FreeIPA bind on a RADIUS auth source
Bugfixes
- Fixed: Bind Identity Formatters works properly with FreeIPA when an auth source of RADIUS type.
2.1.6
Release 07.05.2024 | Extra Attribute
Fixed:
- The Adapter was added
Message-Authenticator
attribute to response in some cases
2.1.1
Release 22.04.2024
Cyrillic Passwords
The Adapter now supports Cyrillic passwords (any non-ASCII symbols, in general).
⚠️ Warning
Note: Make sure that the correct symlinks exist for thelibldap.so.2
andliblber.so .2
.
Learn more
2.0.73
Release 19.04.2024 | 2FA Pre Auth
The Adapter now supports new mode: Second Factor Authentication before First Factor Authentication.
If this mode is enabled, the user will have to confirm the second factor before he can proceed to confirm the first (login/password).
All current features such as BYPASS and INLINE ENROLLMENT are available in the new mode as well.
Note: The Second Factor Authentication before First Factor Authentication mode is not available for Winlogon and RDGW resources.
All available methods - push, telegram, otp - specifies the preferred method for the current user during the authentication session on the Multifactor Cloud side. This means that the specified method will be preferred. But if this method is not available, the next one will be used according to priority.
In otp mode, the user must enter the OTP code in the User-Password
attribute along with the password. If no password is required, the user only needs to enter the OTP code.
Examples of User-Password
attribute content:
- password + otp: mypassword123456
- otp only: 123456
Configuration
You can activate this mode by adding the following option to the client config:
<add key="pre-authentication-method" value="METHOD"/>
Allowed METHOD values: none (by default), push, telegram, otp.
If the mode is enabled (push, telegram, otp) it is necessary to add invalid credential delay settings in root or client level config:
<add key="invalid-credential-delay" value="DELAY"/>
The minimal value of DELAY must be 2.
Note: The Invalid Credential Delay feature can now be enabled in both root and client configurations. At the same time the delay setting specified in the root config will be overridden by the client level setting.
Configuration examples
<!-- feature disabled -->
<add key="pre-authentication-method" value="none"/>
<add key="invalid-credential-delay" value="0"/>
<!-- push -->
<add key="pre-authentication-method" value="push"/>
<add key="invalid-credential-delay" value="2"/>
<!-- telegram -->
<add key="pre-authentication-method" value="telegram"/>
<add key="invalid-credential-delay" value="3-5"/>
<!-- otp -->
<add key="pre-authentication-method" value="otp"/>
<add key="invalid-credential-delay" value="4"/>
2.0.70
Release 26.03.2024 | Ldap Attribute Pattern Matching Fix
Bugfixes
- Fix type mismatch on a custom ldap attribute retrieving operation.
- Enable console log in case of a startup-fail error.