On Wed, Sep 11, 2019 at 9:17 PM drhy <[email protected]> wrote:
> Is it possible to use three authentication extensions, in order?
>
> 1. initially authenticate using RADIUS, via Windows Network Policy Server to trigger Azure MFA,
> 2. then if authenticated by RADIUS, to use LDAP to look up Groups from Active Directory,
> 3. then finally match one of the Active Directory Groups against a configured Group held by a database (e.g. MySQL, Postgres), with the database Group resulting in the user being presented with a list of preconfigured connections and permissions connecting.
>
> If the RADIUS authentication failed then under this scenario the user wouldn't be able to connect, and similarly if the Group/s from Active Directory didn't match any in the database, then the user wouldn't be able to connect.
>

I suspect this will not work as you want it, for the following reason:

- If RADIUS authentication happens first, it will enforce MFA and ultimately succeed, but then the LDAP module won't actually try to bind with the username/password. I could be wrong about this - maybe it will go ahead and try - but I think a fully successful authentication by the RADIUS module would result in a login without any of the other modules actually trying to authenticate. Because the LDAP module bases its searches on the user who is logging in, if the user is successfully authenticated I'm not sure it'll actually try it.
- If LDAP authentication happens first, then LDAP will succeed and RADIUS will not be tried, so MFA will not be enforced.

It may be worth messing around with it to see if any of those combinations work - including changing the ordering of how the authentication modules load - but I'm not optimistic it'll work exactly how you want it to.

-Nick
