UAG portal with different authentication options

  • Question

  • Hello,

    I would like to set up a UAG portal with two different authentication methods; users from country A would authenticate to an Active Directory server, and users from country B would authenticate to a RADIUS server. So users would see both authentication options on the login page but they would only use the one that matches their country.

    Is there a way I can do this with UAG?

    Thank you.

    Tuesday, May 22, 2012 8:52 AM

Answers

  • Hi FLaroc,

    This is very simple. After you create the two authentication servers (repositories) you configure both on the "Authentication Trunk" and choose the "Users choose authentication server" and "Provide a server list at user logon" options:

    (screenshot: Authentication)

    When the users log on to the UAG, they will be presented with a dropdown to choose the correct authentication method:

    (screenshot: LoginPrompt)

    Hope this answers your question.

    Ophir.

    Tuesday, May 22, 2012 1:25 PM

All replies

  • Thank you ophirp for your answer.

    But with this configuration, users have the choice of repositories. Let's say both countries can authenticate to AD, but I'd like to force users from country B to authenticate to Radius. I could add a Javascript code in Login.asp to make a check but that can be easily bypassed. I could also do it in postpostvalidate.asp so that the check is made from server-side (I retrieve the user country and check that he has authenticated to the correct repository). But perhaps there is another way to do it?

    Thank you.

    Tuesday, May 22, 2012 4:03 PM
  • Hi Flaroc,

    Sorry for the confusion. I didn't realize you wanted to force the user to a specific repository.

    What you can try to do, is to add a custom login.inc with the following:

    <%
    ' Force a single repository; set this to the AD or the Radius repository name based on your logic
    ForceRepository = "NameOfRepository"
    ' Replace the repository list offered at logon with just that one entry
    repositories.NameVec = Array(ForceRepository)
    %>

    This will remove the drop down for the users, and will "force" them to authenticate with a specific repository.

    Hope this helps.

    Ophir.

    Tuesday, May 22, 2012 4:11 PM
  • You could perhaps use my code from here: http://social.technet.microsoft.com/Forums/lv/forefrontedgeiag/thread/c81c6714-5a07-4354-9e54-59cd1e898805

    Source IP is never a great form of identity, but it may be the only way you can automate the logic you require...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Tuesday, May 22, 2012 11:04 PM
  • Thanks ophir and Jason!

    But since the users connect from the Internet around the world, I don't know which repository to enforce depending on the source IP.

    If I understood correctly, the login.inc content applies before the user validates the login form, so I have no choice but to check the validity of the repository in postpostvalidate? I.e. check that the provided username matches country A and that the user selected the correct repository.

    Wednesday, May 23, 2012 12:42 PM
  • Hi FLaroc,

    I think the missing part here is how you would know which country a user belongs to?

    As Jason suggested, you can do it based on source-IP (assuming you know how to map the source-IP to the user's country).

    If the only way for you to map the user to a country is after you identify the user (i.e. lookup in some internal table) then I think you will have a chicken-egg problem, as you cannot force the user to a specific repository before they provide credentials, and you cannot validate the credentials before you know which repository to use ...

    Can you please clarify how you are planning to map the country if not by Source-IP?

    Ophir.

    Wednesday, May 23, 2012 12:49 PM
  • What is the business aim that you are trying to achieve?

    If country selection is not going to be a user selection, how will you identify this variable?


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, May 23, 2012 12:49 PM
  • Hi FLaroc,

    I think the missing part here is how you would know which country a user belongs to?

    As Jason suggested, you can do it based on source-IP (assuming you know how to map the source-IP to the user's country).

    If the only way for you to map the user to a country is after you identify the user (i.e. lookup in some internal table) then I think you will have a chicken-egg problem, as you cannot force the user to a specific repository before they provide credentials, and you cannot validate the credentials before you know which repository to use ...

    Can you please clarify how you are planning to map the country if not by Source-IP?

    Ophir.

    Seems we are asking the same questions :)

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    Wednesday, May 23, 2012 12:50 PM
  • The main idea is that all users can authenticate to the AD, but some countries have higher security requirements and also provide a Radius authentication. This is why I wanted the "low-security" countries to be allowed to use AD authentication, but the "high-security" ones to be forced to use Radius authentication, all through a unique portal.

    But as you properly noticed, I can't know which country a user belongs to before he validates the form. I need at least the username in order to make an LDAP request to a backend server and retrieve the country. After I get the country, I know which repository the user must authenticate to.

    But if I notice that a user authenticated to AD whereas he should have used Radius, it's too late... It is indeed the chicken-egg problem :(

    What about putting a dropdown list in which the user selects his country? The rest of the login page would then dynamically change and expect the correct authentication... Easier said than done I guess.

    Otherwise I could stick to a simpler solution: I add an explanatory message on the login page, which tells users which repository to select in the dropdown list, depending on their country. I make the check in postpostvalidate and deny access if the user selected the wrong repository.

    Wednesday, May 23, 2012 1:18 PM
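The server-side repository check FLaroc proposes in the last paragraph, modelled in Python as an added example that is not UAG code and not from anyone in the thread; the user-to-country table stands in for the LDAP query to the backend, and the repository names "AD" and "RADIUS" are assumptions.

```python
# Added example (not UAG code): a model of the server-side repository check that
# would run after the login form is validated (the postpostvalidate stage).
# The user->country table and the repository names "AD" and "RADIUS" are assumptions.
from dataclasses import dataclass

# Constructed stand-in for the LDAP lookup of a user's country on the backend server.
USER_COUNTRY = {
    "alice": "A",   # country A: lower security requirements
    "bob": "B",     # country B: must use RADIUS
}

# Policy: repositories each country may authenticate against. Country A keeps AD;
# country B is restricted to RADIUS. Unlisted countries get nothing (fail closed).
ALLOWED_REPOSITORIES = {
    "A": frozenset({"AD"}),
    "B": frozenset({"RADIUS"}),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str   # suitable for the audit log


def normalize_user(username):
    """Strip an assumed 'DOMAIN\\user' prefix and fold case so lookups are stable."""
    return username.rsplit("\\", 1)[-1].strip().lower()


def allowed_repositories(username):
    country = USER_COUNTRY.get(normalize_user(username))
    return ALLOWED_REPOSITORIES.get(country, frozenset())


def check_repository(username, selected_repository):
    """Deny the session when the repository the user just authenticated against is not
    one their country permits. Because this runs after credentials were already
    validated, a denial must end the session rather than merely hide a menu entry."""
    allowed = allowed_repositories(username)
    if selected_repository in allowed:
        return Decision(True, "repository permitted for user's country")
    if not allowed:
        return Decision(False, "unknown user or country: denied")
    return Decision(False, "must authenticate with " + " or ".join(sorted(allowed)))
```

The check is deliberately fail-closed: a user whose country cannot be determined is denied rather than silently routed to AD.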
  • Hi Flaroc,

    What about putting a dropdown list in which the user selects his country? The rest of the login page would then dynamically change and expect the correct authentication... Easier said than done I guess.

    That should have been my original answer. Just make sure to name the repositories by the country names instead of "Radius" and "AD", and then users will get the option to choose a "country" which is basically the correct repository name...

    Ophir.

    Wednesday, May 23, 2012 1:45 PM