Releases: MultifactorLab/MultiFactor.Radius.Adapter
1.0.239
Release 19.04.2024 | 2FA Pre Auth
The Adapter now supports a new mode: Second Factor Authentication before First Factor Authentication.
If this mode is enabled, the user has to confirm the second factor before proceeding to the first (login/password).
All current features such as BYPASS, INLINE ENROLLMENT and PASSWORD CHANGE are available in the new mode as well.
Note: The Second Factor Authentication before First Factor Authentication mode is not available for Winlogon and RDGW resources.
Each of the available methods (push, telegram, otp) specifies the preferred method for the current user during the authentication session on the Multifactor Cloud side. If the preferred method is not available, the next one is used according to priority.
In otp mode, the user must enter the OTP code in the User-Password attribute along with the password. If no password is required, the user only needs to enter the OTP code.
Examples of User-Password attribute content:
- password + otp: mypassword123456
- otp only: 123456
Configuration
You can activate this mode by adding the following option to the client config:
<add key="pre-authentication-method" value="METHOD"/>
Allowed METHOD values: none (by default), push, telegram, otp.
If the mode is enabled (push, telegram, otp), you must also set the invalid credential delay:
<add key="invalid-credential-delay" value="DELAY"/>
The minimum value of DELAY is 2.
Configuration examples
<!-- feature disabled -->
<add key="pre-authentication-method" value="none"/>
<add key="invalid-credential-delay" value="0"/>
<!-- push -->
<add key="pre-authentication-method" value="push"/>
<add key="invalid-credential-delay" value="2"/>
<!-- telegram -->
<add key="pre-authentication-method" value="telegram"/>
<add key="invalid-credential-delay" value="3-5"/>
<!-- otp -->
<add key="pre-authentication-method" value="otp"/>
<add key="invalid-credential-delay" value="4"/>
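A check for the rule above, as an added example (not part of the adapter or its release notes): it reads an appSettings fragment and flags a pre-authentication method that is enabled without a delay of at least 2. It assumes a range such as 3-5 is judged by its lower bound; the function names and sample configs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ALLOWED_METHODS = {"none", "push", "telegram", "otp"}  # values listed in the release note
MIN_DELAY = 2                                          # documented minimum when the mode is on

def read_settings(xml_text):
    """Return {key: value} for every <add key=... value=.../> under <appSettings>."""
    root = ET.fromstring(xml_text)
    section = root if root.tag == "appSettings" else root.find(".//appSettings")
    if section is None:
        return {}
    return {e.get("key"): e.get("value", "") for e in section.iter("add")}

def delay_lower_bound(value):
    """Parse 'N' or 'N-M' (the note shows "3-5"); return None if malformed."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", value.strip())
    if not m:
        return None
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    return low if low <= high else None

def lint_pre_auth(xml_text):
    """Return a list of findings; an empty list means the client config passes."""
    s = read_settings(xml_text)
    method = s.get("pre-authentication-method", "none")  # 'none' is the documented default
    if method not in ALLOWED_METHODS:
        return [f"unknown pre-authentication-method '{method}'"]
    if method == "none":
        return []                                        # feature disabled, no delay required
    raw = s.get("invalid-credential-delay")
    if raw is None:
        return [f"{method}: invalid-credential-delay is missing"]
    low = delay_lower_bound(raw)
    if low is None:
        return [f"{method}: cannot parse delay '{raw}'"]
    if low < MIN_DELAY:                                  # assumption: a range is judged by its lower bound
        return [f"{method}: delay '{raw}' is below the minimum of {MIN_DELAY}"]
    return []

# Constructed sample configs (not taken from a real deployment)
GOOD = ('<appSettings><add key="pre-authentication-method" value="telegram"/>'
        '<add key="invalid-credential-delay" value="3-5"/></appSettings>')
WEAK = ('<appSettings><add key="pre-authentication-method" value="otp"/>'
        '<add key="invalid-credential-delay" value="0"/></appSettings>')
```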
1.0.236
Release 29.02.2024 | Fixed choosing the 2FA confirmation method
Bugfixes
- Fixed: Keep state between Authentication requests
1.0.231
Release 21.02.2024 | Added custom identity attribute
New
- Added the use-attribute-as-identity setting, which allows you to specify the attribute that will be used as an identifier when checking the second factor.
  You SHOULD use the new setting instead of use-upn-as-identity.
<!-- Use the specified attribute as the user identity when checking the second factor -->
<add key="use-attribute-as-identity" value="mail"/>
1.0.226
Release 19.01.2024 | Fix default config
Bugfixes
- Fixed: default proxy settings.
1.0.222
Release 17.01.2024 | Reduced http-request timeout
New
- Reduced http-request timeout.
- Important! The App.config configuration file now contains the technical information necessary for the correct launch of the application. You should not replace the App.config file; instead, edit the <appSettings> section.
1.0.216
Release 13.09.2023 | Add pre-Windows 2000 logon name support
New
- The user can use a pre-Windows 2000 logon name for authentication: "netbiosname/username".
  This feature conflicts with the setting <ActiveDirectory requiresUserPrincipalName="true">.
- Extended logging.
1.0.209
Release 13.06.2023 | No Response In the Proxy Mode
New
- New adapter behavior in the following scenario:
  - the first-factor-authentication-source is Radius;
  - the nps-server-endpoint is specified;
  - NPS did not return a response.
  In this case, the adapter will not return a response.
  Old behavior: Adapter returned an Access-Reject response.
1.0.206
Release 26.04.2023 | Sufficient Modifier
New
- New sufficient property in the optional RADIUS attribute definition:
  <add name="Class" value="value" when="condition" sufficient="true" />
  Allowed values: true, false (by default).
How it works
If the attribute matches the conditions, it is added to the RADIUS packet. If the attribute also has the sufficient=true property, the adapter stops evaluating the optional attribute stack. The sufficient property only takes effect if the attribute passes the conditions check.
The example shows a case in which the Custom-Attr attribute will not be added to the response:
<RadiusReply>
  <Attributes>
    <add name="Class" value="VPN-GP"/>
    <add name="Class" value="VPN-G2P" when="true statement" sufficient="true" />
    <add name="Custom-Attr" value="Attr" when="true statement"/>
  </Attributes>
</RadiusReply>
1.0.203
Release 25.04.2023 | Partial Privacy Mode
New
- New syntax for the privacy-mode setting. Now you can use Partial privacy mode:
<add key="privacy-mode" value="Partial:FIELD_NAME" />
In Partial mode, the adapter sends only the specified fields to the API. The FIELD_NAME value can be one of: Name, Email, Phone, RemoteHost:
<add key="privacy-mode" value="Partial:Email" />
<add key="privacy-mode" value="Partial:RemoteHost" />
You can also specify multiple fields by separating them with commas:
<add key="privacy-mode" value="Partial:RemoteHost,Name,Phone" />
If you have not specified any field, the adapter will work in the Full mode.
Standard modes are also available:
None (by default) - in this mode, the adapter sends all data to the API.
Full - in this mode, the adapter sends only the Identity field.
1.0.200
Release 05.04.2023 | Multiple values support in a When statement of RadiusReply
New
- Multiple values in a when clause of a Radius Reply config section. A clause matches when one of the provided values is equal to the left side.
  See the example below.
<RadiusReply>
  <Attributes>
    <add name="Class" value="VPN-GP" when="UserName=John Smith;Ivan Ivanov"/>
    <add name="Class" value="VPN-G2P" when="UserGroup=Domain Admins;Administrators"/>
  </Attributes>
</RadiusReply>
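A model of how the sufficient property (1.0.206) and multi-value when clauses (1.0.200) interact, as an added example and not the adapter's own code. It assumes top-to-bottom evaluation, exact string comparison, and a user record given as a dictionary; the VPN-ADMIN and VPN-DEFAULT values and the sample users are constructed.

```python
import xml.etree.ElementTree as ET

def when_matches(when, user):
    """True if the clause is absent, or one listed value equals the user's attribute."""
    if not when:
        return True                        # no condition: the attribute always applies
    name, _, rhs = when.partition("=")
    allowed = {v.strip() for v in rhs.split(";")}
    actual = user.get(name.strip(), [])
    if isinstance(actual, str):
        actual = [actual]                  # single-valued attribute such as UserName
    # Assumption: a multi-valued attribute (groups) matches if any of its values is listed
    return any(a in allowed for a in actual)

def build_reply(xml_text, user):
    """Walk <Attributes> top to bottom and return the (name, value) pairs added."""
    reply = []
    for el in ET.fromstring(xml_text).iter("add"):
        if not when_matches(el.get("when"), user):
            continue                       # sufficient has no effect on a failed condition
        reply.append((el.get("name"), el.get("value")))
        if el.get("sufficient", "false").lower() == "true":
            break                          # stop evaluating the optional attribute stack
    return reply

# Constructed config combining both features (attribute values are illustrative)
CONFIG = """
<RadiusReply>
  <Attributes>
    <add name="Class" value="VPN-ADMIN" when="UserGroup=Domain Admins;Administrators" sufficient="true"/>
    <add name="Class" value="VPN-GP" when="UserName=John Smith;Ivan Ivanov"/>
    <add name="Class" value="VPN-DEFAULT"/>
  </Attributes>
</RadiusReply>
"""

# Constructed sample users
ADMIN = {"UserName": "Ivan Ivanov", "UserGroup": ["Administrators", "Staff"]}
JOHN = {"UserName": "John Smith", "UserGroup": ["Staff"]}
OTHER = {"UserName": "Jane Doe", "UserGroup": []}
```

Because a matching sufficient rule ends evaluation, the order of the rules decides which Class values a user receives, so review the order whenever a rule is added.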