Releases: MultifactorLab/MultiFactor.Radius.Adapter
1.0.275
1.0.271
Release 09.10.2024 | Nested groups search
New
- Support for returning the msRADIUSFramedIPAddress attribute using RadiusReply.
- Forced multifactor api timeout. Use the syntax value=hh:mm:ss! to set a timeout lower than the recommended minimum.
- A new appSetting configuration setting. Now you can specify the containers in which to search for nested groups:
<add key="nested-groups-base-dn" value="CN=Users,DC=domain,DC=your;OU=Admins,DC=domain,DC=your"/>
1.0.257
Release 20.09.2024 | Syslog TLS fix
Bugfixes
- Fixed: error while trying to establish a TLS connection. Added a new configuration setting to turn TLS off:
<add key="syslog-use-tls" value="true/false" />
1.0.253
Release 01.07.2024 | LDAP Profile Loading via Process User
New
- Attribute validation is always done through the Windows process user
1.0.249
Release 05.06.2024 | Log File Flush
New
- Added a setting to control the frequency of writing logs to a file. If you notice that the log is written to a file only after the Adapter process is stopped, you can use this setting:
<appSettings>
  <!-- This means that the log is guaranteed to be written to a file every 80 seconds -->
  <add key="log-file-flush-interval" value="00:01:20" />
</appSettings>
1.0.245
Release 07.05.2024 | Extra Attribute
Fixed:
- The Adapter added the Message-Authenticator attribute to the response in some cases.
1.0.242
Release 24.04.2024 | Unexpected Challenge Bug
Fixed:
- In some cases of REJECT response the Adapter switched to CHALLENGE mode.
1.0.239
Release 19.04.2024 | 2FA Pre Auth
The Adapter now supports a new mode: Second Factor Authentication before First Factor Authentication.
If this mode is enabled, the user has to confirm the second factor before they can proceed to confirm the first (login/password).
All current features such as BYPASS, INLINE ENROLLMENT and PASSWORD CHANGE are available in the new mode as well.
Note: The Second Factor Authentication before First Factor Authentication mode is not available for Winlogon and RDGW resources.
Each of the available methods (push, telegram, otp) specifies the preferred method for the current user during the authentication session on the Multifactor Cloud side. If the preferred method is not available, the next one is used according to priority.
In otp mode, the user must enter the OTP code in the User-Password attribute along with the password. If no password is required, the user only needs to enter the OTP code.
Examples of User-Password attribute content:
- password + otp: mypassword123456
- otp only: 123456
Configuration
You can activate this mode by adding the following option to the client config:
<add key="pre-authentication-method" value="METHOD"/>
Allowed METHOD values: none (by default), push, telegram, otp.
If the mode is enabled (push, telegram, otp), an invalid credential delay must also be configured:
<add key="invalid-credential-delay" value="DELAY"/>
The minimum value of DELAY is 2.
Configuration examples
<!-- feature disabled -->
<add key="pre-authentication-method" value="none"/>
<add key="invalid-credential-delay" value="0"/>
<!-- push -->
<add key="pre-authentication-method" value="push"/>
<add key="invalid-credential-delay" value="2"/>
<!-- telegram -->
<add key="pre-authentication-method" value="telegram"/>
<add key="invalid-credential-delay" value="3-5"/>
<!-- otp -->
<add key="pre-authentication-method" value="otp"/>
<add key="invalid-credential-delay" value="4"/>
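An added example, not part of the Adapter or its documentation: a Python check that a client config follows the rules stated above (allowed METHOD values, and a DELAY of at least 2 when the mode is enabled). It assumes the N-M range form seen in the telegram example is judged by its lower bound; the function names and sample configs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ALLOWED_METHODS = {"none", "push", "telegram", "otp"}  # values listed in the release notes
MIN_DELAY = 2  # minimum DELAY when the mode is enabled, per the release notes


def parse_delay(value):
    """Parse 'N' or 'N-M' (both forms appear in the examples) into (low, high), else None."""
    m = re.fullmatch(r"\s*(\d+)(?:\s*-\s*(\d+))?\s*", value)
    if not m:
        return None
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    return (low, high) if low <= high else None


def check_pre_auth(config_xml):
    """Return a list of findings for the pre-authentication settings in config_xml."""
    root = ET.fromstring(config_xml)
    settings = {a.get("key"): a.get("value", "") for a in root.iter("add")}
    method = settings.get("pre-authentication-method", "none").strip()
    if method not in ALLOWED_METHODS:
        return [f"unknown pre-authentication-method: {method!r}"]
    if method == "none":
        return []  # feature disabled: the notes place no requirement on the delay
    raw = settings.get("invalid-credential-delay")
    if raw is None:
        return ["invalid-credential-delay is missing while pre-authentication is enabled"]
    delay = parse_delay(raw)
    if delay is None:
        return [f"invalid-credential-delay is not N or N-M: {raw!r}"]
    if delay[0] < MIN_DELAY:  # assumption: a range is judged by its lower bound
        return [f"invalid-credential-delay {raw!r} is below the minimum of {MIN_DELAY}"]
    return []


def wrap(method, delay=None):
    """Build a constructed sample config (not taken from a real deployment)."""
    body = f'<add key="pre-authentication-method" value="{method}"/>'
    if delay is not None:
        body += f'<add key="invalid-credential-delay" value="{delay}"/>'
    return f"<appSettings>{body}</appSettings>"


if __name__ == "__main__":
    for method, delay in [("none", "0"), ("telegram", "3-5"), ("otp", "0"), ("push", None)]:
        print(method, delay, check_pre_auth(wrap(method, delay)))
```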
1.0.236
Release 29.02.2024 | Fixed choosing the 2FA confirmation method
Bugfixes
- Fixed: Keep state between Authentication requests
1.0.231
Release 21.02.2024 | Added custom identity attribute
New
- Added the use-attribute-as-identity setting, which allows you to specify the attribute that will be used as an identifier when checking the second factor. You SHOULD use the new setting instead of use-upn-as-identity.
<!-- Use the specified attribute as the user identity when checking the second factor-->
<add key="use-attribute-as-identity" value="mail"/>