Centrify Identity Service, App Edition
Question:
Which Authentication Challenges can be used to provide Multi-Factor Authentication (MFA) for RADIUS connections, and how should they be used?
Answer:
RADIUS, by design, supports only a limited set of challenges, and the RADIUS client (the endpoint) controls the label shown for the first one. Use the reference below for instructions on how to use each challenge.

Note: Regardless of which challenge is selected as Challenge 1 of the Authentication Profile, the endpoint will always prompt for "Password" after the username. Centrify cannot change the wording of that first prompt the way it can for Challenge 2, whose prompt text is sent by the server. This is a limitation of RADIUS, not of Centrify. For that reason it is recommended that Challenge 1 always be "Password", so users are never asked for a different factor under a "Password" label.
Password - The user's password (Active Directory, LDAP, Centrify Cloud user, etc.).
Mobile Authenticator - Available only if the user has enrolled a mobile device with the Centrify mobile app. The user enters the access code shown in the app, or, if they tap the approval link in the app instead, enters '1' at the endpoint prompt to proceed. Tapping the link does not work if this option is used for Challenge 1.
Phone Call - Shown only if the user has a phone number or mobile phone number in their directory (Centrify Cloud, Active Directory, LDAP). Once the call is received and the authentication is completed over the phone, the user must enter '1' in the challenge prompt on the endpoint (Cisco AnyConnect desktop client, etc.) to proceed. This option may not be used for Challenge 1.
Text Message (SMS) - Available only if the user has a mobile phone number in their directory (Centrify Cloud, Active Directory, LDAP). The user should type the code delivered by text message into the challenge prompt on the endpoint. If the URL in the text message is tapped instead, the user must enter '1' in reply to the challenge. This option may not be used for Challenge 1.
Email Confirmation Code - Shown only if the user has a valid email address in the source directory (Centrify Cloud, Active Directory, LDAP). The user confirms the authentication attempt by clicking the approval hyperlink in the email, then enters '1' in the challenge prompt on the endpoint. This option may not be used for Challenge 1.
User Defined Security Question - Available only if the user has logged in to the user portal (https://cloud.centrify.com/my) and set a question and response. The question is displayed, and the user must type the answer exactly as they defined it; the comparison is case sensitive.
OATH OTP Client - Available if the user has configured an OATH OTP client (Google Authenticator, YubiKey, etc.). The user types the displayed code or, with a hardware token, places the cursor in the text entry field and presses the token's button so that it enters the OTP code.
3rd Party RADIUS Authentication - Used when a secure token relies on a non-Centrify (external) RADIUS server (RSA tokens, etc.). The user enters the token code when prompted.
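The following is an added illustration, not Centrify's code, of the RADIUS exchange that the two-challenge profile above relies on: the endpoint sends the password in an Access-Request, the server answers with Access-Challenge carrying a State token and a prompt, and the user's second-round input (an OTP code, a '1' after an out-of-band approval, or a security-question answer) rides back in User-Password together with the unchanged State, as RFC 2865 describes. The server class, user record, codes, shared secret and the use of Reply-Message for the Challenge 2 prompt are assumptions made for the demo; it also enforces the article's rule that Phone Call, SMS and Email may not be Challenge 1, and that the security-question answer is case sensitive.

```python
import hashlib
import secrets

# Constructed demo of a two-challenge RADIUS profile: round 1 is the password,
# round 2 is one factor from the article's list. Nothing here is Centrify code.
SHARED_SECRET = b"demo-shared-secret"  # assumption: NAS/server shared secret

# Second-factor types grouped by what the user types at the endpoint prompt.
CODE_ONLY = {"OATH OTP Client", "3rd Party Radius Authentication"}
CODE_OR_LINK = {"Mobile Authenticator", "Text Message (SMS)"}  # code, or '1' after the link
APPROVAL_ONLY = {"Phone Call", "Email Confirmation Code"}       # '1' after approving
ANSWER = {"User Defined Security Question"}                     # case-sensitive answer
NOT_FOR_CHALLENGE_1 = {"Phone Call", "Text Message (SMS)", "Email Confirmation Code"}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: null-pad to 16-byte blocks and XOR each
    block with MD5(secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed on the shared secret, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the server applies it to every round's User-Password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


class DemoRadiusServer:
    def __init__(self, users, challenge1="Password", challenge2="OATH OTP Client"):
        if challenge1 in NOT_FOR_CHALLENGE_1:
            raise ValueError(f"{challenge1} may not be used for Challenge 1")
        self.users, self.challenge2 = users, challenge2
        self.sessions = {}  # State token -> user name that passed round 1

    def handle(self, req):
        """Process one Access-Request (dict of attributes) and return the reply."""
        user = self.users.get(req["User-Name"])
        typed = reveal_password(req["User-Password"], SHARED_SECRET, req["Authenticator"])
        if user is None:
            return {"Code": "Access-Reject"}
        if "State" not in req:
            # Round 1: the endpoint labelled the prompt "Password" regardless of
            # the profile, so what arrives here is the directory password.
            if not secrets.compare_digest(typed, user["password"].encode()):
                return {"Code": "Access-Reject"}
            token = secrets.token_hex(8)
            self.sessions[token] = req["User-Name"]
            # Reply-Message is the one prompt text the server gets to choose.
            return {"Code": "Access-Challenge", "State": token,
                    "Reply-Message": f"{self.challenge2}: "}
        # Round 2: State must name a session that already passed the password,
        # and it is consumed so the same token cannot be replayed.
        if self.sessions.pop(req["State"], None) != req["User-Name"]:
            return {"Code": "Access-Reject"}
        ok = self.second_factor_ok(user, typed.decode())
        return {"Code": "Access-Accept" if ok else "Access-Reject"}

    def second_factor_ok(self, user, typed):
        f, approved = self.challenge2, user.get("approved_out_of_band", False)
        if f in APPROVAL_ONLY:
            return typed == "1" and approved
        if f in CODE_OR_LINK and typed == "1":
            return approved
        if f in CODE_ONLY or f in CODE_OR_LINK:
            return secrets.compare_digest(typed.encode(), user.get("current_code", "").encode())
        if f in ANSWER:  # exact, case-sensitive match of the stored answer
            return secrets.compare_digest(typed.encode(), user.get("answer", "").encode())
        return False


def access_request(name, typed, state=None):
    """What the endpoint/NAS sends: the typed text rides in User-Password each
    round, and the server's State is echoed back unchanged in round 2."""
    auth = secrets.token_bytes(16)  # fresh Request Authenticator per request
    req = {"User-Name": name, "Authenticator": auth,
           "User-Password": hide_password(typed.encode(), SHARED_SECRET, auth)}
    if state is not None:
        req["State"] = state
    return req


def login(server, name, password, second):
    """Drive both rounds from the endpoint's side; return the final RADIUS code."""
    reply = server.handle(access_request(name, password))
    if reply["Code"] != "Access-Challenge":
        return reply["Code"]
    return server.handle(access_request(name, second, reply["State"]))["Code"]


def demo_user(**overrides):
    """Constructed directory record for the demo (password, OTP code, answer)."""
    user = {"password": "Winter2024!", "current_code": "492817", "answer": "Rex",
            "approved_out_of_band": False}
    user.update(overrides)
    return user
```

For example, `login(DemoRadiusServer({"alice": demo_user()}), "alice", "Winter2024!", "492817")` returns `Access-Accept`, while the same call against a server built with `challenge2="Phone Call"` returns `Access-Reject` unless the record has `approved_out_of_band=True` and the user types `1`. The point the code makes that the text cannot: whatever factor Challenge 2 is, the endpoint only ever ships one typed string per round, which is why link- and call-based factors need the '1' convention and why nothing but the password can sensibly sit behind the fixed "Password" prompt of round 1.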