Assisted Login Configuration
Assisted Login (Authentication Type 9) allows managers, administrators, and other authorized personnel to grant temporary access to end-users who typically do not require permanent access to certain resources. This feature is applicable to both LDAP and database accounts and can be configured either as a default authentication type or on a per-account basis using the Read Optional Attributes feature.
Additionally, in environments where the RADIUS protocol is not supported or for integrating custom web pages, the Magic Link API provides an alternative authentication method. This API enables second-factor authentication using users' mobile numbers (MSISDN), allowing for flexible and customized authentication workflows.
Specify Assisted Login Users
Mideye Server uses LDAP Profiles to define the authentication methods for users. To specify Assisted Login for specific users within an LDAP Profile, follow the steps below.
- Navigate to LDAP Profiles in the Mideye Server web interface.
- Open the relevant LDAP Profile by selecting it from the list.
- Locate the Default Authentication Type in the Authentication tab.
- Set it to ASSISTED LOGIN (9).
In most environments, a combination of TOUCH_ACCEPT/SMS and ASSISTED LOGIN users is required. To achieve this:
- Enable Optional Attributes:
  - Within the LDAP Profile settings Authentication tab, check the Read Optional Attributes box.
  - Specify an Active Directory attribute to host the optional attribute. The default attribute is Pager.
- Assign Assisted Login to Specific Users:
  - Open Active Directory Users and Computers (ADUC).
  - Select and open the user account that should use Assisted Login.
  - Navigate to the Telephones tab.
  - In the Pager field, enter 9.
Creating a New Assisted Login Profile
Follow these steps to create a new Assisted Login Profile:
- Navigate to Assisted Login Profiles:
  - Go to Server Settings in the Web GUI.
  - Select Assisted Login Profiles from the dropdown menu.
- Add a New Profile:
  - Click on the Actions... button.
  - Choose either Add a Normal Profile or Add a Federation Profile based on your requirements.
General Settings Tab
Configure the general settings for the Assisted Login Profile:
- Profile Name:
  Assign a descriptive and unique name to the profile for easy identification.
- Notification Attribute:
  Specify the notification attribute visible to the approver, informing them about pending Assisted Login requests.
- Session and Idle Timeout:
  - Session Timeout:
    Set the maximum duration for the session. Applicable only if RADIUS Attribute 27 (Session-Timeout) is configurable on the RADIUS client (e.g., Cisco AnyConnect, Pulse Secure).
  - Idle Timeout:
    Set the maximum idle time for the session. Applicable only if RADIUS Attribute 28 (Idle-Timeout) is configurable on the RADIUS client.
  Refer to RFC 2865 Section 5.27 and Section 5.28 for detailed information on these attributes.
- Group Matching (Optional):
  Ensure that the approver and user groups have matching components in their Common Names (CN) to facilitate proper group-based access control.
  Group matching triggers Assisted Login based on keywords in AD group names. User and approver group membership is specified using wildcards: the fixed part of the group name indicates whether the group holds users or approvers, and the remaining (wildcard) part must match between the user's group and the approver's group. This separates access to multiple systems without requiring a separate Assisted Login profile for each system.
Add a friendly name and adjust session and idle timeouts.
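As an added illustration of the group matching described above (example code, not Mideye's own; the keyword syntax AL-User-* / AL-Approver-* and the sample group names are assumed), this Python resolves a user's and an approver's group CNs to the shared wildcard part that authorizes the approver for that system:

```python
# Hypothetical group-name keywords (the real Mideye syntax may differ): the fixed part
# marks the group as a user or approver group, '*' stands for the system name.
USER_PATTERN = "AL-User-*"
APPROVER_PATTERN = "AL-Approver-*"


def cn_of(dn: str) -> str:
    """Return the CN value of an LDAP distinguished name (first RDN must be CN=...)."""
    key, sep, value = dn.split(",", 1)[0].partition("=")
    if not sep or key.strip().upper() != "CN":
        raise ValueError(f"expected a CN as first RDN: {dn!r}")
    return value.strip()


def wildcard_part(cn: str, pattern: str):
    """Return the text the single '*' in pattern stands for, or None if cn does not match.

    The fixed parts are compared case-insensitively, as AD names are."""
    prefix, star, suffix = pattern.partition("*")
    if star != "*" or "*" in suffix:
        raise ValueError("pattern must contain exactly one '*'")
    if len(cn) <= len(prefix) + len(suffix):
        return None  # no room for a non-empty system name
    lowered = cn.casefold()
    if not (lowered.startswith(prefix.casefold()) and lowered.endswith(suffix.casefold())):
        return None
    return cn[len(prefix):len(cn) - len(suffix)]


def systems_of(group_dns, pattern):
    """Case-folded system names taken from the group CNs that match pattern."""
    return {part.casefold() for dn in group_dns
            if (part := wildcard_part(cn_of(dn), pattern)) is not None}


def matching_systems(user_groups, approver_groups):
    """Systems the approver may approve the user for: wildcard parts present on both sides.
    An empty list means this approver is not authorized for this user."""
    return sorted(systems_of(user_groups, USER_PATTERN)
                  & systems_of(approver_groups, APPROVER_PATTERN))


# Constructed sample data, not real directory entries.
CONSULTANT_GROUPS = [
    "CN=Domain Users,CN=Users,DC=testlab,DC=virtual",
    "CN=AL-User-VPN,OU=Groups,DC=testlab,DC=virtual",
    "CN=AL-User-Citrix,OU=Groups,DC=testlab,DC=virtual",
]
VPN_MANAGER_GROUPS = ["CN=AL-Approver-vpn,OU=Groups,DC=testlab,DC=virtual"]
HELPDESK_GROUPS = ["CN=AL-Approver-Wifi,OU=Groups,DC=testlab,DC=virtual"]
```

Groups such as Domain Users that match neither keyword are ignored, and a group whose wildcard part is empty does not grant anything.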
Approver Tab
Configure the approver settings:
- Approver Identification Attribute:
  Choose the LDAP attribute used to identify the approver. Default options include sAMAccountName and mobile, but it can be customized to any other available LDAP attribute. (The content of this attribute is what the user types in the challenge to send the request to the approver.)
- Manager Attribute Match:
  In Active Directory Users and Computers (ADUC), ensure that the approver is listed as a Manager in the approver's LDAP profile.
- Authorized Group Membership:
  Specify an LDAP group that includes all authorized approvers.
- Pre-listed Approvers:
  Add approvers based on their unique IDs.
Note
Starting with Mideye Server 6.2, users and approvers are always whitelisted using their user IDs (i.e., the identifier used for login and approver ID). You only need to specify 'approver' in the Assisted Login Profile or enter 'approver@testlab.virtual' when prompted for the approver ID.
Approver setup.
User Tab
Users can either be specified by group or by username.
Configure the user settings:
- Authorized Group Membership:
  Specify an LDAP group that includes all users authorized to use Assisted Login.
- Pre-listed Users:
  Add users based on their User Principal Name (UPN).
Warning
If none of the options are selected, all users will be eligible for approval via Assisted Login.
User setup.
Additional Challenges
Enhance the Assisted Login flow by adding additional challenges to gather more information during login. This requires that the RADIUS client can handle challenge-response messages.
Additional challenges.
RADIUS Client Configuration
Configure the RADIUS client to support Assisted Login:
Modify the RADIUS Client
- Navigate to RADIUS Clients:
  - Go to RADIUS Settings > RADIUS Clients in the Web GUI.
- Edit the Desired RADIUS Client:
  - Select the RADIUS client you wish to enable Assisted Login for.
  - Click Modify.
- Enable Assisted Login:
  - In the Assisted Login section, select the Assisted Login Profile created earlier.
Enable Disconnect Messages
If the RADIUS client (e.g., Pulse Secure) supports Disconnect Messages, enable this option to allow approvers to terminate ongoing sessions directly from the Mideye+ app.
RADIUS Server Configuration
Configure the RADIUS server to customize user messages during Assisted Login:
Configure Message Title
- Navigate to RADIUS Servers:
  - Go to RADIUS Servers in the Web GUI.
- Edit the Assisted Login RADIUS Server:
  - Select the RADIUS server used for Assisted Login and click Edit.
- Set User Messages:
  - In the editing menu, click on User Messages.
  - Scroll down to Assisted Login Messages.
  - Specify the message under Assisted Login Touch Title that will be presented to the user during login.
Configure Lead Text
- Navigate to Assisted Login Messages:
  - Within the same User Messages section, locate the Assisted Login Challenge field.
- Set Lead Text:
  - Enter the desired text that will prompt the user (e.g., "Please enter your Approver ID" instead of the default "Approver ID").
End-User Experience
The following images illustrate the authentication flow when a user initiates an Assisted Login:
- User Attempts Login:
  User consultant@testlab.virtual attempts to log in using username and password.
- Approver Notification:
  The user is prompted to enter the approver ID, which defaults to sAMAccountName and mobile. The user enters the manager's sAMAccountName ('approver').
- Approver Approval:
  The approver (approver) receives a notification that consultant@testlab.virtual is attempting to log in to RADIUS client 10.1.3.5. Upon tapping “Accept”, the authentication attempt is approved.
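Once the approver accepts, the Session Timeout and Idle Timeout from the profile are conveyed to the RADIUS client as attributes 27 and 28 (RFC 2865 Sections 5.27 and 5.28), which is why they apply only if the client honours those attributes. The following Python is an added example, not Mideye's code: it encodes the two attributes exactly as RFC 2865 lays them out and parses them back with length checks, so a practitioner inspecting a capture can confirm what the client actually received; the Access-Accept framing and the 3600/600 values are assumptions.

```python
import struct

# RFC 2865 attribute types referenced by the profile's timeout settings.
SESSION_TIMEOUT = 27  # Section 5.27: seconds the session may last
IDLE_TIMEOUT = 28     # Section 5.28: seconds of inactivity before termination
HEADER = struct.Struct("!BB")  # Type, Length (Length counts the 2-byte header)


def encode_integer_attr(attr_type: int, value: int) -> bytes:
    """Encode a 32-bit integer attribute: Type, Length=6, 4-byte big-endian value."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("RADIUS integer attributes are unsigned 32-bit")
    return struct.pack("!BBI", attr_type, 6, value)


def timeout_attrs(session_seconds: int, idle_seconds: int) -> bytes:
    """Attribute bytes a server would append to an Access-Accept for both timeouts."""
    return (encode_integer_attr(SESSION_TIMEOUT, session_seconds)
            + encode_integer_attr(IDLE_TIMEOUT, idle_seconds))


def parse_attrs(blob: bytes) -> dict:
    """Walk a RADIUS attribute list, rejecting bad lengths instead of reading past the end."""
    attrs, pos = {}, 0
    while pos < len(blob):
        if len(blob) - pos < HEADER.size:
            raise ValueError("truncated attribute header")
        attr_type, length = HEADER.unpack_from(blob, pos)
        if length < HEADER.size or pos + length > len(blob):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        attrs[attr_type] = blob[pos + HEADER.size:pos + length]
        pos += length
    return attrs


def timeouts_of(blob: bytes):
    """(Session-Timeout, Idle-Timeout) in seconds; None where the attribute is absent."""
    attrs = parse_attrs(blob)
    result = []
    for attr_type in (SESSION_TIMEOUT, IDLE_TIMEOUT):
        raw = attrs.get(attr_type)
        if raw is None:
            result.append(None)
        elif len(raw) != 4:
            raise ValueError(f"attribute {attr_type} must carry 4 bytes, got {len(raw)}")
        else:
            result.append(struct.unpack("!I", raw)[0])
    return tuple(result)


# Constructed example: a one-hour session that is dropped after ten idle minutes.
SAMPLE = timeout_attrs(3600, 600)
```

If timeouts_of on a captured Access-Accept returns None for either value, the server never sent that attribute; if it returns the values but the session does not end, the client is ignoring them.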
Assisted Login with RADIUS Disconnect Messages
If the RADIUS client supports RADIUS Disconnect Messages, the approver can terminate an ongoing session directly from the Mideye+ app.
- Session Status:
  When an approved user is granted access, the session appears as “Online” if Disconnect Messages are enabled.
- Terminate Session:
  Swipe left to view session details and click “Stop” to terminate the session. Confirm termination by selecting “Yes”.
Assisted Login with Magic Link
With the introduction of Magic Links, it is now possible to approve logins without requiring the approver to be Mideye+ activated. Approvers receive an SMS with a link that directs them to the Magic Link portal, where they can view login information and approve or deny the request.
Note
To use Magic Links, ensure they are correctly configured in the Mideye Server. Refer to the Magic Link Configuration for detailed setup instructions.
Assisted Login Logs
Assisted Login logs are located under Audit logs. See the documentation here.