Configuring Assisted Login

This guide walks through setting up assisted login from scratch — creating a profile, defining approvers and users, assigning it to a RADIUS client, and verifying the configuration.

Before configuring assisted login, ensure the following are in place:

  • LDAP or Entra ID profile — At least one directory profile must be configured so the server can look up users and approvers. See LDAP Profiles or Entra ID Profiles.
  • RADIUS client — A RADIUS client must exist to assign the assisted login profile to. See RADIUS Clients.
  • Approver device — Approvers need either the Mideye+ app activated (for push notifications) or a valid mobile phone number in the directory (for Magic Link SMS fallback).
  • Directory groups (recommended) — Pre-create the LDAP/AD groups for users and approvers if using group-based matching.

  1. Navigate to Server Settings → Assisted Login Profiles.
  2. Click the Settings button and choose:
    • Add a Normal Profile — for LDAP-backed, single-approver workflows
    • Add a Federation Profile — for identity-provider-backed, multi-approver workflows

  1. Fill in the General tab:

    • Profile name — A unique, descriptive name (e.g., vendor-access, helpdesk-approval)
    • Notification attribute — The LDAP attribute shown to the approver to identify the user (default: displayName)
    • Session timeout / Idle timeout — How long the session stays active (defaults: 120s / 96s)
    • Groups matching part in CN — Enable for wildcard team-based matching (Normal profiles only)

    For federation profiles, set the Resource field to the federated application URI instead of timeouts.

See Assisted Login Profiles → General Tab for all field details.

Switch to the Approver tab.

Configure Approver ID Attributes (Normal Profiles Only)

Set which LDAP attributes the server uses to look up the approver when the user enters an identifier. The defaults cover most scenarios:

sAMAccountName, mobile, userPrincipalName, mobilePhone, mail, uid

The server searches these attributes in order. Add or remove attributes based on your directory schema. At least one is required.

Add directory group names whose members are authorized to approve. For example: VPN-Approvers, IT-Operations.

For federation profiles, use the full Distinguished Name (e.g., CN=VPN-Approvers,OU=Groups,DC=example,DC=com).

For explicit allow-listing of specific approvers, add individual usernames. For federation profiles, use userPrincipalName format.

Enable Manager Requirement (Optional, Normal Profiles Only)

Enable Require Manager if only the user’s direct manager should be able to approve. The server checks the manager attribute in the directory.

Switch to the User tab.

Add directory group names whose members are eligible to request assisted login. Members of any listed group will match this profile.

For explicit allow-listing, add individual usernames. Federation profiles support flexible formats:

| Format | Example | Matches |
|---|---|---|
| UPN | user@partner.com | Exact user |
| Domain | partner.com | All users from that domain |
| Regex | .*@partner\.com | Pattern match |
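
To see how the three formats behave before saving a profile, the following added example (not Mideye code) models them in Python and reports entries that admit UPNs outside the intended domain. The classification heuristic, the function names and the sample entries and UPNs are assumptions constructed here; because the page does not state whether regex entries are matched against the whole UPN or as a substring, both are tested.

```python
import re

# Constructed identity entries as they might be typed into a federation
# profile's user list, and constructed UPNs to probe them with.
ENTRIES = ["user@partner.com", "partner.com", r".*@partner\.com",
           r".*@partner.com", r"^[^@]+@partner\.com$"]
PROBES = ["user@partner.com", "alice@partner.com",
          "alice@partner.com.example.net",  # partner.com is only a prefix
          "alice@partnerxcom"]              # admitted if "." is unescaped

REGEX_CHARS = set("*+?[](){}|\\^$")

def kind(entry):
    """Classify an entry as 'upn', 'domain' or 'regex' (assumed heuristic)."""
    if any(c in REGEX_CHARS for c in entry):
        return "regex"
    return "upn" if "@" in entry else "domain"

def matches(entry, upn, anchored=True):
    """Model of the three formats; `anchored` selects full-string or
    substring regex semantics, since the page does not say which applies."""
    upn, k = upn.lower(), kind(entry)
    if k == "upn":
        return upn == entry.lower()
    if k == "domain":
        return upn.rpartition("@")[2] == entry.lower()
    rx = re.compile(entry, re.IGNORECASE)
    return bool(rx.fullmatch(upn) if anchored else rx.search(upn))

def review(entries, probes, intended_domain):
    """Map each entry to the probe UPNs outside `intended_domain` that it
    admits under either regex semantics. Empty result: no surprises."""
    suffix = "@" + intended_domain.lower()
    findings = {}
    for e in entries:
        hits = [p for p in probes if not p.lower().endswith(suffix)
                and (matches(e, p, True) or matches(e, p, False))]
        if hits:
            findings[e] = hits
    return findings

if __name__ == "__main__":
    for entry, hits in review(ENTRIES, PROBES, "partner.com").items():
        print(f"{entry!r} also admits: {hits}")
```

Writing regex entries with explicit ^ and $ anchors and escaped dots, as in the last sample entry, gives the same result under both semantics.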

Step 4 — Add Challenge Questions (Optional, Normal Profiles Only)

Switch to the Additional Challenges tab to add custom questions that the user must answer during login. Answers are forwarded to the approver and recorded in the audit log.

For each challenge, configure a Question (shown to the user) and a Title (label shown to the approver alongside the answer).

Common examples:

| Question | Title | Use Case |
|---|---|---|
| "Enter your ticket number" | "Ticket #" | IT support access |
| "Reason for access" | "Access Reason" | Compliance documentation |
| "Maintenance window ID" | "Window ID" | Scheduled vendor maintenance |
| "Requesting on behalf of" | "End User" | Help desk scenarios |

Step 5 — Assign Profile to RADIUS Client

  1. Navigate to RADIUS Settings → RADIUS Clients.
  2. Edit the target RADIUS client.
  3. Switch to the Assisted Login tab.
  4. Select one or more assisted login profiles from the dropdown.
  5. Save.

A RADIUS client can have multiple profiles. During authentication, the server evaluates profiles in order and uses the first one where both the user and approver pass validation.

Step 6 — Configure RADIUS Messages (Optional)

Customize the prompts shown during the assisted login flow:

  1. Navigate to RADIUS Settings → RADIUS Servers.
  2. Edit the RADIUS server.
  3. Update:
    • Assisted login challenge message — The prompt for the approver identifier (default: "Enter Approver ID:")
    • Assisted login touch title — The title in the Mideye+ push notification (default: "Assisted Login Request")

  1. Navigate to RADIUS Settings → RADIUS Clients.
  2. Click the Test button on the client with assisted login.
  3. Use Test Approval with a userName and approverName to verify that user/approver matching works against the assigned profiles.

  1. Initiate a RADIUS authentication from a test device.
  2. Confirm the "Enter Approver ID:" challenge is returned.
  3. Enter a valid approver identifier.
  4. Verify the approver receives either a Mideye+ push notification or a Magic Link SMS.
  5. Accept the request and confirm Access-Accept is returned.

  • Authentication Logs — Navigate to Logs → Authentication Logs and filter by the test user. Look for challenge entries, approver identity, and session details.
  • Audit Logs — Navigate to Logs → Audit Logs and look for an entry with type ASSISTED_LOGIN.

Wildcard CN matching enables dynamic team-based approver pairing without maintaining explicit mappings. This is useful in organizations with many teams that follow consistent group naming conventions.

  1. Enable Groups matching part in CN in the profile’s General tab.
  2. Configure User Groups and Approver Groups using regex patterns (e.g., .*keyword.*).
  3. During authentication, the server extracts the keyword from the group CN and checks if both the user and the approver share a group with the same keyword.

A company with regional teams configures:

| User Groups | Approver Groups |
|---|---|
| .*NorthRegion-Users.* | .*NorthRegion-Approvers.* |
| .*SouthRegion-Users.* | .*SouthRegion-Approvers.* |

A user in CN=NorthRegion-Users,OU=Groups,DC=example,DC=com can only be approved by someone in CN=NorthRegion-Approvers,OU=Groups,DC=example,DC=com. The keyword NorthRegion links them automatically.
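
The pairing rule described above can be checked against a directory export before rollout. This added example (not the server's implementation) models it; the keyword-extraction rule (CN text before the first hyphen), full-CN regex matching, the account names and the memberOf data are assumptions constructed for illustration.

```python
import re

# Rows of the example table above: (user-group pattern, approver-group pattern).
PATTERNS = [
    (r".*NorthRegion-Users.*", r".*NorthRegion-Approvers.*"),
    (r".*SouthRegion-Users.*", r".*SouthRegion-Approvers.*"),
]

# Constructed directory export: account -> memberOf DNs.
MEMBER_OF = {
    "anna": ["CN=NorthRegion-Users,OU=Groups,DC=example,DC=com"],
    "sven": ["CN=SouthRegion-Users,OU=Groups,DC=example,DC=com"],
    "omar": ["CN=EastRegion-Users,OU=Groups,DC=example,DC=com"],
    "nils": ["CN=NorthRegion-Approvers,OU=Groups,DC=example,DC=com"],
    "sara": ["CN=SouthRegion-Approvers,OU=Groups,DC=example,DC=com",
             "CN=NorthRegion-Approvers,OU=Groups,DC=example,DC=com"],
}

def group_cn(dn):
    """Value of the first RDN if it is a CN, else None."""
    m = re.match(r"\s*CN=((?:\\.|[^,\\])+)", dn, re.IGNORECASE)
    return m.group(1) if m else None

def team_keywords(account, column):
    """Keywords of the account's groups that match a pattern in `column`
    (0 = user groups, 1 = approver groups). Assumption: the keyword is the
    CN text before the first '-', as in NorthRegion-Users."""
    found = set()
    for dn in MEMBER_OF.get(account, []):
        cn = group_cn(dn)
        if cn and any(re.fullmatch(row[column], cn) for row in PATTERNS):
            found.add(cn.split("-", 1)[0])
    return found

def may_approve(user, approver):
    """True when user and approver share a team keyword."""
    return bool(team_keywords(user, 0) & team_keywords(approver, 1))

def approvers_for(user):
    """Accounts that could approve `user` under the modelled rule."""
    return sorted(a for a in MEMBER_OF if a != user and may_approve(user, a))

def unmatched_users():
    """Accounts in a *-Users group that no configured pattern covers."""
    return sorted(u for u, dns in MEMBER_OF.items()
                  if any((group_cn(d) or "").endswith("-Users") for d in dns)
                  and not team_keywords(u, 0))
```

In this sample, sara can approve for both regions because she belongs to two approver groups, and omar's region has no pattern, so he matches no profile row.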


Federation profiles differ from normal profiles in several ways:

| Feature | Normal Profile | Federation Profile |
|---|---|---|
| Approver selection | User enters one approver | System finds all valid approvers |
| Notification delivery | Single push or SMS | Push to all approvers simultaneously |
| Response handling | Single approver decides | First responder wins |
| Challenge questions | Supported | Not available |
| User matching | Groups + Identities | Identities only (UPN, domain, regex) |
| Timeouts | Configurable | Not configurable |
| Wildcard CN | Supported | Not available |

With federation profiles, the server:

  1. Finds all valid approvers from the profile’s approver groups and identities
  2. Validates phone numbers for all discovered approvers
  3. Sends Mideye+ push notifications to all approvers simultaneously
  4. Lets the first approver to respond determine the outcome
  5. Uses an approver cache to prioritize approvers who have responded previously

| Issue | Possible Cause | Resolution |
|---|---|---|
| Approver not found | Approver ID attribute doesn’t match directory | Verify the LDAP attributes in the Approver tab match your directory’s attribute names |
| Magic Link sent instead of push | Approver hasn’t activated Mideye+ | Have the approver activate the Mideye+ app |
| Federation delivery failure | Approver’s Mideye+ app not active | The approver must have Mideye+ open and connected |
| Missing phone number error | Approver has no mobile attribute in directory | Add a mobile phone number to the approver’s directory record |
| Profile save rejected — “root” blocked | Identity list contains root | Remove root — it is blocked for security |
| Profile save rejected — challenge page limit | More than one challenge page | Only one challenge page per profile is supported |
| User not matched to any profile | Not in any configured group or identity | Check directory group membership against the profile’s user lists |
| Approver validation fails after group change | Directory cache delay | Wait for directory sync, or retry the authentication |