DEV-531 (#63)

### Release 04.08.2025 | Acct-Authentic attribute support for winlogon
#### New
- Added Acct-Authentic attribute support. If the RADIUS packet contains the Acct-Authentic attribute without a domain value, the adapter will skip loading the profile and checking groups membership. If there is no attribute in the packet, the adapter operates in normal mode.
The adapter interprets the attribute values as follows:
```
1 - Domain
2 - Local
3 - Microsoft
```

Author: Tu-S

MultiFactor.Radius.Adapter/Core/IRadiusPacket.cs

@@ -66,5 +66,6 @@ IDictionary<string, List<object>> Attributes
         }
 
         string CreateUniqueKey(IPEndPoint remoteEndpoint);
+        AccountType AccountType { get; }
     }
 }

MultiFactor.Radius.Adapter/Core/RadiusPacket.cs

@@ -117,6 +117,15 @@ public string RemoteHostName
         public string NasIdentifier => GetString("NAS-Identifier");
         public string State => GetString("State");
 
+        public AccountType AccountType
+        {
+            get
+            {
+                var attrValue = AcctAuthentic ?? 0;
+                return UintToAccountType(attrValue);
+            }
+        }
+        
         public string TryGetUserPassword()
         {
             var password = UserPassword;
@@ -285,5 +294,41 @@ public object Clone()
 
             return packet;
         }
+        
+        private uint? AcctAuthentic
+        {
+            get
+            {
+                if (Attributes.TryGetValue("Acct-Authentic", out var values))
+                {
+                    return values.FirstOrDefault() as uint?;
+                }
+
+                return null;
+            }
+        }
+
+        private static AccountType UintToAccountType(uint value)
+        {
+            switch (value)
+            {
+                case 1:
+                    return AccountType.Domain;
+                case 2:
+                    return AccountType.Local;
+                case 3:
+                    return AccountType.Microsoft;
+                default:
+                    return AccountType.Domain;
+            }
+        }
+    }
+    
+    public enum AccountType
+    {
+        Unknown = 0,
+        Domain = 1,
+        Local = 2,
+        Microsoft = 3
     }
 }

MultiFactor.Radius.Adapter/Server/FirstAuthFactorProcessing/AnonymousProcessor.cs

@@ -37,29 +37,39 @@ public AnonymousProcessor(ActiveDirectoryMembershipVerifier membershipVerifier,
 
         public Task<PacketCode> ProcessFirstAuthFactorAsync(PendingRequest request)
         {
-            if (request.Configuration.CheckMembership)
+            if (request.RequestPacket.AccountType != AccountType.Domain)
             {
-                // check membership without AD authentication
-                var result = _membershipVerifier.VerifyMembership(request);
-                var handler = new MembershipVerificationResultHandler(result);
-
-                handler.EnrichRequest(request);
-                return Task.FromResult(handler.GetDecision());
+                _logger.Information("User '{user}' used '{accountType}' account to log in. Membership check is skipped.", request.UserName, request.RequestPacket.AccountType);
             }
-
-            if (request.Configuration.UseIdentityAttribute)
+            else
             {
-                var attrs = LoadRequiredAttributes(request, request.Configuration.TwoFAIdentityAttribyte);
-                if (!attrs.ContainsKey(request.Configuration.TwoFAIdentityAttribyte))
+                if (request.Configuration.CheckMembership)
                 {
-                    _logger.Warning("Attribute '{TwoFAIdentityAttribyte}' was not loaded", request.Configuration.TwoFAIdentityAttribyte);
-                    return Task.FromResult(PacketCode.AccessReject);
+                    // check membership without AD authentication
+                    var result = _membershipVerifier.VerifyMembership(request);
+                    var handler = new MembershipVerificationResultHandler(result);
+
+                    handler.EnrichRequest(request);
+                    return Task.FromResult(handler.GetDecision());
                 }
 
-                var existedAttributes = new LdapAttributes(request.Profile.LdapAttrs);
-                existedAttributes.Replace(request.Configuration.TwoFAIdentityAttribyte, new[] { attrs[request.Configuration.TwoFAIdentityAttribyte].FirstOrDefault() });
-                request.Profile.UpdateAttributes(existedAttributes);
+                if (request.Configuration.UseIdentityAttribute)
+                {
+                    var attrs = LoadRequiredAttributes(request, request.Configuration.TwoFAIdentityAttribyte);
+                    if (!attrs.ContainsKey(request.Configuration.TwoFAIdentityAttribyte))
+                    {
+                        _logger.Warning("Attribute '{TwoFAIdentityAttribyte}' was not loaded",
+                            request.Configuration.TwoFAIdentityAttribyte);
+                        return Task.FromResult(PacketCode.AccessReject);
+                    }
+
+                    var existedAttributes = new LdapAttributes(request.Profile.LdapAttrs);
+                    existedAttributes.Replace(request.Configuration.TwoFAIdentityAttribyte,
+                        new[] { attrs[request.Configuration.TwoFAIdentityAttribyte].FirstOrDefault() });
+                    request.Profile.UpdateAttributes(existedAttributes);
+                }
             }
+
             return Task.FromResult(PacketCode.AccessAccept);
         }
 

MultiFactor.Radius.Adapter/Server/FirstAuthFactorProcessing/RadiusFirstAuthFactorProcessor.cs

@@ -48,6 +48,12 @@ public async Task<PacketCode> ProcessFirstAuthFactorAsync(PendingRequest request
             {
                 return radiusResponse;
             }
+            
+            if (request.RequestPacket.AccountType != AccountType.Domain)
+            {
+                _logger.Information("User '{user}' used '{accountType}' account to log in. Membership check is skipped.", request.UserName, request.RequestPacket.AccountType);
+                return radiusResponse;
+            }
 
             if (request.Configuration.CheckMembership)
             {

MultiFactor.Radius.Adapter/Server/PendingRequest.cs

@@ -40,7 +40,7 @@ public class PendingRequest
         public string ReplyMessage { get; set; }
 
         public string UserName { get; private set; }
-        public IList<string> UserGroups { get; set; }
+        public IList<string> UserGroups { get; set; } = new List<string>();
 
         public bool MustChangePassword { get; private set; }
         public string MustChangePasswordDomain { get; private set; }
@@ -50,8 +50,21 @@ public class PendingRequest
         /// <summary>
         /// Should use for 2FA request to MFA API.
         /// </summary>
-        public string SecondFactorIdentity => Configuration.UseIdentityAttribute ? Profile.LdapAttrs.GetValue(Configuration.TwoFAIdentityAttribyte) : UserName;
-
+        public string SecondFactorIdentity
+        {
+            get
+            {
+                if (!Configuration.UseIdentityAttribute)
+                    return UserName;
+                var identity = Profile.LdapAttrs.GetValue(Configuration.TwoFAIdentityAttribyte);
+                var name = string.IsNullOrWhiteSpace(identity) && RequestPacket.AccountType != AccountType.Domain
+                    ? UserName
+                    : identity;
+                
+                return name;
+            }
+        }
+        
         public AuthenticationState AuthenticationState { get; private set; }
         public UserPassphrase Passphrase { get; private set; }
 

MultiFactor.Radius.Adapter/Services/ActiveDirectory/ActiveDirectoryService.cs

@@ -12,6 +12,7 @@
 using System.DirectoryServices.AccountManagement;
 using System.DirectoryServices.Protocols;
 using System.Linq;
+using MultiFactor.Radius.Adapter.Core;
 
 namespace MultiFactor.Radius.Adapter.Services.ActiveDirectory
 {
@@ -85,7 +86,12 @@ public bool VerifyCredentialAndMembership(PendingRequest request)
             try
             {
                 VerifyCredential(user, request);
-                return VerifyMembership(request.Configuration, user, request);
+
+                if (request.RequestPacket.AccountType == AccountType.Domain)
+                    return VerifyMembership(request.Configuration, user, request);
+                
+                _logger.Information("User '{user}' used '{accountType}' account to log in. Membership check is skipped.", request.UserName, request.RequestPacket.AccountType);
+                return true;
             }
             catch (LdapException lex)
             {