Radius -MFA in cas 6.6.8

Vikash Chandra Ansh

Aug 8, 2023, 7:50:36 AM
to CAS Community
Hi Everyone,

We are trying to implement radius MFA in CAS. In our case, our primary authentication will be LDAP, and then for MFA we need RSA.

I have also added the dependency cas-server-support-radius-mfa.

I have added the required properties like client.inet-address and shared-secret.
But still I cannot see any hit on the radius server.
Can anyone please help here?

The CAS version I am using is 6.6.8.

Thanks and regards
Vikash Chandra 

Ray Bon

Aug 9, 2023, 12:59:53 PM
to cas-...@apereo.org
Vikash,

Is it possible there is a network issue?

Ray


Vikash Chandra Ansh

Aug 10, 2023, 4:58:14 AM
to CAS Community
Hi Ray,

We have a NW change in place. There is UDP connectivity from my CAS server to the radius server (unidirectional) on ports 1812 and 1813.


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ebab25780f77a0697d2191e2fc4e466d00d59f56.camel%40uvic.ca.

Vikash Chandra Ansh

Aug 17, 2023, 6:17:03 AM
to CAS Community
Hi Ray,

Could you please suggest which properties need to be enabled to use Radius as 2FA? My primary authentication will be LDAP.

Thanks and Regards
Vikash Chandra 

Ray Bon

Aug 17, 2023, 1:54:43 PM
to cas-...@apereo.org
Vikash,

I have these ldap properties for cas authentication:

cas.authn.ldap[0].type=
cas.authn.ldap[0].ldapUrl=
cas.authn.ldap[0].connectTimeout=
cas.authn.ldap[0].baseDn=
cas.authn.ldap[0].subtreeSearch=
cas.authn.ldap[0].searchFilter=
cas.authn.ldap[0].bindDn=cn=
cas.authn.ldap[0].bindCredential=

I have not used Radius, so I am unfamiliar with its config. https://apereo.github.io/cas/6.6.x/mfa/RADIUS-Authentication.html

Ray

Vikash Chandra Ansh

Aug 17, 2023, 2:57:38 PM
to CAS Community
Thanks Ray 

My LDAP authentication is working fine. On top of it I want Radius as 2FA, which is where I am struggling.

Could anybody please help here?

Thanks and regards
Vikash Chandra 

Petr Bodnár

Aug 18, 2023, 3:12:46 AM
to CAS Community, vikasha...@gmail.com
Vikash,

as you haven't provided many details (e.g. what you actually see in the CAS UI and in the CAS logs), I can only guess that maybe you just haven't activated the Radius MFA provider, for example via the "cas.authn.mfa.triggers.global.global-provider-id" property - see https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-Global.html, which is one of the available MFA triggers.

Petr
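The complete property set for the setup Vikash is asking about (LDAP as the primary handler, RADIUS as the second factor, activated for every login), assembled here as an added example; it is not configuration posted in this thread or shipped by the CAS project. The LDAP and RADIUS client property names are the ones named in the thread and in the 6.6.x RADIUS MFA documentation; the authentication/accounting port properties and the failure-mode property are assumed from the CAS documentation rather than taken from the thread, and hosts, DNs and secrets are placeholders. CAS binds property names leniently, so Ray's camelCase spelling (ldapUrl) and the kebab-case spelling below are equivalent.

```properties
# Added example (not from this thread): LDAP primary authentication with
# RADIUS as the second factor, enforced for every login by the global trigger.
# Hosts, DNs, ports and secrets are placeholders; replace them with your own.

# Primary factor: LDAP authentication handler (the properties Ray listed)
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldap-url=ldaps://ldap.example.org:636
cas.authn.ldap[0].connect-timeout=PT5S
cas.authn.ldap[0].base-dn=ou=people,dc=example,dc=org
cas.authn.ldap[0].subtree-search=true
cas.authn.ldap[0].search-filter=uid={user}
cas.authn.ldap[0].bind-dn=cn=cas-bind,ou=services,dc=example,dc=org
cas.authn.ldap[0].bind-credential=CHANGE-ME-bind-password

# Second factor: RADIUS (module cas-server-support-radius-mfa)
cas.authn.mfa.radius.client.inet-address=radius.example.org
cas.authn.mfa.radius.client.shared-secret=CHANGE-ME-shared-secret
cas.authn.mfa.radius.client.transport-type=UDP
# Port properties assumed from the CAS docs; 1812/1813 are the standard RADIUS ports
cas.authn.mfa.radius.client.authentication-port=1812
cas.authn.mfa.radius.client.accounting-port=1813
# Assumed property: keep the provider fail-closed so that an unreachable
# RADIUS server blocks the login instead of silently skipping the second factor
cas.authn.mfa.radius.failure-mode=CLOSED

# Trigger: activate the RADIUS provider (id mfa-radius) after every
# successful primary authentication
cas.authn.mfa.triggers.global.global-provider-id=mfa-radius
```

With the global trigger set, CAS attempts the RADIUS provider after every successful LDAP login, which is why an unreachable RADIUS host shows up only at that second step. The failure mode is the setting to check first whenever CAS logs that the second factor was bypassed although no bypass rule was configured: with an OPEN failure mode a provider that cannot be pinged is skipped and the user is let through on the first factor alone, whereas CLOSED (the documented CAS default when the property is left unset; verify against the 6.6.x docs) fails the login.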

Vikash Chandra Ansh

Aug 21, 2023, 10:50:00 AM
to Petr Bodnár, Ray Bon, CAS Community
Hi Peter and Ray,

Thanks for your input. I have added the global trigger and set the value as mfa-radius.

Now I am getting a type mismatch error.

Please find the logs below:

Ignoring the received exception (org.springframework.web.util.NestedServletException:
Handler dispatch failed; nested exception is java.lang.NoClassDefFoundError: org/bouncycastle/asn1/DERObjectIdentifier) due to type mismatch with handler [[
FlowHandlerMapping.DefaultFlowHandler@3b873134]]

3823-03-31 13:40:47,365 ERROR [org.springframework.boot.web.servlet.support.ErrorPageFilter] Forwarding to error page from request [/login] due to exception [org/bouncycastle/asn1/DERObjectIdentifier]

Thanks and regards
Vikash

Vikash Chandra Ansh

Aug 22, 2023, 4:48:53 AM
to Petr Bodnár, Ray Bon, CAS Community
Hi All ,

One more observation is that I am getting authentication success and a few multifactor authentication bypass logs on the server. However, I haven't added any bypass mechanism.

Could someone please help here?

Thanks & Regards
Vikash Chandra 

Vikash Chandra Ansh

Aug 24, 2023, 10:23:34 AM
to Petr Bodnár, Ray Bon, CAS Community
Hi All,

Please help here. The issue is still not resolved.

Vikash Chandra Ansh

Aug 24, 2023, 10:37:57 AM
to Petr Bodnár, CAS Community, Ray Bon
Thanks, I'll check it out. 


Petr Bodnár

Aug 24, 2023, 10:40:34 AM
to CAS Community, vikasha...@gmail.com, CAS Community, Petr Bodnár, Ray Bon
Hi Vikash,

a) regarding the NoClassDefFoundError, can you please try to add the following dependency to your Gradle (or do you use Maven?) project configuration and see if it helps?


That's the library that should contain the missing DERObjectIdentifier class. According to the contents of https://github.com/apereo/cas/blob/v6.6.8/support/cas-server-support-radius-mfa/build.gradle, it seems this library is added to the project, but only conditionally, so maybe that's the reason this information doesn't seem to get projected into the final artifact, i.e. you won't find the bcprov library listed e.g. on https://mvnrepository.com/artifact/org.apereo.cas/cas-server-support-radius-mfa/6.6.10.

b) Regarding the bypasses, I have no clue. I can only recommend checking the logs (possibly increasing the log level to DEBUG) and diffing the configuration files against the CAS overlay template...

Petr


Vikash Chandra Ansh

Aug 29, 2023, 5:20:59 AM
to CAS Community, Ray Bon
Hi All, 

I have dug into the flow for Radius token MFA.

It refers to the class RadiusMultifactorProvider, where the canPing() method is called, which in turn calls RadiusServer.java, where the authenticate method (CasRadiusResponse) is called. This method is now validating the username and password against the radius server. For this reason alone I am getting a null flow execution.

Can someone suggest why this is happening, as my authentication has already succeeded via the LDAP authentication handler? It should now go to the radius token page for token check and validation.

Hi Misagh, please suggest whether my understanding is valid or not.

I just want the flow where authentication is done by LDAP and 2FA with Radius. Please help here.

Thanks and regards
Vikash Chandra 

Vikash Chandra Ansh

Aug 29, 2023, 3:58:23 PM
to Petr Bodnár, CAS Community
Thanks for the clarification Peter.

So you are saying that the username and password in the canPing method are the radius server's inet address and shared secret respectively?


Petr Bodnár

Aug 29, 2023, 10:56:33 PM
to CAS Community, vikasha...@gmail.com, CAS Community
Not quite like that. From the linked source code (I haven't checked it live), it looks like "RadiusMultifactorAuthenticationProvider" (the name of the class) is sent as both username and password via the canPing method.

Petr Bodnár

Aug 29, 2023, 10:56:33 PM
to CAS Community, vikasha...@gmail.com, Ray Bon
Hi Vikash,

I'm a bit confused now - because what you describe about pinging a Radius server seems to be just fine: you can see in the source code of RadiusMultifactorAuthenticationProvider (here) that the pinging method does send a testing username and password (i.e. not the ones from the login form) and it only fails when a TimeoutException or SocketTimeoutException is thrown from all the configured Radius servers.

So maybe your Radius server (host and/or port) is just not accessible from your CAS server? You hint above that you are using the default "cas.authn.mfa.radius.client.transport-type=UDP" and that you have the appropriate UDP ports open - can you confirm this, e.g. by using one of the tools listed at https://www.baeldung.com/linux/udp-port-testing?

BTW I take your message as a confirmation that adding the bcprov library to your CAS instance explicitly did help and you are solving another problem within the flow now. Feel free to correct me.

Regards
Petr


Vikash Chandra Ansh

Sep 7, 2023, 12:48:19 AM
to Petr Bodnár, CAS Community
Hi All,

I have checked everything from my end, but still no luck.

Misagh, could you please share your thoughts? It would be quite helpful.

Thanks and regards
Vikash Chandra 

On Wed, Aug 30, 2023, 2:37 AM Vikash Chandra Ansh <vikasha...@gmail.com> wrote:
It's the Network team.

On Wed, Aug 30, 2023, 2:03 AM <p.bo...@centrum.cz> wrote:

Hi there,

what does "NW" stand for?

According to https://serverfault.com/questions/35218/in-windows-using-the-command-line-how-do-you-check-if-a-remote-port-is-open, they recommend either using Portqry (download from https://www.microsoft.com/en-us/download/details.aspx?id=17148&6B49FDFB-8E5B-4B07-BC31-15695C5A2143=1, or there is also a UI version) or "a port of netcat" (download probably from https://eternallybored.org/misc/netcat/ and notice the remark about antiviruses...). I would probably go with Portqry.

I don't use these tools myself (commonly testing just TCP connections), so thanks in advance for letting me know about the results... :)

Petr

______________________________________________________________
> From: "Vikash Chandra Ansh" <vikasha...@gmail.com>
> To: "Petr Bodnár" <p.bo...@centrum.cz>
> Date: 29.08.2023 22:05
> Subject: Re: [cas-user] Radius -MFA in cas 6.6.8
>

Hi Peter,
Yes, the transport type is UDP in our case. However, I was not able to test UDP ports on my Windows machine. I have asked my NW team, and they have confirmed that 1812 and 1813 have been enabled at the destination end for my machine.
Is there any way to test this on a Windows machine?

Vikash Chandra Ansh

Sep 13, 2023, 5:15:15 AM
to Petr Bodnár, CAS Community
Hi All,

I am able to connect to RSA and get myself authenticated. The issue was with the bouncycastle jar. I have added the dependency explicitly and removed the old version manually to resolve the issue.

Hi Peter,

Could you suggest how we can add multiple inet addresses for RSA?

That is, how does the property need to be configured?

Thanks and regards
Vikash Chandra

p.bo...@centrum.cz

Sep 13, 2023, 6:36:37 AM
to cas-...@apereo.org

Hi Vikash,

congrats on finally making it work.

Regarding what you write about the bouncycastle.jar, this is an interesting "plot twist", because I wouldn't expect this library to relate to the connection issues you've reported lately. Also, as I described before, I wouldn't even expect any bouncycastle.jar (bcprov.jar) to be present in the cas.war unless explicitly specified. But yeah, one doesn't always hit the target... ;)

> Could you suggest how we can add multiple inet address for RSA (edit: you surely mean RADIUS here).
>
> Like how the property needs to be configured

This doesn't seem to be currently possible - you can define just one address for RADIUS. If you need multiple addresses, you would have to override the bean method public BeanContainer<RadiusServer> radiusTokenServers from the RadiusTokenAuthenticationEventExecutionPlanConfiguration class - in its source code you can see that, based on the documented CAS / RADIUS properties, it creates (logically) just one RadiusServer instance and puts it in the resulting list.

Regards
Petr

______________________________________________________________
> From: "Vikash Chandra Ansh" <vikasha...@gmail.com>
> To: "Petr Bodnár" <p.bo...@centrum.cz>, "CAS Community" <cas-...@apereo.org>
> Date: 13.09.2023 11:16


Vikash Chandra Ansh

Sep 13, 2023, 8:59:14 AM
to CAS Community
Thanks Peter

I will check this out
