Hi,
We have used CAS for about 10 years with LdapAuthenticationHandler against Active Directory. All good.
At the moment we are working to configure MFA on CAS. Our company (an educational institution) is using SMS Passcode from censornet.com to implement MFA.
We have succeeded in configuring CAS MFA using RadiusAuthenticationHandler and the multifactor provider mfa-radius (no LDAP used). SMS Passcode supports RADIUS.
Everything is good for a "clean" LdapAuthenticationHandler (no MFA) setup and a "clean" RadiusAuthenticationHandler (MFA) setup.
Then, working with bypass ("step up" or "step down"), it becomes tricky.
When bypassing the MFA provider mfa-radius with RadiusAuthenticationHandler, the CAS page/web flow does the bypass. But because authentication is done against RADIUS, it also triggers a challenge and the user gets an unneeded SMS.
Then we tried to use LdapAuthenticationHandler and RadiusAuthenticationHandler together. With a Groovy script we tried to "step up" from LdapAuthenticationHandler to RadiusAuthenticationHandler with the mfa-radius provider. The user is then authenticated against LDAP. After that, the CAS page/web flow shows the page for the one-time password but expects the user's password a second time. Then CAS actually authenticates against RADIUS. The user gets an SMS but is already authenticated and the page/web flow is completed.
We have tried variations of MFA "step up" and "step down" by using service definitions and Groovy scripts.
Somehow it seems simpler to have a kind of split configuration where CAS uses a "clean" LDAP configuration for non-MFA and, on the other hand, a "clean" RADIUS configuration with the mfa-radius provider when MFA is needed.
Is something like this possible? Any ideas?
Version is cas-overlay-template 5.3.9
Regards, Henrik
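As an added example (not from the post above and not CAS project code), here is the shape of a Groovy multifactor trigger script for CAS 5.3 that decides per request whether to step up to mfa-radius. The idea is that LdapAuthenticationHandler stays the only primary handler, and the RADIUS server (SMS Passcode) is contacted only by the mfa-radius provider, and only when the script returns that provider id; returning null selects no provider, so no SMS is triggered. The file path, the `memberOf` attribute, the group DN and the service pattern are assumptions; the `run(Object...)` argument order and the wiring property `cas.authn.mfa.groovyScript=file:/etc/cas/config/MfaTrigger.groovy` follow the CAS 5.3 documentation as recalled, so verify them against the overlay's own docs before relying on them.

```groovy
import org.apereo.cas.authentication.Authentication
import org.apereo.cas.authentication.principal.Service
import org.apereo.cas.services.RegisteredService

// Added example for CAS 5.3 (not project code). Assumed location:
//   /etc/cas/config/MfaTrigger.groovy
// referenced from cas.properties with (property name as recalled from 5.3 docs):
//   cas.authn.mfa.groovyScript=file:/etc/cas/config/MfaTrigger.groovy
// Primary authentication is expected to run only through LdapAuthenticationHandler.
// RADIUS is reached only through the mfa-radius provider, and only when this
// script returns its id, so a non-MFA login never causes an SMS.
class MfaTrigger {
    // Assumed values; replace with the real AD group DN and service pattern.
    static final String MFA_GROUP_DN = "CN=mfa-users,OU=Groups,DC=example,DC=edu"
    static final String MFA_SERVICE_PATTERN = /^https:\/\/(hr|finance)\.example\.edu.*/

    String run(final Object... args) {
        def service = args[0] as Service                    // service being accessed
        def registeredService = args[1] as RegisteredService // matching service definition
        def authentication = args[2] as Authentication       // result of the LDAP login
        def logger = args[3]                                 // slf4j logger supplied by CAS

        def principal = authentication.principal
        // memberOf must be released by the LDAP handler (principalAttributeList) to be present.
        def memberOf = principal.attributes.get("memberOf")
        def groups = memberOf instanceof Collection ? memberOf : [memberOf]
        def inMfaGroup = groups.any { it != null && it.toString().equalsIgnoreCase(MFA_GROUP_DN) }

        // Step up for sensitive services regardless of group membership.
        def sensitiveService = service?.id ==~ MFA_SERVICE_PATTERN

        if (inMfaGroup || sensitiveService) {
            logger.debug("Stepping up [{}] to mfa-radius for service [{}]", principal.id, service?.id)
            return "mfa-radius"
        }
        // Step down: no provider selected, RADIUS is never contacted.
        logger.debug("No MFA required for [{}] on service [{}]", principal.id, service?.id)
        return null
    }
}
```

With this split, a user who is not in the group and is not opening a sensitive service completes the flow on the LDAP password alone, while a stepped-up user sees the mfa-radius token page, where CAS sends the one-time code (not the AD password) to the RADIUS server as the second factor.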