LDAP and Radius


Christian Blich
Jul 19, 2018, 2:52:01 AM
to CAS Community
We are trying to upgrade our CAS from version 2.0 to 5.2 / 5.3 and have LDAP authentication up and running, and have Radius working as well, but CAS will first ask for username and password to log in to the LDAP, then ask for the same password to call Radius, and then the SMS code. The middle step we want to get rid of, so is it possible to make the login to the radius reuse the username and password from LDAP?

In the end we want one of the following combinations:

1. LDAP authentication for username and password, then Radius OTP SMS password when the risk is at the certain level.
2. Radius authentication and then enrich the user login with info from LDAP, but it doesn't look like the Radius is receiving other information on the user than username and password.


The reason is that we want to use SMS as a two-factor validation in risk situations, when f.ex. somebody has given out their username and password in phishing attempts. But in general we want the LDAP to be the login validator. We already use a supplier with radius to handle our VPN login with multifactor, but for test purposes have made our own simple radius server.



李朝林
Jun 19, 2019, 9:21:51 PM
to CAS Community, ck...@ruc.dk
hi Christian:
  We have been using ldap + CAS for a long time. Recently we wanted to add two-factor authentication (LDAP + Radius-mfa).
  But after ldap authentication is ok, it redirects to the login success page without showing the radius token password page?
  Can you help check my configuration? Thx

application.properties:
cas.authn.mfa.radius.server.nasPortId=-1
cas.authn.mfa.radius.server.nasRealPort=-1
cas.authn.mfa.radius.server.protocol=EAP_MSCHAPv2
cas.authn.mfa.radius.server.retries=3
cas.authn.mfa.radius.server.nasPortType=-1
cas.authn.mfa.radius.server.nasPort=-1
cas.authn.mfa.radius.server.nasIpAddress=
cas.authn.mfa.radius.server.nasIpv6Address=
cas.authn.mfa.radius.server.nasIdentifier=-1

cas.authn.mfa.radius.client.authenticationPort=1812
cas.authn.mfa.radius.client.sharedSecret=xxxxxx
cas.authn.mfa.radius.client.socketTimeout=0
cas.authn.mfa.radius.client.inetAddress=172.x.x.x
cas.authn.mfa.radius.client.accountingPort=1813

cas.authn.radius.failoverOnException=false
cas.authn.radius.failoverOnAuthenticationFailure=false
pom.xml
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-radius-mfa</artifactId>
    <version>5.3.0-RC4</version>
</dependency>


On Thursday, July 19, 2018 at 2:52:01 PM UTC+8, Christian Blich wrote:

Ray Bon
Jun 20, 2019, 11:21:16 AM
to cas-...@apereo.org, ck...@ruc.dk
You also have to set MFA for your service(s).

Ray
-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

李朝林
Jun 20, 2019, 9:06:54 PM
to CAS Community, ck...@ruc.dk

Hi robin
   How do I set MFA for my service(s)? In the CAS configuration or on the radius device?
Thx!
   
On Thursday, June 20, 2019 at 11:21:16 PM UTC+8, rbon wrote:

Ray Bon
Jun 21, 2019, 11:22:37 AM
to cas-...@apereo.org, ck...@ruc.dk
If you use the service management application, there is a tab for MFA.

Ray

李朝林
Jul 17, 2019, 10:40:07 AM
to CAS Community, ck...@ruc.dk
Ray, thx very much. I encountered another problem: my system contains multiple addresses, and the configuration is as follows:
cas.authn.mfa.radius.client.inetAddress=127.0.0.1,127.0.0.2
The radius server fails to parse inetAddress: hostname not found exception.

On Friday, June 21, 2019 at 11:22:37 PM UTC+8, rbon wrote:

Ray Bon
Jul 17, 2019, 12:00:22 PM
to cas-...@apereo.org, ck...@ruc.dk
Post some debug logs. Sometimes the problem is identified in another location.

Ray

李朝林
Jul 17, 2019, 10:01:07 PM
to CAS Community, ck...@ruc.dk
Hi, debug log as follows, thx!
(attached screenshot: 20190718095523.jpg)



On Thursday, July 18, 2019 at 12:00:22 AM UTC+8, rbon wrote:

Ray Bon
Jul 18, 2019, 12:04:55 PM
to cas-...@apereo.org, ck...@ruc.dk
It looks like CAS is unable to connect/find those hosts.
Could it be that only one address is allowed for the radius client?

Remove one of the hosts and try again.

If there is still a problem, then it is most likely a network/firewall issue.

Ray

李朝林
Jul 20, 2019, 11:09:34 AM
to CAS Community, ck...@ruc.dk
cas.authn.mfa.radius.client.inetAddress=127.0.0.1  Test is OK
cas.authn.mfa.radius.client.inetAddress=127.0.0.2  Test is OK
cas.authn.mfa.radius.client.inetAddress=127.0.0.1,127.0.0.2  I encountered a host or service name not found exception
At the same time I read the CAS source code, and I can't find where 'cas.authn.mfa.radius.client.inetAddress' is parsed to create multiple radius services to
ensure failoverException; it just treats '127.0.0.1,127.0.0.2' as one radius service address (5.3.4-RC):

@RefreshScope
@Bean
public List<RadiusServer> radiusTokenServers() {
    final List<RadiusServer> list = new ArrayList<>();
    final RadiusClientProperties client = casProperties.getAuthn().getMfa().getRadius().getClient();
    final RadiusServerProperties server = casProperties.getAuthn().getMfa().getRadius().getServer();

    // the whole inetAddress string is handed to the factory as a single host
    final RadiusClientFactory factory = new RadiusClientFactory(client.getAccountingPort(), client.getAuthenticationPort(),
        client.getSocketTimeout(), client.getInetAddress(), client.getSharedSecret());

    final RadiusProtocol protocol = RadiusProtocol.valueOf(server.getProtocol());
    final JRadiusServerImpl impl = new JRadiusServerImpl(protocol, factory, server.getRetries(),
        server.getNasIpAddress(), server.getNasIpv6Address(),
        server.getNasPort(), server.getNasPortId(), server.getNasIdentifier(), server.getNasRealPort());

    list.add(impl);
    return list;
}
On Friday, July 19, 2019 at 12:04:55 AM UTC+8, rbon wrote:

Ray Bon
Jul 22, 2019, 12:18:18 PM
to cas-...@apereo.org, ck...@ruc.dk
It looks like multiple addresses are only for failover, which you have as false, https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#radius-configuration

Ray
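As an added illustration, not CAS code and not posted by anyone in this thread: a hypothetical model of the behaviour Ray points to, where a comma-separated inetAddress is split into one host per entry and the hosts are tried in order, with failoverOnException and failoverOnAuthenticationFailure deciding whether the next host is consulted. The RadiusEndpoint interface, the unreachable first host and the sample credentials are constructed for the example.

```java
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical model of the failover semantics; not CAS's implementation.
public class RadiusFailoverDemo {
    // Stand-in for a RADIUS endpoint (hypothetical, not CAS's RadiusServer):
    // true = Access-Accept, false = Access-Reject, exception = host unreachable.
    interface RadiusEndpoint {
        boolean authenticate(String username, String password) throws Exception;
    }
    // Split "127.0.0.1,127.0.0.2" into separate hosts rather than resolving the
    // whole string as one hostname (the "hostname not found" error in the thread).
    static List<String> parseInetAddresses(String inetAddress) {
        List<String> hosts = new ArrayList<>();
        for (String part : inetAddress.split(",")) {
            String host = part.trim();
            if (!host.isEmpty()) hosts.add(host);
        }
        return hosts;
    }
    // Try hosts in order: a reject stops unless failoverOnAuthFailure is set, an
    // exception propagates unless failoverOnException is set.
    static boolean authenticateWithFailover(List<RadiusEndpoint> endpoints, String user,
            String pass, boolean failoverOnException, boolean failoverOnAuthFailure) throws Exception {
        Exception last = null;
        for (RadiusEndpoint endpoint : endpoints) {
            try {
                if (endpoint.authenticate(user, pass)) return true;
                if (!failoverOnAuthFailure) return false;
            } catch (Exception e) {
                if (!failoverOnException) throw e;
                last = e;
            }
        }
        if (last != null) throw last;   // every host was unreachable
        return false;
    }
    public static void main(String[] args) throws Exception {
        List<String> hosts = parseInetAddresses("127.0.0.1, 127.0.0.2");   // constructed value
        // Constructed endpoints: first host is down, second accepts one constructed user.
        RadiusEndpoint down = (u, p) -> { throw new UnknownHostException(hosts.get(0) + " unreachable"); };
        RadiusEndpoint up = (u, p) -> u.equals("alice") && p.equals("123456");
        List<RadiusEndpoint> endpoints = Arrays.asList(down, up);
        System.out.println("failoverOnException=true -> " + authenticateWithFailover(endpoints, "alice", "123456", true, false));
        try { authenticateWithFailover(endpoints, "alice", "123456", false, false); }
        catch (UnknownHostException e) { System.out.println("failoverOnException=false -> " + e.getMessage()); }
    }
}
```

With both failover flags false, as in the configuration posted above, only the first host is ever consulted, so a second address adds nothing until one of the flags is enabled.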