Radius Authentication seems not work if MFA is not enabled on CAS 6.1.x, is that intended?

[Andy Ng]

Hi all,

In my quest to test out some CAS authentication, I stumble across Radius Authentication: https://apereo.github.io/cas/6.1.x/mfa/RADIUS-Authentication.html and want to try it out. I am using CAS 6.1.x

I used freeradius docker varience (https://hub.docker.com/r/freeradius/freeradius-server), and setup a very simple testing config with a single user (i.e. bob), 

/etc/raddb/mods-config/files/authorize

bob    Cleartext-Password := "hello"

/etc/raddb/clients.conf

client dockernet {

    ipaddr = 0.0.0.0/0

    secret = testing123

}

and configure CAS using:

cas.yml

cas.authn.radius:
  client.sharedSecret: testing123

  client.inetAddress: my.radius.server

build.gradle dependency:

compile "org.apereo.cas:cas-server-support-radius:${project.'cas.version'}"

But was greeted with the following error:

Error Log

2019-11-06 04:15:20,417 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated principal [bob] with attributes [{EAP-Message=[[Binary Data (length=22)]], Message-Authenticator=[[Binary Data (length=16)]], State=[[Binary Data (length=16)]]}] via credentials [[UsernamePasswordCredential(username=bob, source=null, customFields={})]].>

2019-11-06 04:15:20,423 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN

=============================================================

WHO: bob

WHAT: Supplied credentials: [UsernamePasswordCredential(username=bob, source=null, customFields={})]

ACTION: AUTHENTICATION_SUCCESS

APPLICATION: CAS

WHEN: Wed Nov 06 04:15:20 GMT 2019

CLIENT IP ADDRESS: 172.20.0.1

SERVER IP ADDRESS: 172.20.0.5

=============================================================

>

2019-11-06 04:15:20,434 ERROR [org.apereo.cas.adaptors.radius.web.flow.RadiusAccessChallengedMultifactorAuthenticationTrigger] - <No multifactor authentication providers are available in the application context>

2019-11-06 04:15:20,434 WARN [org.apereo.cas.web.flow.resolver.impl.DefaultCasDelegatingWebflowEventResolver] - <1 errors, 0 successes>

org.apereo.cas.authentication.AuthenticationException: 1 errors, 0 successes

Despite the Authentication success shown above, I was greeted with error related to MFA.

My question is follows:

- Is there any misconfiguration from me above? Seems unlikely since I did correctly see  AUTHENTICATION_SUCCESS and didn't setup MFA.

- If my config is OK, is this true that Radius Authentication needs MFA in order to work? Is that intended behavior?

- If no, then would need to look into why Radius Authentication is linked together with MFA inseparably. 

Thanks!

Cheers!

- Andy

[Colin Ryan]

I ran across this too. I had to add the gradle linkage for simple MFA to get around this.

compile "org.apereo.cas:cas-server-support-simple-mfa:${project.'cas.version'}"

Not sure why, but I did.

colin

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/da53899e-448f-44a8-a79a-9cb95bcffdcb%40apereo.org.

[Andy Ng]

Hi Colin

Thanks for the advice! It work after adding `cas:cas-server-support-simple-mfa`.

Pretty sure that is a bug lol, see if I can trace it down when free, thanks again.

Cheers!

- Andy

[irvan suryadi]

Hello sir,

About your problems, i think this time i have the same problem like this one.
And I need some help to resolve this problem.

May I get your cas.properties configuration specially about the "cas.authn.radius" authentication?

Thanks sir,

Irvan