enable risk-based Authentication

[wouldsmina]

Hello,

I'm trying to set up Risk-based Authentication (on CAS 6.5.9), but I can't figure out if it works or not (but I don't seem to). Following the documentation, I configure these modules in gradle :

          implementation "org.apereo.cas:cas-server-support-electrofence"
          implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis"
          implementation "org.apereo.cas:cas-server-support-events-redis"
          implementation "org.apereo.cas:cas-server-support-geolocation"
          implementation "org.apereo.cas:cas-server-support-geolocation-maxmind"
          implementation "org.apereo.cas:cas-server-core-events"

And in case.properties :

cas.maxmind.country-database=/usr/share/GeoIP/GeoIP.dat

cas.authn.adaptive.policy.require-timed-multifactor[0].provider-id=mfa-yubikey

cas.authn.mfa.trusted.crypto.encryption.key=...
cas.authn.mfa.trusted.crypto.signing.key=...
cas.authn.mfa.trusted.device-fingerprint.cookie.crypto.encryption.key=...
cas.authn.mfa.trusted.device-fingerprint.cookie.crypto.signing.key=...
cas.authn.mfa.trusted.redis.host=localhost
cas.authn.mfa.trusted.redis.port=6379
cas.authn.mfa.trusted.redis.database=0
cas.authn.mfa.trusted.redis.enabled=true
cas.events.redis.host=localhost
cas.events.redis.enabled=true
cas.events.redis.database=0

I connected from different IP and browser, without result. I also tried to force the mfa at certain times:

cas.authn.adaptive.policy.require-timed-multifactor[0].on-or-after-hour=20
cas.authn.adaptive.policy.require-timed-multifactor[0].on-or-before-hour=7

always the same.

Logs :

[2023-02-13 22:08:00] [info] =============================================================
[2023-02-13 22:08:00] [info] WHO: audit:unknown
[2023-02-13 22:08:00] [info] WHAT: {source=RankedMultifactorAuthenticationProviderWebflowEventResolver, event=success, timestamp=Mon Feb 13 22:08:00 CET 2023}
[2023-02-13 22:08:00] [info] ACTION: AUTHENTICATION_EVENT_TRIGGERED
[2023-02-13 22:08:00] [info] APPLICATION: CAS
[2023-02-13 22:08:00] [info] WHEN: Mon Feb 13 22:08:00 CET 2023
[2023-02-13 22:08:00] [info] CLIENT IP ADDRESS: ....
[2023-02-13 22:08:00] [info] SERVER IP ADDRESS: ....
[2023-02-13 22:08:00] [info] =============================================================

...

[2023-02-13 22:08:05] [info] #033[32m2023-02-13 22:08:05,636 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
[2023-02-13 22:08:05] [info] =============================================================
[2023-02-13 22:08:05] [info] WHO: usertest
[2023-02-13 22:08:05] [info] WHAT: [RememberMeUsernamePasswordCredential(super=UsernamePasswordCredential(username=usertest, source=null, customFields={}), rememberMe=false)]
[2023-02-13 22:08:05] [info] ACTION: AUTHENTICATION_SUCCESS
[2023-02-13 22:08:05] [info] APPLICATION: CAS
[2023-02-13 22:08:05] [info] WHEN: Mon Feb 13 22:08:05 CET 2023
[2023-02-13 22:08:05] [info] CLIENT IP ADDRESS: ....
[2023-02-13 22:08:05] [info] SERVER IP ADDRESS: ....
[2023-02-13 22:08:05] [info] =============================================================
[2023-02-13 22:08:05] [info] >#033[m
[2023-02-13 22:08:05] [info] #033[32m2023-02-13 22:08:05,712 INFO [org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
[2023-02-13 22:08:05] [info] =============================================================
[2023-02-13 22:08:05] [info] WHO: usertest
[2023-02-13 22:08:05] [info] WHAT: TGT-1-*****VbkzpcWGqI-cas
[2023-02-13 22:08:05] [info] ACTION: TICKET_GRANTING_TICKET_CREATED
[2023-02-13 22:08:05] [info] APPLICATION: CAS
[2023-02-13 22:08:05] [info] WHEN: Mon Feb 13 22:08:05 CET 2023
[2023-02-13 22:08:05] [info] CLIENT IP ADDRESS: ....
[2023-02-13 22:08:05] [info] SERVER IP ADDRESS: ....
[2023-02-13 22:08:05] [info] =============================================================

Can someone tell me if I forgot something?

Regards,

[wouldsmina]

Hello,

In addition, here is the documentation I used: https://apereo.github.io/cas/6.5.x/authentication/Configuring-RiskBased-Authentication.html

Is there more complete documentation?

Sorry if my request is unclear, I'm not very good at English.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/80949868-dd80-4213-a0bb-9c9cebd02bc5n%40apereo.org.

[David Malia]

https://apereo.github.io/cas/6.5.x/authentication/Configuring-Authentication-Events.html

I don't see a 'redis' option for storing the CAS Events.  You might try a storage mechanism listed there.

Thanks,

David Malia

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNaG57CPqbjCTu_hyV%2BkWDTQwZuNe0L4y4esHYg5%2BVHHQQ%40mail.gmail.com.

[wouldsmina]

I set "implementation "org.apereo.cas:cas-server-support-events-redis"" and :

cas.events.redis.host=localhost
cas.events.redis.enabled=true
cas.events.redis.database=0

did i forget another option ?

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAL3JkE%2BYS42qpx3GKtQ-Q1JeE06hEqF_1_zWvW%2BV04shRTmRVQ%40mail.gmail.com.

[David Malia]

Weird, when I looked at it yesterday, I didn't see redis, though I see it now.

You might try setting all 12 of the required parameters.  7 of them don't have default values.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNZSrDvJjQRV210YgBaR%3DvXBG3%2BwV6tDMs81QJADb04%3Duw%40mail.gmail.com.

[wouldsmina]

I thought some settings were only needed if I had a redis cluster. However, I have events that are stored in redis.

I will try to use influxdb storage (more simple).

Thank you.

You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/9c023dq7rVU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAL3JkELjbWAB3WaU-h7ACfcvTHZYjLX7gR1aU2A_1-y%2B1J7zMg%40mail.gmail.com.

[wouldsmina]

Hi David,

I replaced redis with influxdb for the events, but the problem remains the same.

I note that information is missing in the event data: no geolocation, browser user agent or result.

 I have reviewed all the documentation about this and I believe I have set all the required options. If you have other leads, I'm all the same taker.

Regards.

[David Malia]

Have you enabled one at least one of the things to check?  GeoLocation data would be null until it is enabled.  Also, private IPs wouldn't have a geolocation to lookup.

User-Agent depends on whether or not the client doing the sign in sets the user-agent header during the request.  We are doing some evaluation of this feature ourselves.

I have the following properties set.  They may or may not be what you want to set.  

cas.events.enabled=true

cas.events.core.track-geolocation=true

cas.authn.adaptive.risk.threshold=.6
cas.authn.adaptive.risk.daysInRecentHistory=30
cas.authn.adaptive.risk.ip.enabled=true
cas.authn.adaptive.risk.agent.enabled=true
cas.authn.adaptive.risk.geoLocation.enabled=true
cas.authn.adaptive.risk.dateTime.enabled=true
# cas.authn.adaptive.risk.dateTime.windowInHours=2
cas.authn.adaptive.risk.response.blockAttempt=true

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAH2NqNYzFfVofFyAQCHuDUOkxRv46Tb6zNM3z1%3D78iu3XtUBvQ%40mail.gmail.com.

[wouldsmina]

I go through public IPs, I replaced the IPs to remain confidential. I had already configured these:

cas.events.core.enabled=true

cas.events.core.track-geolocation=true

I couldn't find any documentation for cas.authn.adaptive.risk. I added them, but it doesn't change anything.

I fear having to resign myself to abandoning this project, yet it would have been very useful.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAL3JkE%2BVZ2vmyQuRtmzmc8DxYYqMqtnjPN%3DDmU%3D-pn413cbYvA%40mail.gmail.com.

[Ray Bon]

You may be able to find some info on https://fawnoos.com/blog/

Ray

On Tue, 2023-02-28 at 11:25 +0100, wouldsmina wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

I go through public IPs, I replaced the IPs to remain confidential. I had already configured these:

cas.events.core.enabled=true

cas.events.core.track-geolocation=true

I couldn't find any documentation for cas.authn.adaptive.risk. I added them, but it doesn't change anything.

I fear having to resign myself to abandoning this project, yet it would have been very useful.

Le lun. 27 févr. 2023 à 18:31, David Malia <dma...@gmail.com> a écrit :

Have you enabled one at least one of the things to check?  GeoLocation data would be null until it is enabled.  Also, private IPs wouldn't have a geolocation to lookup.

User-Agent depends on whether or not the client doing the sign in sets the user-agent header during the request.  We are doing some evaluation of this feature ourselves.

I have the following properties set.  They may or may not be what you want to set.  

cas.events.enabled=true

cas.events.core.track-geolocation=true

cas.authn.adaptive.risk.threshold=.6
cas.authn.adaptive.risk.daysInRecentHistory=30
cas.authn.adaptive.risk.ip.enabled=true
cas.authn.adaptive.risk.agent.enabled=true
cas.authn.adaptive.risk.geoLocation.enabled=true
cas.authn.adaptive.risk.dateTime.enabled=true
# cas.authn.adaptive.risk.dateTime.windowInHours=2
cas.authn.adaptive.risk.response.blockAttempt=true

On Mon, Feb 27, 2023 at 9:11 AM wouldsmina <would...@gmail.com> wrote:

Hi David,

I replaced redis with influxdb for the events, but the problem remains the same.

I note that information is missing in the event data: no geolocation, browser user agent or result.

 I have reviewed all the documentation about this and I believe I have set all the required options.If you have other leads, I'm all the same taker.

Regards.

Hello,

I'm trying to set up Risk-based Authentication (on CAS 6.5.9), but I can't figure out if it works or not (but I don't seem to).Following the documentation, I configure these modules in gradle :

          implementation "org.apereo.cas:cas-server-support-electrofence"
          implementation "org.apereo.cas:cas-server-support-trusted-mfa-redis"
          implementation "org.apereo.cas:cas-server-support-events-redis"
          implementation "org.apereo.cas:cas-server-support-geolocation"
          implementation "org.apereo.cas:cas-server-support-geolocation-maxmind"
          implementation "org.apereo.cas:cas-server-core-events"

And in case.properties :

cas.maxmind.country-database=/usr/share/GeoIP/GeoIP.dat

cas.authn.adaptive.policy.require-timed-multifactor[0].provider-id=mfa-yubikey

cas.authn.mfa.trusted.crypto.encryption.key=...
cas.authn.mfa.trusted.crypto.signing.key=...
cas.authn.mfa.trusted.device-fingerprint.cookie.crypto.encryption.key=...
cas.authn.mfa.trusted.device-fingerprint.cookie.crypto.signing.key=...
cas.authn.mfa.trusted.redis.host=localhost
cas.authn.mfa.trusted.redis.port=6379
cas.authn.mfa.trusted.redis.database=0
cas.authn.mfa.trusted.redis.enabled=true
cas.events.redis.host=localhost
cas.events.redis.enabled=true
cas.events.redis.database=0

I connected from different IP and browser, without result.I also tried to force the mfa at certain times:

[wouldsmina]

I know this blog well and it has helped me many times. Unfortunately, there is nothing about risk-based authentication and geolocation is only for version 5.

To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/7a0c65856f4e15475a5bafa7ea1c0df76f06eb06.camel%40uvic.ca.