Hello,
I am trying to set up RADIUS MFA. Primary authentication (via LDAP) works fine, but while debugging the second factor we're finding that the User-Name attribute in the Access-Request is "RadiusTokenAuthenticationHandler" instead of the logged-in username.
My config looks like this:
cas.authn.mfa.radius.failoverOnAuthenticationFailure=false
cas.authn.mfa.radius.failoverOnException=false
cas.authn.mfa.radius.client.socketTimeout=3
cas.authn.mfa.radius.client.sharedSecret=supersecret
cas.authn.mfa.radius.client.authenticationPort=1812
cas.authn.mfa.radius.client.accountingPort=1813
cas.authn.mfa.radius.client.inetAddress=x.x.x.x
cas.authn.mfa.radius.server.retries=3
cas.authn.mfa.radius.server.protocol=PAP
cas.authn.mfa.radius.server.nasIpAddress=x.x.x.x
We are pretty sure that the policies on the radius server are set up correctly, but don't know how to do anything with the user "RadiusTokenAuthenticationHandler".
Is there a way that we can turn on better logging (not sure which classes hold what we need) or can we somehow specify what attribute the MFA class should use for the AccountName?
Sorry this is kind of vague -- I'm hoping the above will help you help me formulate better questions. :)
Thanks,
Tim
OK, I've been poking at this more, and it looks like I misunderstood the flow, which is not surprising to me. :)
Apparently what we're seeing is the "ping" that is being done in RadiusTokenAuthenticationHandler.canPing(). The code explicitly sends the classname as its username and password, so the behavior I reported previously is "correct".
What we're trying to do is to use Microsoft's Azure MFA (since we are rolling that out for our O365, etc.) via Radius. We've got the local Radius bits all set up and tested via other means.
So, I think I'm into new issue for feature-request territory, yes? I just wanted to post the follow-up in case others were looking at this same thing. I'll take a look at the contribution guide and get something started.
Thanks,
Tim
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines:
https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
cas-user+u...@apereo.org.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/C653A7A6-BE35-4166-BFB8-DB7BD4E749FD%40wwu.edu.
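Added example for the debugging situation described in the two messages above; this is not code from the thread, from CAS or from any RADIUS library. It builds and decodes a minimal RADIUS Access-Request (RFC 2865), reveals the PAP-hidden User-Password when the shared secret is known, and flags the CAS connectivity probe, which (as noted above) carries the class name as both User-Name and User-Password. The shared secret is the one from the posted config; the NAS address 10.0.0.5, the user "tim", the OTP value and the fixed request authenticator are constructed for the demo (real clients use a random 16-byte authenticator per request).

```python
import hashlib
import socket
import struct

# Constructed example: a minimal RFC 2865 Access-Request encoder/decoder used to
# check what User-Name a RADIUS server actually receives from CAS.

ACCESS_REQUEST = 1            # RADIUS Code for Access-Request
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20               # code(1) + identifier(1) + length(2) + authenticator(16)

# Username the thread says RadiusTokenAuthenticationHandler.canPing() sends
# (the class name is used as both username and password).
PING_USER_NAME = "RadiusTokenAuthenticationHandler"


def _pad16(data: bytes) -> bytes:
    """Pad to a multiple of 16 bytes, at least one block (RFC 2865 section 5.2)."""
    padded = data + b"\x00" * ((-len(data)) % 16)
    return padded or b"\x00" * 16


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP User-Password: c_i = p_i XOR MD5(secret + c_{i-1}), c_0 = authenticator."""
    padded = _pad16(password)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; needs the shared secret and the request authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(username: str, password: str, secret: bytes,
                         nas_ip: str, identifier: int, authenticator: bytes) -> bytes:
    """Serialise an Access-Request carrying User-Name, User-Password and NAS-IP-Address."""
    uname = username.encode()
    hidden = pap_hide(password.encode(), secret, authenticator)
    attrs = bytes([ATTR_USER_NAME, 2 + len(uname)]) + uname
    attrs += bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden
    attrs += bytes([ATTR_NAS_IP_ADDRESS, 6]) + socket.inet_aton(nas_ip)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet: bytes) -> dict:
    """Decode the header and TLV attributes; rejects malformed lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code != ACCESS_REQUEST:
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, packet[pos + 2:pos + alen])  # keep first occurrence
        pos += alen
    return {"identifier": identifier, "authenticator": packet[4:HEADER_LEN], "attrs": attrs}


def classify_request(packet: bytes, secret: bytes) -> dict:
    """Tell the CAS connectivity probe apart from a real second-factor request."""
    req = parse_access_request(packet)
    user = req["attrs"].get(ATTR_USER_NAME, b"").decode(errors="replace")
    hidden = req["attrs"].get(ATTR_USER_PASSWORD, b"")
    password = pap_reveal(hidden, secret, req["authenticator"]).decode(errors="replace")
    nas = req["attrs"].get(ATTR_NAS_IP_ADDRESS)
    return {
        "user_name": user,
        "nas_ip": socket.inet_ntoa(nas) if nas and len(nas) == 4 else None,
        "is_ping": user == PING_USER_NAME and password == PING_USER_NAME,
    }


if __name__ == "__main__":
    secret = b"supersecret"          # value from the config posted in the thread
    auth = bytes(range(16))          # constructed authenticator; real clients use random bytes
    ping = build_access_request(PING_USER_NAME, PING_USER_NAME, secret, "10.0.0.5", 1, auth)
    real = build_access_request("tim", "otp-123456", secret, "10.0.0.5", 2, auth)
    for pkt in (ping, real):
        print(classify_request(pkt, secret))
```

Run against a packet captured on the RADIUS server (for example the UDP payload exported from a capture), `classify_request` shows whether a request with the class-name User-Name is the probe or a real authentication attempt; if `is_ping` is false for such a packet, the second factor really is being sent with the wrong username. The PAP reveal only works with the correct shared secret, which is also why a wrong `sharedSecret` shows up as garbage passwords on the server side rather than as a clean error.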
Very good.
As an alternative, you might also find this useful:
https://apereo.github.io/cas/development/installation/MicrosoftAzure-Authentication.html
--Misagh
You might be my favorite person on the planet at this point.
Thanks for the pointer, I'll take a look!
Tim