MFA RADIUS


livio dezorzi

Jun 12, 2026, 7:25:47 AM
to CAS Community
Hi,
After successfully implementing mfa-simple, I also successfully implemented mfa-radius.
However, I have two issues regarding their use:
1. After authentication, it prompts me to enter my RSA code, but the entry page is very basic. Is it possible to customize it like mfa-simple, with a short explanatory message?
2. In a JSON-formatted application, I want to offer the appropriate MFA if the user is a member of a multi-evaluated group containing the mfa-simple value, and vice versa with mfa-radius.
How can I configure my application?
Thank you for your ideas.
Regards

livio dezorzi

Jun 12, 2026, 10:44:48 AM
to CAS Community
Hi,
For your information, I've made progress on the topic of MFA Triggers using a Groovy script as follows:
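```
import java.util.*

def run(final Object... args) {
    // Unpack the script arguments
    def (authentication,registeredService,httpRequest,service,applicationContext,logger) = args
    logger.debug("Determine mfa provider for ${registeredService.name} and ${authentication.principal.id}")
    // GROUP is the released LDAP attribute holding the user's groups
    def groups = authentication.principal.attributes['GROUP'] as List
    logger.info('Groupes trouves : {}', groups)

    if (groups != null) {
        // toString().contains() is a substring match over the printed list,
        // so any value that merely contains the provider id also matches.
        // mfa-radius is checked first and wins if both ids are present.
        if (groups.toString().contains('mfa-radius')) {
            logger.info('=> Selection stricte de : mfa-radius')
            return 'mfa-radius'
        }
        if (groups.toString().contains('mfa-simple')) {
            logger.info('=> Selection stricte de : mfa-simple')
            return 'mfa-simple'
        }
    }
    // No MFA group found: returning null selects no provider
    logger.warn('=> Aucun groupe MFA trouve.')
    return null
}
```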

`GROUP` being the released LDAP attribute, and in the JSON file, I use

```
    "multifactorPolicy": {
        "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
        "script": "file:///etc/cas/config/mfa-adaptatif.groovy"
    }
```

Now, a little customization of the MFA Radius page and everything will be perfect ;)
Regards
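Added example, not part of the original post or of CAS itself: the script above tests `groups.toString().contains(...)`, which is a substring match, so this Groovy block makes the same provider choice with exact group-name matching. The helper names `groupNames` and `selectProvider`, the DN-style sample values and the case-insensitive comparison are assumptions.

```groovy
import javax.naming.InvalidNameException
import javax.naming.ldap.LdapName

/** Normalise raw GROUP attribute values to lower-case group names (hypothetical helper). */
List<String> groupNames(Object raw) {
    // The attribute is usually a List, but a single value may arrive as a String.
    def values = raw == null ? [] : (raw instanceof Collection ? raw : [raw])
    values.collect { v ->
        def s = v.toString().trim()
        def name = s
        try {
            // Assumed DN form, e.g. "CN=mfa-radius,OU=Groups,DC=example,DC=org":
            // keep only the leftmost RDN value (LdapName indexes from the right).
            def dn = new LdapName(s)
            if (dn.size() > 0) {
                name = dn.getRdn(dn.size() - 1).value.toString()
            }
        } catch (InvalidNameException ignored) {
            // Plain group name, not a DN: use it unchanged.
        }
        name.toLowerCase(Locale.ROOT)
    }
}

/** Provider id for the first exact group match, or null when no MFA group is present. */
String selectProvider(Object rawGroups) {
    def names = groupNames(rawGroups)
    // Same priority as the posted script: mfa-radius is checked before mfa-simple.
    ['mfa-radius', 'mfa-simple'].find { it in names }
}

// Constructed sample values, not taken from the thread.
assert selectProvider(['staff', 'mfa-simple']) == 'mfa-simple'
assert selectProvider(['CN=mfa-radius,OU=Groups,DC=example,DC=org']) == 'mfa-radius'
assert selectProvider('mfa-radius') == 'mfa-radius'   // single value, not a List
// A substring test would return mfa-radius for the next two inputs.
assert selectProvider(['no-mfa-radius', 'mfa-simple']) == 'mfa-simple'
assert selectProvider(['CN=staff,OU=mfa-radius-pilot,DC=example,DC=org']) == null
assert selectProvider(null) == null
```

Inside the posted `run` method the two `contains` checks would become a single `return selectProvider(authentication.principal.attributes['GROUP'])`.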

livio dezorzi

Jun 15, 2026, 9:05:31 AM
to CAS Community
Hi,

The only difference between the two MFAs in browser debug mode is the display of the "banner banner-info alert alert-info my-2" class as an attachment for mfa-simple, which is not displayed on mfa-radius.
I cannot find who is calling this class.
Has anyone already implemented mfa-radius and found a solution to customize the OTP code entry page?

Regards

livio dezorzi

Jun 20, 2026, 2:37:11 PM
to CAS Community
Hi,
I found the solution by extracting cas-server-support-thymeleaf and customizing the casRadiusLoginView.html file containing the error message handling.
Regards