Radius -MFA in cas 6.6.8

[Vikash Chandra Ansh]

Hi Everyone,

We are trying to implement radius MFA in CAS. In our case our primary authentication will be LDAP and then for MFA we need RSA.

I have also added dependency as cas-server-support-radius-mfa.

I have added the required properties like client.inet-address and shared-secert.

But still I can not see any hit on the radius server. 

Can anyone please help here.

Cas version I am using is 6.6.8.

Thanks and regards

Vikash Chandra 

[Ray Bon]

Vikash,

Is it possible there is a network issue?

Ray

On Tue, 2023-08-08 at 17:20 +0530, Vikash Chandra Ansh wrote:

Notice: This message was sent from outside the University of Victoria email system. Please be cautious with links and sensitive information.

[Vikash Chandra Ansh]

Hi Ray,

We have NW change in place. There is UDP connectivity from my cas server to radius server(unidirectional ) on port 1812 and 1813 .

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/ebab25780f77a0697d2191e2fc4e466d00d59f56.camel%40uvic.ca.

[Vikash Chandra Ansh]

Hi Ray,

Could you please suggest what all properties need to be enabled to use Radius as 2FA. My primary authentication will be LDAP

Thanks and Regards

Vikash Chandra 

[Ray Bon]

Vikash,

I have these ldap properties for cas authentication:

cas.authn.ldap[0].type=

cas.authn.ldap[0].ldapUrl=

cas.authn.ldap[0].connectTimeout=

cas.authn.ldap[0].baseDn=

cas.authn.ldap[0].subtreeSearch=

cas.authn.ldap[0].searchFilter=

cas.authn.ldap[0].bindDn=cn=

cas.authn.ldap[0].bindCredential=

I have not used Radius, so unfamiliar with it config. https://apereo.github.io/cas/6.6.x/mfa/RADIUS-Authentication.html

Ray

[Vikash Chandra Ansh]

Thanks Ray 

My LDAP authentication is working fine . On top of it I want Radius as 2FA, where I am struggling.

Anybody please help here

Thanks and regards

Vikash Chandra 

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/42932cfeeb2c1bfac9ca42c058f6017b46ab6196.camel%40uvic.ca.

[Petr Bodnár]

Vikash,

as you haven't provided much details (e.g. what you actually see in the CAS UI and in CAS logs), I can only guess that maybe, you just only haven't activated the Radius MFA provider for example via the "cas.authn.mfa.triggers.global.global-provider-id" property - see https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-Global.html as one of the available MFA triggers.

Petr

[Vikash Chandra Ansh]

Hi Peter and Ray,

Thanks for your input. I have added the global trigger and set the value as mfa-radius.

Now I am getting type mismatch error.

Please find the logs below:-

Ignoring the received exception (org.springframework.web.util.NestedServletException:

Handler dispatch falled; nested exception is java.lang.NoClassDeffoundError: org/bouncycastle/asn1/DEROjectidentifier) due to type mismatch with handler [[

FlowHandlerMapping.DefaultFlowHandler@3b873134]]>

3823-03-31 13:40:47,365 ERROR [org.springframework.boot.web.servlet.support.ErrorPaegfilter] Forwarding to error page free request [/login) due to exception [org/bouncycastle/asn1/DERObjectIdentifier

Thanks and regards

Vikash

[Vikash Chandra Ansh]

Hi All ,

One more.observation is that, I am getting authentication success and few multifactor authentication bypass logs in server. However I haven't added any bypass mechanism

Please someone help here.

Thanks & Regards

Vikash Chandra 

[Vikash Chandra Ansh]

Hi All,

Please help here . Still the issue is not resolved yet

[Vikash Chandra Ansh]

Thanks, I'll check it out. 

On Thu, Aug 24, 2023, 8:00 PM Petr Bodnár <p.bo...@centrum.cz> wrote:

Hi Vikash,

a) regarding the NoClassDefFoundError , can you please try to add the following dependency to your Gradle (or do you use Maven?) project configuration and see if its helps?

https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on/1.63

That's the library that should contain the missing DERObjectIdentifier class. According to the contents of https://github.com/apereo/cas/blob/v6.6.8/support/cas-server-support-radius-mfa/build.gradle, it seems this library is added to the project, but only conditionally, so maybe that's the reason this information doesn't seem to get projected to the final artifact, i.e. you won't find the bcprov library listed e.g. on https://mvnrepository.com/artifact/org.apereo.cas/cas-server-support-radius-mfa/6.6.10.

b) Regarding the bypasses, I have no clue. I can only recommend checking the logs (with possibly increasing log level to DEBUG) and diff the configuration files against the CAS overlay template...

Petr

[Petr Bodnár]

Hi Vikash,

a) regarding the NoClassDefFoundError , can you please try to add the following dependency to your Gradle (or do you use Maven?) project configuration and see if its helps?

https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on/1.63

That's the library that should contain the missing DERObjectIdentifier class. According to the contents of https://github.com/apereo/cas/blob/v6.6.8/support/cas-server-support-radius-mfa/build.gradle, it seems this library is added to the project, but only conditionally, so maybe that's the reason this information doesn't seem to get projected to the final artifact, i.e. you won't find the bcprov library listed e.g. on https://mvnrepository.com/artifact/org.apereo.cas/cas-server-support-radius-mfa/6.6.10.

b) Regarding the bypasses, I have no clue. I can only recommend checking the logs (with possibly increasing log level to DEBUG) and diff the configuration files against the CAS overlay template...

Petr

On Tuesday, 22 August 2023 at 10:48:53 UTC+2 vikasha...@gmail.com wrote:

[Vikash Chandra Ansh]

Hi All, 

I have digged down the flow for Radius token MFA.

It is referring to a class RadiusMultifactorProvider where canPing() method is called. Which further calls the RadiusServer.java where authenticate method(CasRadiusResponse) is called. This method is now validating username and password against the radius server. Due to this reason only I am getting null flow execution.

Can someone suggest why this is happening as my authentication has already been successful via LDAP authentication handler. It should now go to radius token page for token check and validation.

Hi Misagh, please suggest if my understanding is valid or not

I just want the flow where authentication is done by LDAP and 2FA with Radius. Please help here 

Thanks and regards

Vikash Chandra 

[Vikash Chandra Ansh]

Thanks for the clarification Peter.

So you are saying that the username and password in canPing method radius server's inet address and shared secret respectively.

On Wed, Aug 30, 2023, 1:15 AM Petr Bodnár <p.bo...@centrum.cz> wrote:

Hi Vikash,

I'm a bit confused now - because what you describe about pinging a Radius server seems to be just fine: you can see in the source code of RadiusMultifactorAuthenticationProvider (here) that the pinging method does send a testing username and password (i.e. not the ones from the login form) and it only fails when one of TimeoutException or SocketTimeoutException is thrown from all the setup Radius servers.

So maybe your Radius server (host and/or port) is just not accessible from your CAS server? You hint above that you are using the default "cas.authn.mfa.radius.client.transport-type=UDP" and you have the appropriate UDP ports open - can you confirm this e.g. by using one of the tools listed at https://www.baeldung.com/linux/udp-port-testing?

BTW I take your message as a confirmation that adding the bcprov library to your CAS instance explicitly did help and you are solving another problem within the flow now. Feel free to correct me.

Regards

Petr

[Petr Bodnár]

Not quite like that. From the linked source code (I haven't checked it live), its looks like "RadiusMultifactorAuthenticationProvider" (name of the class) is sent as both, username and password via the canPing method.

[Petr Bodnár]

Hi Vikash,

I'm a bit confused now - because what you describe about pinging a Radius server seems to be just fine: you can see in the source code of RadiusMultifactorAuthenticationProvider (here) that the pinging method does send a testing username and password (i.e. not the ones from the login form) and it only fails when one of TimeoutException or SocketTimeoutException is thrown from all the setup Radius servers.

So maybe your Radius server (host and/or port) is just not accessible from your CAS server? You hint above that you are using the default "cas.authn.mfa.radius.client.transport-type=UDP" and you have the appropriate UDP ports open - can you confirm this e.g. by using one of the tools listed at https://www.baeldung.com/linux/udp-port-testing?

BTW I take your message as a confirmation that adding the bcprov library to your CAS instance explicitly did help and you are solving another problem within the flow now. Feel free to correct me.

Regards

Petr

On Tuesday, 29 August 2023 at 11:20:59 UTC+2 vikasha...@gmail.com wrote:

[Vikash Chandra Ansh]

Hi All,

I have checked everything from my end. But still no luck.

Misagh could.you please share your thoughts. It will be quite helpful

Thanks and regards

Vikash Chandra 

On Wed, Aug 30, 2023, 2:37 AM Vikash Chandra Ansh <vikasha...@gmail.com> wrote:

It's Network team

On Wed, Aug 30, 2023, 2:03 AM <p.bo...@centrum.cz> wrote:

Hi there,

 

what does "NW" stand for?

 

According to https://serverfault.com/questions/35218/in-windows-using-the-command-line-how-do-you-check-if-a-remote-port-is-open, they recommend either to use Portqry (download from https://www.microsoft.com/en-us/download/details.aspx?id=17148&6B49FDFB-8E5B-4B07-BC31-15695C5A2143=1, or there is also an UI version) or "a port of netcat" (download probably from https://eternallybored.org/misc/netcat/ and notice the remark about antiviruses...). I would probably go with the Portqry.

 

I don't use these tools myself (commonly testing just TCP connections), so thanks in advance to let me know about the results... :)

 

Petr

 

______________________________________________________________
> Od: "Vikash Chandra Ansh" <vikasha...@gmail.com>
> Komu: "Petr Bodnár" <p.bo...@centrum.cz>
> Datum: 29.08.2023 22:05
> Předmět: Re: [cas-user] Radius -MFA in cas 6.6.8
>

Hi Peter,

Yes transport type is UPD in our case. But however I was not able to test UDP ports on my Windows machine. I have asked my NW team, and they have confirmed that 1812 and 1813 has been enabled at destination end for my machine.

Is there any way to test in windows machine

[Vikash Chandra Ansh]

Hi All,

I am able to connect RSA and get myself authenticated. The issue was with bouncycastle jar. I have added the dependency explicitly and removed the old version manually to resolve the issue.

Hi Peter 

Could you suggest how we can add multiple inet address for RSA .

Like how the property needs to be configured

Thanks and regards

Vikash Chandra

[p.bo...@centrum.cz]

Hi Vikash,

 

congrats to making it finally work.

 

Regarding what you write about the bouncycastle.jar, this is an interesting "plot twist", because I wouldn't expect this library would relate to the connection issues you've reported lastly. Also, as I described before, I wouldn't even expect any bouncycastle.jar (bcprov.jar) be present in the cas.war, unless explicitly specified. But yeah, one always doesn't hit the target... ;)

 

> Could you suggest how we can add multiple inet address for RSA (edit: you surely mean RADIUS here).

>

> Like how the property needs to be configured

This doesn't seem to be currently possible - you can define just one address for RADIUS. If you need multiple addresses, you would have to override the bean method public BeanContainer<RadiusServer> radiusTokenServers from the RadiusTokenAuthenticationEventExecutionPlanConfiguration class - in its source code, you can see, based on the documented CAS / RADIUS properties, it creates (logically) just one RadiusServer instance and puts it to the resulting list.

Regards

Petr

______________________________________________________________
> Od: "Vikash Chandra Ansh" <vikasha...@gmail.com>

> Komu: "Petr Bodnár" <p.bo...@centrum.cz>, "CAS Community" <cas-...@apereo.org>
> Datum: 13.09.2023 11:16

You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/YfgtoCi4Erk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CA%2BdrvxgJ5h5KY0KE%2BwQ0%2BrnTwSY3M06wAGtUPPu4tnp0%2BkA5GA%40mail.gmail.com.

 

[Vikash Chandra Ansh]

Thanks Peter

I will check this out

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/20230913121336.FF0CC15C%40centrum.cz.