Hello,
I am struggling with configuring RADIUS without MFA as an auth handler. I don't know if it is possible, but I am working on it without a positive result yet and I am close to giving up.
CAS version: 6.4.62
cas.properties:
#RADIUS
cas.authn.radius.server.nas-port-id=-1
cas.authn.radius.server.nas-real-port=-1
cas.authn.radius.server.protocol=EAP_MSCHAPv2
cas.authn.radius.server.retries=3
cas.authn.radius.server.nas-port-type=-1
cas.authn.radius.server.nas-port=-1
cas.authn.radius.server.nas-ip-address=
cas.authn.radius.server.nas-ipv6-address=
cas.authn.radius.server.nas-identifier=-1
cas.authn.radius.client.authentication-port=1812
cas.authn.radius.client.shared-secret=xxxxxxxxx
cas.authn.radius.client.socket-timeout=0
cas.authn.radius.client.inet-address=IP Radius server
cas.authn.radius.client.accounting-port=1813
cas.authn.radius.name=Radius
cas.authn.radius.failover-on-exception=false
cas.authn.radius.failover-on-authentication-failure=false
log:
2022-04-06 14:43:28,134 DEBUG [org.apereo.cas.adaptors.radius.server.AbstractRadiusServer] - <RADIUS access request prepared as [Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := kowalski@xx
User-Password := [Encrypted String]
Client-IP-Address := IPhost_from_i_tested_it
NAS-Identifier := -1
]>
2022-04-06 14:43:28,199 DEBUG [org.apereo.cas.adaptors.radius.server.AbstractRadiusServer] - <RADIUS response from [radius.xx]: [net.jradius.packet.AccessChallenge] as [Class: class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=6)]
Message-Authenticator = [Binary Data (length=16)]
State = [Binary Data (length=16)]
]>
2022-04-06 14:43:28,199 DEBUG [org.apereo.cas.adaptors.radius.server.AbstractRadiusServer] - <Radius response code [11] accepted with attributes [[EAP-Message = [Binary Data (length=6)], Message-Authenticator = [Binary Data (length=16)], State = [Binary Data (length=16)]]] and identifier [2]>
2022-04-06 14:43:28,201 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationManager] - <Authentication handler [Radius] successfully authenticated [UsernamePasswordCredential(username=kowalski@xx, source=null, customFields={})]>
Problem: kowalski is able to log in to CAS with a wrong password.
I have tested the RADIUS connection from the CAS server with the eapol_test tool with these settings:
I received code 2 from RADIUS, so it is OK.
TEST positive with code 11
./eapol_test -c file.conf -a IP_radius_serwer -s xxxxxxxx
network={
ssid="example"
key_mgmt=WPA-EAP
eap=PEAP
identity="kowalski@xx"
anonymous_identity="@xx"
password="xxxx"
phase2="auth=MSCHAPV2"
}
RADIUS codes:
Assigned RADIUS Codes (decimal) include the following:[8]
Code | Assignment
-----|--------------------
1    | Access-Request
2    | Access-Accept
3    | Access-Reject
4    | Accounting-Request
5    | Accounting-Response
11   | Access-Challenge
Q2: Is it possible to use the Radius handler to authenticate a user via RADIUS without MFA?
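As an added example (not code from the original post, from CAS or from jRadius), the following script shows the checks a RADIUS client is expected to apply to a server reply before it calls the login successful: it parses the RFC 2865 header and attributes, verifies the Response Authenticator (RFC 2865) and the Message-Authenticator attribute (RFC 3579) against the shared secret and the original Request Authenticator, and maps only Access-Accept (code 2) to success. Access-Challenge (code 11, the reply shown in the debug log above) is reported as an unfinished exchange that needs another round trip, never as an authenticated user. The shared secret, request authenticator, State value and the 6-byte EAP-Message payload are all constructed placeholders, and the identifier 2 is simply the one from the log.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865); the same table as quoted in the post.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE, ACCESS_CHALLENGE = 4, 5, 11
# Attribute types that appear in the CAS debug log.
ATTR_USER_NAME, ATTR_STATE, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 24, 79, 80
HEADER_LEN = 20


def parse_radius(packet: bytes):
    """Parse the RFC 2865 header and attribute TLVs into
    (code, identifier, authenticator, [(type, value), ...]); ValueError on malformed input."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field outside packet")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:HEADER_LEN], attrs


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_response(code, ident, request_auth, attrs, secret):
    """Build a reply the way a conforming server would (used here only to construct test data)."""
    # Message-Authenticator (RFC 3579 s3.2) is an HMAC-MD5 over the packet with
    # its own value zeroed and the Request Authenticator in the authenticator field.
    attrs = list(attrs) + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    attrs[-1] = (ATTR_MESSAGE_AUTHENTICATOR, mac)
    body = encode_attrs(attrs)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 s3).
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, request_ident, secret):
    """Reject replies that do not match our request or were not built with our shared secret."""
    code, ident, resp_auth, attrs = parse_radius(packet)
    if ident != request_ident:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    body = packet[HEADER_LEN:length]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(resp_auth, expected):
        return False
    macs = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False  # replies carrying EAP-Message must have exactly one Message-Authenticator
    zeroed = encode_attrs([(t, bytes(16) if t == ATTR_MESSAGE_AUTHENTICATOR else v) for t, v in attrs])
    expected_mac = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(macs[0], expected_mac)


def decide(packet, request_auth, request_ident, secret):
    """Map a reply to ACCEPTED / REJECTED / CHALLENGE / INVALID. Only Access-Accept (2)
    means the user authenticated; Access-Challenge (11) means the server wants another
    round trip (the next EAP leg), so the client must continue or fail, never report success."""
    try:
        if not verify_response(packet, request_auth, request_ident, secret):
            return "INVALID"
    except ValueError:
        return "INVALID"
    return {ACCESS_ACCEPT: "ACCEPTED", ACCESS_REJECT: "REJECTED",
            ACCESS_CHALLENGE: "CHALLENGE"}.get(packet[0], "INVALID")


# Constructed sample exchange (not captured traffic): identifier 2 as in the log,
# a fixed stand-in for the random Request Authenticator, and a made-up secret.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
REQUEST_ID = 2
CHALLENGE = build_response(ACCESS_CHALLENGE, REQUEST_ID, REQUEST_AUTH,
                           [(ATTR_EAP_MESSAGE, b"\x01\x02\x00\x06\x19\x20"),  # 6-byte placeholder EAP frame
                            (ATTR_STATE, bytes.fromhex("00112233445566778899aabbccddeeff"))], SECRET)
ACCEPT = build_response(ACCESS_ACCEPT, REQUEST_ID, REQUEST_AUTH,
                        [(ATTR_USER_NAME, b"kowalski@xx")], SECRET)

if __name__ == "__main__":
    print("Access-Challenge ->", decide(CHALLENGE, REQUEST_AUTH, REQUEST_ID, SECRET))
    print("Access-Accept    ->", decide(ACCEPT, REQUEST_AUTH, REQUEST_ID, SECRET))
```

Run stand-alone it prints `CHALLENGE` for the code 11 reply and `ACCEPTED` for the code 2 reply. The point for the configuration in the post is the last mapping: a client that logs an Access-Challenge as "accepted" and completes the login has skipped the remaining EAP round trips, which is where the password is actually checked in PEAP/EAP-MSCHAPv2, so a wrong password is never rejected.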