Integration CAS Server with FreeRadius Server (Versions - CAS `6.3.x` - JDK `11`)


irvan suryadi

Nov 29, 2020, 1:40:20 PM
to CAS Community
Hello all,

Regarding the development of the CAS system using the Freeradius authenticator: I've added some configuration based on directions from the documentation on the Apereo CAS website.

However, after I did this configuration, my freeradius server is still not responding to an authentication request from my CAS server.

Are there any other configurations required for these two servers to communicate with each other? Or did I do something wrong in this configuration?

Regards,
Irvan

------------------------------------------------------------------------------------------------------------------

The following is my server configuration :

# Versions

- CAS `6.3.x`
- JDK `11`

#The CAS Server :

#cas.properties file :

cas.serviceRegistry.json.location: file:/etc/cas/services

cas.authn.accept.enabled=false
server.port = 8443

cas.authn.policy.required-handler-authentication-policy-enabled=true

cas.authn.policy.req.try-all=false
cas.authn.policy.req.handler-name=Radius
cas.authn.policy.req.enabled=true

cas.authn.radius.name=Radius
cas.authn.radius.server.protocol=EAP_MSCHAPv2
cas.authn.radius.server.retries=1
cas.authn.radius.client.authenticationPort=1812
cas.authn.radius.client.sharedSecret=casserver
# my freeradius IP Address
cas.authn.radius.client.inetAddress=192.168.1.2
cas.authn.radius.client.accountingPort=1813

#My Service Registry File (file name : application-10000001.json) :
---Location /etc/cas/services---

{
  "@class" : "org.apereo.cas.services.RegexRegisteredService",
  "serviceId" : "^(https|imaps)://.*",
  "name" : "HTTPS and IMAPS",
  "id" : 10000001,
  "evaluationOrder": 99999,
  "authenticationPolicy" : {
    "@class" : "org.apereo.cas.services.DefaultRegisteredServiceAuthenticationPolicy",  
    "requiredAuthenticationHandlers" : ["java.util.TreeSet", [ "Radius" ]]
  }
}

#My Build.gradle files (Dependencies Registered) :

dependencies {
    if (project.hasProperty("casmodules")) {
        def dependencies = project.getProperty("casmodules").split(",")
        dependencies.each {
            implementation "org.apereo.cas:cas-server-${it}:${casServerVersion}"
            implementation "org.apereo.cas:cas-server-support-radius:${project.'cas.version'}"
            implementation "org.apereo.cas:cas-server-support-simple-mfa:${project.'cas.version'}"
        }
    }

    // https://mvnrepository.com/artifact/gnu.getopt/java-getopt
    compile group: 'gnu.getopt', name: 'java-getopt', version: '1.0.13'

    compile "org.apereo.cas:cas-server-webapp${project.appServer}:${casServerVersion}"

    // Other CAS dependencies/modules may be listed here...
    compile "org.apereo.cas:cas-server-support-json-service-registry:${casServerVersion}"
}

--------------------------------------------------------------------
#My Freeradius Config for the cas server

Nas IP = 192.168.1.3 (my CAS Server IP Address)
Secret = casserver
(pictures attached)



Colin Ryan

Dec 1, 2020, 10:00:33 AM
to irvan suryadi, cas-...@apereo.org

Irvan,


All I have is the following:



cas.authn.radius.name=Radius
cas.authn.radius.server.protocol=PAP
cas.authn.radius.server.retries=1
cas.authn.radius.client.authenticationPort=1645
cas.authn.radius.client.sharedSecret=<shared secret>
cas.authn.radius.client.inetAddress=<IP of Radius Server>
cas.authn.radius.client.accountingPort=1646


If you're missing any core CAS bits or directives, it should complain loudly when you start up CAS.

As well, running your freeradius (if you can) with the -xX switches will show you more than enough debugging information.

You need to get down to good old 101 level troubleshooting.

* Confirm networking 101, i.e. can you ping the Rad. Server?

* Can you see packets arriving on the Radius Server?

* You're sure the shared secret/clients configuration is right/correct? (Even if not, again, running in -xX will show the connection being dropped.)


Anyhow, as mentioned, running CAS with debug log levels and running FreeRadius at such levels should give you clear indications of where there are issues.

Colin


irvan suryadi

Dec 2, 2020, 2:47:54 AM
to CAS Community, C Ryan, irvan suryadi
Hi Colin,
thank you for responding to my message.

Regarding the configuration that you wrote above,
I have also changed the protocol to PAP. But it still didn't work.

Previously, I made sure that no errors occurred on my Freeradius server and my CAS server.

Related to some of your suggestions about:
* Confirm networking 101, i.e. can you ping the Rad. Server (CAS Server and Freeradius have successfully connected and I can ping each other from both servers.)
* Can you see the packets arriving on the Radius Server? (Here is the main problem, Colin: I can't see any packets reaching my radius server. When running freeradius -X I don't see any authentication requests from the form on the CAS server go to my radius server.)
* You're sure the shared secret / clients configuration is right / correct? (I've also made sure the shared server and clients config on the Freeradius server are correct.)

(Even if not, again, running in -xX will show the connection being dropped.) About this, I've run freeradius in debug mode. I don't get an error message. However, I saw a warning message and I will write this message below:

Tue Dec 1 22:19:39 2020: Warning: /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf[362]: The item '-query' is defined, but is unused by the configuration

Tue Dec 1 22:19:39 2020: Warning: /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf[471]: The item '-query' is defined, but is unused by the configuration

Tue Dec 1 22:19:39 2020: Warning: /etc/freeradius/3.0/mods-config/sql/main/mysql/queries.conf[563]: The item '-query' is defined, but is unused by the configuration

Tue Dec 1 22:19:39 2020: Warning: Please use tls_min_version and tls_max_version instead of disable_tlsv1
Tue Dec 1 22:19:39 2020: Warning: Please use tls_min_version and tls_max_version instead of disable_tlsv1_2

Tue Dec 1 22:19:39 2020: Warning: Ignoring "ldap" (see raddb / mods-available / README.rst)

Is there something missing in my config?
I'm just wondering why there are no packets arriving at the Radius Server from my CAS server.

Thanks Colin,
irvan