Hi All,

I'm brand new to CAS but have managed to get all of the components together
for a working CAS-3.4.6 with RADIUS as the authentication backend.

I'm running the CAS server on RHAS 5.5 with tomcat 7.0.8 and
freeradius-2.1.8 as the radius server.

I start CAS and don't get any errors, and the 1st authentication via CAS
to the radius box works no problem. However, any subsequent auths all fail as
the CAS server mangles the password in some way as it passes it off to the
radius box.

Is anyone successfully running CAS with RADIUS backends?

I've included debug info from both the CAS server and the RADIUS server. If
anyone's got some helpful tips I'd really appreciate it. I'm not a java guy
at all so it took quite some time to get this far.

Cheers,
Harry


Here's some info:

[From /app/tomcat/logs/catalina.out]
Mar 28, 2011 1:05:44 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 7837 ms
2011-03-28 13:06:01,287 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
<Beginning ticket cleanup.>
2011-03-28 13:06:01,288 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0
tickets found to be removed.>
2011-03-28 13:06:01,289 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
<Finished ticket cleanup.>
2011-03-28 13:07:12,086 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction]
- <Setting path for cookies to: /cas>
2011-03-28 13:07:20,150 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthentic
ationHandler successfully authenticated the user which provided the
following credentials: [username: hhoffman]>
2011-03-28 13:07:20,154 INFO
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: [username: hhoffman]
WHAT: supplied credentials: [username: hhoffman]
ACTION: AUTHENTICATION_SUCCESS
APPLICATION: CAS
WHEN: Mon Mar 28 13:07:20 EDT 2011
CLIENT IP ADDRESS: 192.168.17.140
SERVER IP ADDRESS: 172.16.38.128
=============================================================

>
2011-03-28 13:07:20,157 INFO
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: [username: hhoffman]
WHAT: TGT-1-JRH4VL55badAVyq7IDeCAcbIF20b7DZcwsnEvRAk5zLbrnUmqh-cas
ACTION: TICKET_GRANTING_TICKET_CREATED
APPLICATION: CAS
WHEN: Mon Mar 28 13:07:20 EDT 2011
CLIENT IP ADDRESS: 192.168.17.140
SERVER IP ADDRESS: 172.16.38.128
=============================================================

>
2011-03-28 13:07:31,321 INFO
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: audit:unknown
WHAT: TGT-1-JRH4VL55badAVyq7IDeCAcbIF20b7DZcwsnEvRAk5zLbrnUmqh-cas
ACTION: TICKET_GRANTING_TICKET_DESTROYED
APPLICATION: CAS
WHEN: Mon Mar 28 13:07:31 EDT 2011
CLIENT IP ADDRESS: 192.168.17.140
SERVER IP ADDRESS: 172.16.38.128
=============================================================

>
2011-03-28 13:07:41,536 INFO
[org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered
services.>
2011-03-28 13:07:41,536 INFO
[org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 4 services.>
2011-03-28 13:07:44,322 INFO
[org.jasig.cas.authentication.AuthenticationManagerImpl] -
<AuthenticationHandler:
org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthentic
ationHandler failed to authenticate the user which provided the following
credentials: [username: hhoffman]>
2011-03-28 13:07:44,322 INFO
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: [username: hhoffman]
WHAT: supplied credentials: [username: hhoffman]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Mon Mar 28 13:07:44 EDT 2011
CLIENT IP ADDRESS: 192.168.17.140
SERVER IP ADDRESS: 172.16.38.128
=============================================================

>
2011-03-28 13:07:44,323 INFO
[com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit
trail record BEGIN
=============================================================
WHO: [username: hhoffman]
WHAT: error.authentication.credentials.bad
ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
APPLICATION: CAS
WHEN: Mon Mar 28 13:07:44 EDT 2011
CLIENT IP ADDRESS: 192.168.17.140
SERVER IP ADDRESS: 172.16.38.128
=============================================================


[From the radius server debug - FIRST ATTEMPT PASSWORD LOOKS JUST FINE]
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.38.128 port 40102, id=2,
length=62
        User-Name = "hhoffman"
        User-Password = "TestPassword"
        Message-Authenticator = 0xa71add575f352954035ef77234d6d6b1
+- entering group authorize {...}
++[preprocess] returns ok
...
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user hhoffman authenticated succesfully
+++[ldap] returns ok
++- group  returns ok
        expand: Auth-Type: %{control:Auth-Type} -> Auth-Type: ldap_ntlm
Login OK: [hhoffman] (from client castest port 0) Auth-Type: ldap_ntlm

(THIS IS THE SECOND ATTEMPT AND LOOK AT HOW THE PASSWORD IS NOW MANGLED)
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.38.128 port 43670, id=3,
length=55
        User-Name = "hhoffman"
        User-Password = "\ry\251\200!>(\2047"
        Message-Authenticator = 0xa87b5f47907bbadb0bd83cf8aed703d6
+- entering group authorize {...}

Needless to say it fails here and I have to restart the webapp before
another authentication will work.

