Sounds like a bug. Please open up an issue and we'll look into this.
From: Michael O Holstein [mailto:michael.holst...@csuohio.edu]
Sent: Monday, July 27, 2015 10:42 AM
To: cas-user@lists.jasig.org
Subject: Re:[cas-user] CAS-MFA (rc6) and Radius

Sorry to repost .. but even after picking through this over the weekend, I still can't find why the principal doesn't seem to get transferred between (RadiusAuthenticationHandler) back to (AuthenticationManagerImpl)

This is a vanilla install pulled from cas-mfa-rc6 ..

Specifically, how this :

2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler successfully authenticated [username: 1234567]

Goes to this :

2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal null

The only place CredentialsToPrincipalResolver exists is here inside deployerConfigContext.xml :

<bean id="authenticationManager" class="org.jasig.cas.authentication.AuthenticationManagerImpl">
  <property name="credentialsToPrincipalResolvers">
    <list>
      <bean class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" >
        <property name="attributeRepository" ref="attributeRepository" />
      </bean>

and also of interest .. the first stage (LDAP) is called with this :

org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver

but the second stage (RADIUS) is called from here :

org.jasig.cas.authentication.AuthenticationManagerImpl

Removing the authn_method requiring 'radius-two-factor' .. and everything (auth, release) works as it should.

Logging turned to 11 .. here are the relevant bits .. the username is obfuscated below, but is of all-numeric form as shown.

2015-07-27 13:01:26,822 DEBUG [net.unicon.cas.mfa.authentication.radius.JRadiusServerImpl] - Authentication request succeeded for host: [debauh1.csuohio.edu] and username [1234567]
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler] - Leaving method [authenticate] with return value [true].
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.principal.UsernamePasswordCredentials] - Entering method [toString with arguments []
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.principal.UsernamePasswordCredentials] - Leaving method [toString] with return value [[username: 1234567]].
2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler successfully authenticated [username: 1234567]
2015-07-27 13:01:26,822 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal null
2015-07-27 13:01:26,822 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - CredentialsToPrincipalResolver found but no principal returned.
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.AuthenticationManagerImpl] - Leaving method [authenticate] with return value [null].
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Entering method [getCode with arguments []
2015-07-27 13:01:26,822 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Leaving method [getCode] with return value [error.authentication.credentials.bad].
2015-07-27 13:01:26,824 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Entering method [toString with arguments []
2015-07-27 13:01:26,824 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Entering method [getCode with arguments []
2015-07-27 13:01:26,824 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Leaving method [getCode] with return value [error.authentication.credentials.bad].
2015-07-27 13:01:26,824 TRACE [org.jasig.cas.authentication.handler.BadCredentialsAuthenticationException] - Leaving method [toString] with return value [error.authentication.credentials.bad].
2015-07-27 13:01:26,823 ERROR [net.unicon.cas.mfa.web.flow.TerminatingMultiFactorAuthenticationViaFormAction] - error.authentication.credentials.bad
    at org.jasig.cas.authentication.hand

TIA,
Michael Holstein
Cleveland State University

_____

From: Michael O Holstein <michael.holst...@csuohio.edu>
Sent: Friday, July 24, 2015 4:20 PM
To: cas-user@lists.jasig.org
Subject: [cas-user] CAS-MFA (rc6) and Radius

Any ideas as to what I've done wrong here? .. this worked fine in RC2 .. but now I get a successful LDAP auth and a successful radiusOTP auth, but somewhere in the mix the principal gets lost.

CredentialsToPrincipalResolver gets invoked (and works fine on primary auth) .. how does it get lost during MFA?

2015-07-24 16:11:38,085 DEBUG [net.unicon.cas.mfa.authentication.radius.JRadiusServerImpl] - Authentication request succeeded for host: [myradius] and username [bob123]
2015-07-24 16:11:38,085 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler successfully authenticated [username: bob123]
2015-07-24 16:11:38,087 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - Resolved principal null
2015-07-24 16:11:38,087 DEBUG [org.jasig.cas.authentication.AuthenticationManagerImpl] - CredentialsToPrincipalResolver found but no principal returned.
2015-07-24 16:11:38,102 ERROR [net.unicon.cas.mfa.web.flow.TerminatingMultiFactorAuthenticationViaFormAction] - error.authentication.credentials.bad

TIA,
Michael Holstein
Cleveland State University

--
You are currently subscribed to cas-user@lists.jasig.org as: michael.holst...@csuohio.edu
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user