[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-06-05 Thread Colin Gordon (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16037634#comment-16037634
 ] 

Colin Gordon commented on GUACAMOLE-197:


[~nick.couch...@yahoo.com] Correct, it looks like it would need to be a DB + 
RADIUS implementation, since there is not a way currently to return connection 
information from a RADIUS server like with LDAP. My guess is that yes, it would 
require the creation of connection "groups" on the Guac side, then the returned 
RADIUS attributes could correspond to the groups. RADIUS accounting is not 
critical since we can grab log info via Syslog, but I suppose RADIUS 
interim-updates with similar Syslog-like data would be nice.

I would love to contribute code if I had the skill. I'm more of an 
implementation and systems specialist. Thanks!

> Implement Support for RADIUS Authentication
> ---
>
> Key: GUACAMOLE-197
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacamole, guacamole-client
>Reporter: Nick Couchman
>Assignee: Nick Couchman
>Priority: Minor
> Fix For: 0.9.14-incubating
>
>
> Working on implementing a RADIUS authentication module - 
> guacamole-auth-radius.  The basic implementation is completed - with a basic 
> PAP or CHAP RADIUS server, the authentication succeeds and the user is logged 
> in.
> I'm running into an issue, though, trying to implement Challenge/Response in 
> RADIUS.  I have my RADIUS server configured to talk to LinOTP for MFA/2FA, 
> and RADIUS sends the AccessChallenge package back, asking for the second 
> factor.  My issue is in my continual failure to grasp the connection between 
> the servlet side and the AngularJS web application.  I've copied the Duo 
> authentication code and tried to morph it into something that will present 
> another box for the RADIUS challenge, but I can't get my controller function 
> to actually fire.
> Once that is working, I'd like to support other RADIUS authentication 
> protocols, like EAP-TLS and EAP-TTLS, so there's a little more work to be 
> done, but right now I'm focusing on the basic protocols and the 
> challenge/response.
> Will have a repo posted here in a moment for working on this.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)


[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-06-05 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16037421#comment-16037421
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

{quote}
Hello, I love that Guacamole is including RADIUS auth. I routinely use OpenOTP 
as a 2factor RADIUS server, and enabling Guacamole as a RADIUS client will make 
it eminently more useful for my purposes.
{quote}

Glad to hear I'm not the only one interested in it.

{quote}
One additional feature I hope this project may consider adding is the ability 
to filter which configuration a user has access to upon authentication. With 
LDAP, Guacamole has the ability to provide a user access to a configuration 
based on which LDAP group the user is a member of (see here 
https://guacamole.incubator.apache.org/doc/0.9.3/gug/ldap-auth.html). This can 
be done with RADIUS as well, but requires the RADIUS client implementation to 
"look" at attributes that are returned by the RADIUS server.
{quote}

I have plans (in my head, anyway) to expand RADIUS support in Guacamole later 
on for both authorization and accounting features, which I think would cover 
what you're talking about, here.  At the moment, this extension only does 
authentication and relies on other stacked authentication modules to provide 
the actual connection information.  The feature that you're referencing in the 
LDAP Authentication module works when the connections are stored in LDAP, and 
the LDAP directory is used for both authentication and connection information.  
If you layer LDAP with DB, you're left with the same challenge - the 
connections in the DB layer must be managed apart from the directory tree.

I think there's also a JIRA issue opened at the moment to add group support to 
the Guacamole client, which would also probably address the challenges, here - 
I would imagine that would also resolve the challenge you're facing of having to 
administer user/connection permissions on an individual basis.  The combination 
of the two - groups in Guacamole and an improved RADIUS module - is certainly 
an ideal place to get.

If you're able to contribute code to the effort I'd welcome the contribution!

> Implement Support for RADIUS Authentication
> ---
>
> Key: GUACAMOLE-197
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacamole, guacamole-client
>Reporter: Nick Couchman
>Assignee: Nick Couchman
>Priority: Minor
> Fix For: 0.9.14-incubating


[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-06-05 Thread Colin Gordon (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16037410#comment-16037410
 ] 

Colin Gordon commented on GUACAMOLE-197:


Hello, I love that Guacamole is including RADIUS auth. I routinely use OpenOTP 
as a 2factor RADIUS server, and enabling Guacamole as a RADIUS client will make 
it eminently more useful for my purposes.

One additional feature I hope this project may consider adding is the ability 
to filter which configuration a user has access to upon authentication. With 
LDAP, Guacamole has the ability to provide a user access to a configuration 
based on which LDAP group the user is a member of (see here 
https://guacamole.incubator.apache.org/doc/0.9.3/gug/ldap-auth.html). This can 
be done with RADIUS as well, but requires the RADIUS client implementation to 
"look" at attributes that are returned by the RADIUS server. 

Many vendors implement this feature via vendor-specific attributes. This would 
require Guacamole to have its own RADIUS dictionary. However, Guacamole could 
choose to simply check the RADIUS Class attribute, and allow the user access to 
a configuration that matches the string within the Class attribute (see here: 
https://tools.ietf.org/html/rfc2865#page-46). This would allow a user logging 
in to view the "admins" configuration, if the Class attribute returns "admins" 
(in FreeRADIUS, Class := "admins"). You could even expand it to allow access 
to multiple configurations by using a delimiter (Class := 
"admins;RDPUsers;SSHUsers").

Anyway, thanks for RADIUS support!

> Implement Support for RADIUS Authentication
> ---
>
> Key: GUACAMOLE-197
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacamole, guacamole-client
>Reporter: Nick Couchman
>Assignee: Nick Couchman
>Priority: Minor
> Fix For: 0.9.14-incubating
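The Class-attribute mapping proposed in the comment above, as an added example (not code from the Guacamole extension): it checks the Response Authenticator of an Access-Accept before trusting any attribute, then grants only Class tokens that match groups defined locally. The group set, shared secret and sample packet are constructed, and the ";" delimiter follows the comment's suggestion.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_CLASS = 25  # Class attribute, RFC 2865 section 5.25

# Assumption: group names that exist on the Guacamole side (hypothetical).
KNOWN_GROUPS = frozenset({"admins", "RDPUsers", "SSHUsers"})


def build_reply(code, ident, request_auth, attrs, secret):
    """Construct a reply as a RADIUS server would; used only for sample input."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def parse_attributes(packet):
    """Return (code, length, [(type, value), ...]), rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, length, attrs


def groups_from_accept(packet, request_auth, secret, known=KNOWN_GROUPS):
    """Return the locally known groups named in the Class attribute(s)."""
    code, length, attrs = parse_attributes(packet)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(
        packet[:4] + request_auth + packet[20:length] + secret
    ).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("response authenticator mismatch")
    if code != ACCESS_ACCEPT:
        return set()
    granted = set()
    for atype, value in attrs:
        if atype != ATTR_CLASS:
            continue
        try:
            text = value.decode("utf-8")
        except UnicodeDecodeError:
            continue  # Class is opaque octets; skip values that are not text
        for token in text.split(";"):
            token = token.strip()
            if token in known:  # unknown names grant nothing
                granted.add(token)
    return granted


# Constructed sample input: shared secret, request authenticator and reply.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_reply(
    ACCESS_ACCEPT, 7, REQUEST_AUTH,
    [(ATTR_CLASS, b"admins;RDPUsers;SSHUsers"), (18, b"welcome")],
    SECRET,
)

if __name__ == "__main__":
    print(sorted(groups_from_accept(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET)))
```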


[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-04-13 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15967866#comment-15967866
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

Opened up LEGAL-299 to ask for legal guidance on including the source for this 
in the main Guacamole code.  We'll see what they say...

> Implement Support for RADIUS Authentication
> ---
>
> Key: GUACAMOLE-197
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacamole, guacamole-client
>Reporter: Nick Couchman
>Priority: Minor
> Fix For: 0.9.13-incubating


[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-04-10 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15963273#comment-15963273
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

{quote}
There's currently a bug that I need to fix for the build process to exclude 
some JAR signatures. You currently have to work around it by removing two files 
from the resulting JAR file: META-INF/BCKEY.SF and META-INF/BCKEY.DSA.
{quote}
Just committed a change to fix this issue, so you should just be able to build 
and use the resulting JAR file in your /etc/guacamole/extensions directory.

> Implement Support for RADIUS Authentication
> ---
>
> Key: GUACAMOLE-197
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacamole, guacamole-client
>Reporter: Nick Couchman
>Priority: Minor
> Fix For: 0.9.13-incubating


[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-04-10 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15963267#comment-15963267
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

{quote}
Is it possible to use this now? I just installed 0.9.12, and I have a RADIUS 
server that I'd like to try using guac against. I'm a newb though, and don't 
know how to install this. I have guac 0.9.12 running on Ubuntu.
{quote}

You're certainly welcome to check out the source code from my fork of the repo 
and try it out:
https://github.com/necouchman/incubator-guacamole-client/tree/GUACAMOLE-197

There are some things to know about it:
- You have to build it yourself, there are no pre-compiled WARs/JARs for it, 
and, actually, for this extension, probably never will be (due to some 
licensing issues).  Building is pretty easy - you need a Java compiler (Oracle 
JDK, for example) and Maven, and then you just do "mvn package" - instructions 
are in the main readme file.
- This particular branch of the incubator-guacamole-client tree lags behind the 
Apache master by several commits (51), so there are probably some fixes and 
functionality changes that you'd be missing.
- There's currently a bug that I need to fix for the build process to exclude 
some JAR signatures.  You currently have to work around it by removing two 
files from the resulting JAR file: META-INF/BCKEY.SF and META-INF/BCKEY.DSA.

Also, since it hasn't been merged into the main code, yet, the documentation 
also hasn't been updated.  The config parameters are as follows:
radius-server
radius-auth-port
radius-acct-port
radius-shared-secret
radius-auth-protocol
radius-key-file
radius-key-type
radius-ca-file
radius-ca-type
radius-eap-ttls-inner-protocol

Feel free to let me know if you encounter any bugs.

> Implement Support for RADIUS Authentication
> ---
>
> Key: GUACAMOLE-197
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacamole, guacamole-client
>Reporter: Nick Couchman
>Priority: Minor
> Fix For: 0.9.13-incubating


[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-04-10 Thread Carlo Grossman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15963203#comment-15963203
 ] 

Carlo Grossman commented on GUACAMOLE-197:
--

Is it possible to use this now?  I just installed 0.9.12, and I have a RADIUS 
server that I'd like to try using guac against.  I'm a newb though, and don't 
know how to install this.  I have guac 0.9.12 running on Ubuntu.

> Implement Support for RADIUS Authentication
> ---
>
> Key: GUACAMOLE-197
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacamole, guacamole-client
>Reporter: Nick Couchman
>Priority: Minor
> Fix For: 0.9.13-incubating


[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-10 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15861944#comment-15861944
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

MS-CHAP varieties should also be working.  I found that the JRadius simulator 
behaves identically with PEAP as the current implementation for the Guacamole 
module, so I'm fairly confident it's either my configuration of FreeRADIUS or 
something internal to the JRadius implementation.  Pull request coming soon.

> Implement Support for RADIUS Authentication
> ---
>
> Key: GUACAMOLE-197
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacamole, guacamole-client
>Affects Versions: 0.9.11-incubating
>Reporter: Nick Couchman
>Priority: Minor


[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-10 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15861880#comment-15861880
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

Okay, confirmed that the following RADIUS protocols work correctly: PAP, CHAP, 
EAP-MD5, EAP-TLS, and EAP-TTLS.  I cannot get PEAP to work at the moment - 
there's an issue opened on the JRadius github project with another user having 
a similar issue, and I'm uncertain if it's an implementation issue in my code 
or in the JRadius code.  I'm tempted to go ahead and submit a PR for this as-is 
with the caveat that PEAP does not work, and address PEAP later, but will 
definitely continue to hammer on PEAP and see if I can figure out what I'm not 
doing quite right.

> Implement Support for RADIUS Authentication
> ---
>
> Key: GUACAMOLE-197
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacamole, guacamole-client
>Affects Versions: 0.9.11-incubating
>Reporter: Nick Couchman
>Priority: Minor


[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-09 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15860128#comment-15860128
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

Latest commit to my branch results in working PAP, CHAP, and EAP-MD5 
authentication protocols via RADIUS.  Next stop: TLS varieties - PEAP, EAP-TLS, 
and EAP-TTLS.

> Implement Support for RADIUS Authentication
> ---
>
> Key: GUACAMOLE-197
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacamole, guacamole-client
>Affects Versions: 0.9.11-incubating
>Reporter: Nick Couchman
>Priority: Minor


[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-09 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15859591#comment-15859591
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

Reorganized the code a bit.  Need to get a RADIUS server set up to test out 
some of the TLS protocols and make sure those work, but so far so good.

I am having trouble with MAVEN and signed modules.  The jradius-extended 
dependency pulls in another one called BouncyCastle, which is an SSL/TLS 
implementation for Java.  One of those modules is signed, and it's causing all 
sorts of trouble getting the RADIUS Authentication module to load.  I tried 
several incantations for a couple hours yesterday to get MAVEN to filter out 
the signing files when building the RADIUS jar file, to no avail.  I can post 
more info, if needed, but any suggestions there would be appreciated.  For the 
time being I've resorted to manually using the zip command to remove the 
signatures from the resulting JAR...obviously that's a poor long-term solution.

> Implement Support for RADIUS Authentication
> ---
>
> Key: GUACAMOLE-197
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacamole, guacamole-client
>Affects Versions: 0.9.11-incubating
>Reporter: Nick Couchman
>Priority: Minor
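The workaround described in these comments (removing META-INF/BCKEY.SF and META-INF/BCKEY.DSA from the built JAR), as an added example that is not part of the original thread or the project's build: it lists the signature-related entries in a JAR and writes a copy without them. The sample JAR and every entry name in it other than the two BCKEY files are constructed.

```python
import io
import zipfile

# Signature files (.SF) and signature blocks (.DSA/.RSA/.EC) sit directly
# under META-INF/ in a signed JAR.
SIG_SUFFIXES = (".SF", ".DSA", ".RSA", ".EC")


def is_signature_entry(name):
    """True for META-INF/<file> entries that carry JAR signing data."""
    upper = name.upper()
    if not upper.startswith("META-INF/"):
        return False
    rest = upper[len("META-INF/"):]
    return "/" not in rest and rest.endswith(SIG_SUFFIXES)


def signature_entries(jar_bytes):
    """Return the sorted names of signature-related entries in a JAR."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return sorted(n for n in jar.namelist() if is_signature_entry(n))


def strip_signatures(jar_bytes):
    """Return a copy of the JAR without signature entries.

    Entries are re-compressed; original timestamps are not preserved.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if is_signature_entry(info.filename):
                continue
            dst.writestr(info.filename, src.read(info.filename))
    return out.getvalue()


def build_sample_jar():
    """Constructed stand-in for a merged extension JAR (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("META-INF/BCKEY.SF", "Signature-Version: 1.0\n")
        jar.writestr("META-INF/BCKEY.DSA", b"\x30\x82placeholder")
        jar.writestr("guac-manifest.json", "{}")
        jar.writestr("example/Placeholder.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar()
    print("before:", signature_entries(sample))
    print("after: ", signature_entries(strip_signatures(sample)))
```

The result is an unsigned JAR, so the integrity of the bundled dependency has to be established by other means at build time.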


[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-07 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15857290#comment-15857290
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

Okay, working module, and the prompt for the additional response looks much 
better, and should be relatively translation-friendly.

Now I need to work on steps necessary to support the additional RADIUS 
authentication protocols, which will probably mean reorganizing some of the 
code in the RadiusConnectionService class.

> Implement Support for RADIUS Authentication
> ---
>
> Key: GUACAMOLE-197
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacamole, guacamole-client
>Affects Versions: 0.9.11-incubating
>Reporter: Nick Couchman
>Priority: Minor


[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-07 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15856728#comment-15856728
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

Finally, figured out the right incantation of JRadius methods to get the state 
out in a sane fashion.  Will have updated code committed here, shortly.  This 
particular module should be functional now for PAP, CHAP, and several MS-CHAP 
RADIUS protocols - basically anything that doesn't require extra security like 
TLS.  I need to fix some display issues with the Challenge/Response prompt, as 
well.

> Implement Support for RADIUS Authentication
> ---
>
> Key: GUACAMOLE-197
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacamole, guacamole-client
>Affects Versions: 0.9.11-incubating
>Reporter: Nick Couchman
>Priority: Minor
>
> Working on implementing a RADIUS authentication module - 
> guacamole-auth-radius.  The basic implementation is completed - with a basic 
> PAP or CHAP RADIUS server, the authentication succeeds and the user is logged 
> in.
> I'm running into an issue, though, trying to implement Challenge/Response in 
> RADIUS.  I have my RADIUS server configured to talk to LinOTP for MFA/2FA, 
> and RADIUS sends the AccessChallenge package back, asking for the second 
> factor.  My issue is in my continual failure to grasp the connection between 
> the servlet side and the AngularJS web application.  I've copied the Duo 
> authentication code and tried to morph it into something that will present 
> another box for the RADIUS challenge, but I can't get my controller function 
> to actually fire.
> Once that is working, I'd like to support other RADIUS authentication 
> protocols, like EAP-TLS and EAP-TTLS, so there's a little more work to be 
> done, but right now I'm focusing on the basic protocols and the 
> challenge/response.
> Will have a repo posted here in a moment for working on this.





[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-07 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15856087#comment-15856087
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

Got it...will just pass it through as a hidden field in the challenge/response 
process, unless there's a better way to do it.

Having cleared that hurdle, I'm on to the next one - how to deal with the value 
of the state parameter in a safe way.  When I look at the debug output from 
FreeRADIUS, the state shows up as a hexadecimal value.  When I deal with it as 
a String in Java, it almost looks like a binary value.  Tried a few rounds of 
converting it to an integer and dealing with it that way, but that didn't seem 
to work, so going to try a byte array, now, and see what happens.  Only concern 
is trying to pass a binary value through to AngularJS and then get it back 
safely...fun times!



[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-06 Thread Michael Jumper (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15855318#comment-15855318
 ] 

Michael Jumper commented on GUACAMOLE-197:
--

I agree. The standard describes the attribute as nothing more than an opaque 
session token whose content is implementation-dependent and intended to be sent 
to the client anyway. Storing a session token within the server so that it can 
be replaced with our own session token doesn't seem to buy us anything except 
complexity.



[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-06 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15855255#comment-15855255
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

Here's the documentation on the attribute itself from the IETF standard:
https://tools.ietf.org/html/rfc2865#section-5.24

From what I can tell reading that and some other Internet sources, the risk of 
exposing the state field to the authenticating user should be minimal.  My 
rationale is as follows:
- The state field appears to be just a session marker in the RADIUS 
conversation, used specifically when the authenticating system needs to provide 
additional information to the server, or when the RADIUS server needs to do 
something at termination of a connection.
- There hasn't been a lot done to obfuscate or encrypt the field itself.  The 
RADIUS protocol as a whole has developed several security measures to protect 
the overall transmission, but there hasn't been any focus on the state protocol 
specifically.
- Obviously a third-party attacker being able to read the state field could use 
it to try to impersonate the user or intercept the connection; however, there's 
equally (more?) sensitive data in the payload than the state - like username 
and password.

So, I don't think there's any harm in the person who's doing the authentication 
seeing the state value.



[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-06 Thread Michael Jumper (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15854927#comment-15854927
 ] 

Michael Jumper commented on GUACAMOLE-197:
--

Do you know of any documentation on the "State" parameter that might cover its 
purpose/meaning and whether it's safe to expose to the authenticating user?



[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-06 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15854575#comment-15854575
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

Okay, making progress here, but have another question.  When the RADIUS server 
sends back the AccessChallenge packet, it also sends a "State" parameter that 
needs to be saved and used to process the remainder of the authentication.  So, 
something like this:
- Send Username, Password
- Receive Challenge, State
- Send Username, State, Response
- Receive Accept/Reject

For the connection state, is the best way to do this to pass the state into the 
AngularJS form where the user enters the challenge response, and then somehow 
pass it back, or is there some way to internally add the state to the Java 
servlet side such that I can pick it back up and use it, again?  I'd rather not 
pass it through the browser front-end if I don't have to - seems more secure if 
I can keep it all on the servlet side - but I'm not sure the best place to 
create that storage item.  I tried to just add it to the 
AuthenticationProviderService class that I'm implementing in the module, but it 
looks like the class gets re-instantiated during the second go-around, so there 
isn't anything persistent there.  I'm not sure if there's another session class 
I should use or something like that?




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
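
The four-step exchange listed in this comment, together with the binary State handling discussed elsewhere in the thread, as an added Python example that is not part of the original comment or of guacamole-auth-radius. It builds and parses the packets per RFC 2865, hex-encodes State for a hidden form field and validates it on return; the shared secret, user name, OTP, State bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac
import re
import struct

# Packet codes and attribute types defined in RFC 2865.
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
STATE_FORM_RE = re.compile(r"(?:[0-9a-f]{2}){1,253}")


def encode_attrs(attrs):
    """Serialise (type, value) pairs as TLVs; the length byte counts its 2-byte header."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += bytes([atype, len(value) + 2]) + value
    return out


def decode_attrs(data):
    """Parse TLVs into {type: value}, refusing lengths below 2 or past the buffer."""
    attrs, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[pos]] = data[pos + 2:pos + data[pos + 1]]
        pos += data[pos + 1]
    return attrs


def hide_password(password, secret, request_auth):
    """User-Password hiding, RFC 2865 section 5.2: XOR with an MD5 chain over the secret."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def build_request(ident, request_auth, secret, user, credential, state=None):
    """Access-Request; in the second round the credential is the OTP and State is echoed."""
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(credential, secret, request_auth))]
    if state is not None:
        attrs.append((STATE, state))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_reply(code, ident, request_auth, secret, attrs):
    """Server reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def parse_reply(raw, request_auth, secret):
    """Check the length field and Response Authenticator before trusting any attribute."""
    if len(raw) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if not 20 <= length <= len(raw):
        raise ValueError("bad length field")
    body = raw[20:length]
    expected = hashlib.md5(raw[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, raw[4:20]):
        raise ValueError("Response Authenticator mismatch")
    return code, ident, decode_attrs(body)


def state_from_form(text):
    """Decode the value the browser returned; only 1..253 lowercase hex bytes pass."""
    if not isinstance(text, str) or not STATE_FORM_RE.fullmatch(text):
        raise ValueError("State from client is not valid hex")
    return bytes.fromhex(text)


def run_exchange():
    # All values are constructed sample data; real authenticators come from os.urandom(16).
    secret, user = b"constructed-shared-secret", b"alice"
    state = bytes.fromhex("00ff8a1bc3d4e5f60718293a4b5c6d7e")  # binary, not valid UTF-8
    auth1, auth2 = bytes(range(16)), bytes(range(16, 32))
    req1 = build_request(1, auth1, secret, user, b"password")  # Send Username, Password
    challenge = build_reply(ACCESS_CHALLENGE, req1[1], auth1, secret,  # Receive Challenge, State
                            [(REPLY_MESSAGE, b"Please enter your otp value:"), (STATE, state)])
    code, _, attrs = parse_reply(challenge, auth1, secret)
    hidden_field = attrs[STATE].hex()  # text-safe form carried by the login page
    req2 = build_request(2, auth2, secret, user, b"123456",  # Send Username, State, Response
                         state_from_form(hidden_field))
    as_text = attrs[STATE].decode("utf-8", errors="replace").encode("utf-8")  # lossy path
    return {"code": code, "prompt": attrs[REPLY_MESSAGE].decode("ascii"), "hidden_field": hidden_field,
            "state_round_trips": decode_attrs(req2[20:])[STATE] == state, "text_round_trip_corrupts": as_text != state}


if __name__ == "__main__":
    print(run_exchange())
```

A client can still alter the hidden field, so the returned State is untrusted input to the web tier; the RADIUS server decides whether it matches an outstanding challenge.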


[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-06 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15854432#comment-15854432
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

Aha.  Renaming the extension to guacamole-auth-0radius.jar did the trick and 
presents the box for the additional credentials.  It doesn't look pretty or 
actually work at the moment, but it's progress.  Thanks.



[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-06 Thread Michael Jumper (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15854393#comment-15854393
 ] 

Michael Jumper commented on GUACAMOLE-197:
--

Guacamole queries extensions in ascending order of their filenames. If you are 
using multiple extensions, the first extension to return an auth failure will 
take priority in the event that no extension returns success, as only one error 
can be reported. Duo is probably working because it sorts earlier in the list, 
while RADIUS ends up toward the end. You may need to rename the .jar file in 
your GUACAMOLE_HOME/extensions/.



[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-06 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15854012#comment-15854012
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

Loaded the DUO module and verified that it throws INSUFFICIENT_CREDENTIALS 
correctly, so that works...something I'm doing with the RADIUS module is not 
quite right...



[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-06 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15854004#comment-15854004
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

Pulled out the LDAP authentication module and another development one that I'm 
working on, and I get the same result - somewhere along the way the 
INSUFFICIENT_CREDENTIALS is getting changed to INVALID_CREDENTIALS...



[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-06 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15853949#comment-15853949
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

Yeah, so something is not working, there.  Here's the response I get back:
{noformat}
{"message":"Invalid login","translatableMessage":{"key":"Invalid login","variables":null},"statusCode":null,"expected":[{"name":"username","type":"USERNAME"},{"name":"password","type":"PASSWORD"}],"type":"INVALID_CREDENTIALS"}
{noformat}

So, I'm guessing that the end there should be INSUFFICIENT_CREDENTIALS instead 
of INVALID_CREDENTIALS?  And, in the Tomcat log output, I see the following:
{noformat}
07:55:14.055 [http-nio-8080-exec-251] DEBUG o.a.g.a.l.AuthenticationProviderService - Unable to determine DN for user "Andy_Taylor".
07:55:14.058 [http-nio-8080-exec-251] DEBUG o.a.g.a.r.RadiusConnectionService - Sending authentication request to radius server for user Andy_Taylor.
07:55:14.102 [http-nio-8080-exec-251] DEBUG o.a.g.a.r.AuthenticationProviderService - RADIUS sent challenge response: Please enter your otp value:
07:55:14.103 [http-nio-8080-exec-251] DEBUG o.a.g.a.r.AuthenticationProviderService - RADIUS sent state: [B@3b5376ab
07:55:14.103 [http-nio-8080-exec-251] DEBUG o.a.g.a.r.f.RadiusChallengeResponseField - Initializing the RADIUS challenge/response field: Please enter your otp value:
07:55:14.103 [http-nio-8080-exec-251] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping file "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
07:55:14.103 [http-nio-8080-exec-251] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [10.43.112.36, 0:0:0:0:0:0:0:1] for user "Andy_Taylor" failed.
{noformat}

I would guess that last part - authentication attempt failed - is what's 
causing the JSON response to be INVALID_CREDENTIALS instead of 
INSUFFICIENT_CREDENTIALS, just not sure at the moment why it's throwing that.  
Maybe I'll unload some of the other authentication modules that are in my 
extensions folder and see if that helps. 



[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-05 Thread Michael Jumper (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15853610#comment-15853610
 ] 

Michael Jumper commented on GUACAMOLE-197:
--

First step would be to confirm via the browser's dev tools that the HTTP 
response from ".../api/tokens" contains JSON describing the expected 
credentials, which is generated automatically based on the information in the 
GuacamoleInsufficientCredentialsException.



[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-05 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15853432#comment-15853432
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

bq. I see that you're using GuacamoleInsufficientCredentialsException, which is 
the intended mechanism to report that additional credentials are needed (such 
as a response to a challenge). What issues are you having specifically?

So, as you can see in the source code, I check the response packet, and, when I 
get the AccessChallenge response, I throw the 
GuacamoleInsufficientCredentialsException.  I set up the field with the same 
field type specified on the AngularJS side, and pass that through to the 
insufficient credentials method.  I've got the JS stuff set up the way I think 
it ought to be set up, but the controller method never actually runs, and the 
challenge field/template is never displayed.  I'm sure it's either a simple 
typo or I haven't fully grasped the integration between the servlet and the 
Angular stuff, so I'm not sure why it isn't firing and displaying the challenge 
box.



[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-05 Thread Michael Jumper (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15853398#comment-15853398
 ] 

Michael Jumper commented on GUACAMOLE-197:
--

{quote}
I'll take any help getting the following things to work:
- AngularJS prompt for the RADIUS Challenge/Response
- Additional RADIUS protocols that support encryption, certificates, and 
tunneling.
{quote}

I see that you're using `GuacamoleInsufficientCredentialsException`, which is 
the intended mechanism to report that additional credentials are needed (such 
as a response to a challenge). What issues are you having specifically?

> Implement Support for RADIUS Authentication
> ---
>
> Key: GUACAMOLE-197
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
> Project: Guacamole
>  Issue Type: Improvement
>  Components: guacamole, guacamole-client
>Affects Versions: 0.9.11-incubating
>Reporter: Nick Couchman
>Priority: Minor
>  Labels: features
>
> Working on implementing a RADIUS authentication module - 
> guacamole-auth-radius.  The basic implementation is completed - with a basic 
> PAP or CHAP RADIUS server, the authentication succeeds and the user is logged 
> in.
> I'm running into an issue, though, trying to implement Challenge/Response in 
> RADIUS.  I have my RADIUS server configured to talk to LinOTP for MFA/2FA, 
> and RADIUS sends the AccessChallenge package back, asking for the second 
> factor.  My issue is in my continual failure to grasp the connection between 
> the servlet side and the AngularJS web application.  I've copied the Duo 
> authentication code and tried to morph it into something that will present 
> another box for the RADIUS challenge, but I can't get my controller function 
> to actually fire.
> Once that is working, I'd like to support other RADIUS authentication 
> protocols, like EAP-TLS and EAP-TTLS, so there's a little more work to be 
> done, but right now I'm focusing on the basic protocols and the 
> challenge/response.
> Will have a repo posted here in a moment for working on this.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
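
The Access-Challenge round trip described in the issue, shown at the RADIUS packet level as an added example; it is not code from this thread or from guacamole-auth-radius. It follows RFC 2865 with PAP: the client checks the Response Authenticator on the challenge, takes the prompt from Reply-Message, and sends a new Access-Request that carries the one-time code in User-Password and echoes State unchanged. All function names are illustrative.

```python
import hashlib
import hmac
import struct

# RFC 2865 packet codes and attribute types used in a challenge/response login.
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

def hide_password(value, secret, authenticator):
    """User-Password hiding (RFC 2865 5.2): XOR with a chained MD5 keystream."""
    padded = value.ljust(16 * max(1, -(-len(value) // 16)), b"\x00")
    blocks = [authenticator]
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + blocks[-1]).digest()
        blocks.append(bytes(a ^ b for a, b in zip(padded[i:i + 16], key)))
    return b"".join(blocks[1:])

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_attributes(packet):
    """Return {type: [values]}, rejecting truncated or malformed attributes."""
    length, attrs, pos = struct.unpack("!H", packet[2:4])[0], {}, 20
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    while pos < length:
        alen = packet[pos + 1] if length - pos >= 2 else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(packet[pos], []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def answer_challenge(challenge, sent_auth, secret, username, otp, ident, new_auth):
    """Validate an Access-Challenge; return (prompt, follow-up Access-Request)."""
    if len(challenge) < 20 or challenge[0] != ACCESS_CHALLENGE:
        raise ValueError("not an Access-Challenge")
    # Response Authenticator = MD5(code+id+length+RequestAuth+attributes+secret).
    expected = hashlib.md5(challenge[:4] + sent_auth + challenge[20:] + secret).digest()
    if not hmac.compare_digest(expected, challenge[4:20]):
        raise ValueError("Response Authenticator mismatch")
    attrs = parse_attributes(challenge)
    prompt = b" ".join(attrs.get(REPLY_MESSAGE, [])).decode("utf-8", "replace")
    reply = [(USER_NAME, username), (USER_PASSWORD, hide_password(otp, secret, new_auth))]
    # State is opaque and must be echoed unmodified so the server can resume the login.
    reply += [(STATE, s) for s in attrs.get(STATE, [])]
    return prompt, build_packet(ACCESS_REQUEST, ident, new_auth, reply)
```

`sent_auth` is the Request Authenticator of the Access-Request that triggered the challenge; `new_auth` must be 16 fresh random bytes for each request.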


[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

2017-02-05 Thread Nick Couchman (JIRA)

[ 
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15853339#comment-15853339
 ] 

Nick Couchman commented on GUACAMOLE-197:
-

My working branch for this issue is here:
https://github.com/necouchman/incubator-guacamole-client/tree/GUACAMOLE-197

As stated before, general RADIUS support should work fine for anything that 
doesn't require an AccessChallenge response, or doesn't require any additional 
encryption configuration/certificates.  Current parameters are as follows:

radius-server
radius-auth-port
radius-acct-port
radius-shared-secret
radius-auth-protocol

I'll take any help getting the following things to work:
- AngularJS prompt for the RADIUS Challenge/Response
- Additional RADIUS protocols that support encryption, certificates, and 
tunneling.
