guacamole-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nick Couchman (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication
Date Mon, 06 Feb 2017 13:02:41 GMT

    [ https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15853949#comment-15853949
] 

Nick Couchman commented on GUACAMOLE-197:
-----------------------------------------

Yeah, so something is not working, there.  Here's the response I get back:
{noformat}
{"message":"Invalid login","translatableMessage":{"key":"Invalid login","variables":null},"statusCode":null,"expected":[{"name":"username","type":"USERNAME"},{"name":"password","type":"PASSWORD"}],"type":"INVALID_CREDENTIALS"}
{noformat}

So, I'm guessing that the end there should be INSUFFICIENT_CREDENTIALS instead of INVALID_CREDENTIALS?
 And, in the Tomcat log output, I see the following:
{noformat}
07:55:14.055 [http-nio-8080-exec-251] DEBUG o.a.g.a.l.AuthenticationProviderService - Unable
to determine DN for user "Andy_Taylor".
07:55:14.058 [http-nio-8080-exec-251] DEBUG o.a.g.a.r.RadiusConnectionService - Sending authentication
request to radius server for user Andy_Taylor.
07:55:14.102 [http-nio-8080-exec-251] DEBUG o.a.g.a.r.AuthenticationProviderService - RADIUS
sent challenge response: Please enter your otp value:
07:55:14.103 [http-nio-8080-exec-251] DEBUG o.a.g.a.r.AuthenticationProviderService - RADIUS
sent state: [B@3b5376ab
07:55:14.103 [http-nio-8080-exec-251] DEBUG o.a.g.a.r.f.RadiusChallengeResponseField - Initializing
the RADIUS challenge/response field: Please enter your otp value:
07:55:14.103 [http-nio-8080-exec-251] DEBUG o.a.g.a.f.FileAuthenticationProvider - User mapping
file "/etc/guacamole/user-mapping.xml" does not exist and will not be read.
07:55:14.103 [http-nio-8080-exec-251] WARN  o.a.g.r.auth.AuthenticationService - Authentication
attempt from [10.43.112.36, 0:0:0:0:0:0:0:1] for user "Andy_Taylor" failed.
{noformat}

I would guess that last part - authentication attempt failed - is what's causing the JSON
response to be INVALID_CREDENTIALS instead of INSUFFICIENT_CREDENTIALS, just not sure at the
moment why it's throwing that.  Maybe I'll unload some of the other authentication modules
that are in my extensions folder and see if that helps. 

> Implement Support for RADIUS Authentication
> -------------------------------------------
>
>                 Key: GUACAMOLE-197
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole, guacamole-client
>    Affects Versions: 0.9.11-incubating
>            Reporter: Nick Couchman
>            Priority: Minor
>
> Working on implementing a RADIUS authentication module - guacamole-auth-radius.  The
basic implementation is completed - with a basic PAP or CHAP RADIUS server, the authentication
succeeds and the user is logged in.
> I'm running into an issue, though, trying to implement Challenge/Response in RADIUS.
 I have my RADIUS server configured to talk to LinOTP for MFA/2FA, and RADIUS sends the AccessChallenge
package back, asking for the second factor.  My issue is in my continual failure to grasp
the connection between the servlet side and the AngularJS web application.  I've copied the
Duo authentication code and tried to morph it into something that will present another box
for the RADIUS challenge, but I can't get my controller function to actually fire.
> Once that is working, I'd like to support other RADIUS authentication protocols, like
EAP-TLS and EAP-TTLS, so there's a little more work to be done, but right now I'm focusing
on the basic protocols and the challenge/response.
> Will have a repo posted here in a moment for working on this.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message