guacamole-user mailing list archives

From "Fertig, Brian" <brian.fer...@philips.com>
Subject RE: Extension Questions
Date Fri, 06 Apr 2018 17:11:55 GMT
Nick, hey, thanks for the info.  In the past I have done LDAP/Radius for 2FA so I was going off
of history.  If we can make it work that’s awesome.  The reason I am citing multiOTP is
I have it set up in my environment already for some simple 2FA.  I would prefer my users to
not have to have another token to auth Guacamole.  By using multiOTP they have one token to
auth into the whole environment.  I will dig up some more information on multiOTP and see
if I can find any documentation on the radius module.  I am running bleeding edge.  I installed
it last night and it seems to be working ok.


Brian


From: Nick Couchman [mailto:vnick@apache.org]
Sent: Friday, April 6, 2018 9:40 AM
To: user@guacamole.apache.org
Subject: Re: Extension Questions

On Fri, Apr 6, 2018 at 8:59 AM, Fertig, Brian <brian.fertig@philips.com> wrote:
Greetings!

  I'm looking to set up Guacamole for 2FA.  I have set up multiOTP and would like to see if it's
possible to have Guacamole use LDAP for user component and then multiOTP (radius) for the
2nd factor piece.  Is this possible?  Can someone direct me to documentation on how to set up
the environment this way?   I have the documentation for LDAP, just looking for radius/TOTP
documentation.


The RADIUS extension has not been officially released, yet, so the documentation is not on
the web site.  You can check out the latest guacamole-client git repo and build it with the
"-Plgpl-extensions" flag to build the RADIUS module.  If you do that you'll also need to check
out the latest guacamole-server code and build and use that.  We're actively working toward
a 1.0.0 release, which will include this (and many, many more) changes.  If you need the documentation
for the RADIUS module you'll need to check out the guacamole-manual git repo and build that
manual, and you can find the documentation for RADIUS.

However, I will caution that, based on what you've said, I don't think LDAP + RADIUS is actually
what you want to do.  The way I tested 2FA with RADIUS in Guacamole was using LinOTP + FreeRADIUS,
and the authentication was done entirely through RADIUS.  If you're looking to add a second
factor to LDAP authentication for Guacamole, and you want to do it through something like
multiOTP, you probably want to set up multiOTP to authenticate first with LDAP and then move
on to the second factor - if you rely on Guacamole to do both LDAP and RADIUS, LDAP is going
to succeed and log the user in and won't know to move on to RADIUS.

Alternatively you can use the recently-merged guacamole-auth-totp module to do this inside
Guacamole, and you should be able to layer the modules such that LDAP can do the primary authentication
and then the TOTP module will prompt for the second factor.  I think Mike is still working on
documentation for this module, so you'll have to go back through the mailing list and find
documentation on how to use it, but it should eliminate the need to do RADIUS authentication
for Guacamole unless you're using RADIUS for other stuff in your environment.

-Nick
