guacamole-user mailing list archives

From Mike Jumper <>
Subject Re: Radius
Date Tue, 17 Apr 2018 19:07:43 GMT
On Tue, Apr 17, 2018 at 7:08 AM, Nick Couchman <> wrote:

> On Tue, Apr 17, 2018 at 12:15 AM, Mike Jumper <>
> wrote:
>> On Mon, Apr 16, 2018 at 7:27 PM, Fertig, Brian <>
>> wrote:
>>> Mike,
>>>   Once again you and your team are awesome!
>> Thanks, but to be clear: Apache Guacamole is developed by a community,
>> not by any individual's team.
>>> So I have mysql then failover to radius setup for authentication.  By
>>> leaving mysql 1st and the user trying to authenticate it's not going to
>>> cause conflicts is it?
>> No, this shouldn't conflict. All extensions will be polled during the
>> authentication process. If any authentication attempt succeeds, that
>> successful attempt is used to identify the user to all other installed
>> extensions. If all attempts fail, then the first failed attempt determines
>> the nature of the login screen presented to the user.
> I did see an issue, at one point, where the RADIUS module needed to be
> loaded before other modules in order to work.  I don't remember the
> specific circumstances, but it seems like if authentication failed for a
> user in one of the previous modules the RADIUS module would not even be
> evaluated.  I don't know if this is a bug that should be addressed or just
> an artifact of how the module stacking works with RADIUS, but, if you run
> into issues with this, you might try renaming the RADIUS authentication
> module and reloading Guacamole Client (Tomcat) so that it loads the RADIUS
> module, first.  In my case, I just put a 0 in front of radius -
> guacamole-auth-0-radius.jar - to force it to authenticate with that
> extension before the others.

I'm not sure what might be happening to produce that result. The relevant
code handling that part of the auth process is:

Each auth provider is tried, in order, with any successful result
overriding the error results of all other auth providers. If no result is
successful, then the first authentication-related exception is rethrown,
defaulting to a standard username/password prompt if there aren't any
explicit failures.

Any non-authentication exception will immediately halt the process, though.

- Mike
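
The polling order described in the message above, as an added example that is not part of the original message and is not Guacamole's own code: a small Java model in which a later success overrides earlier failures, the first authentication failure is rethrown when nothing succeeds, and any other exception halts the loop. The class, interface and exception names are hypothetical, as is the convention that a provider returns null when it does not recognise the user.

```java
import java.util.List;

// Hypothetical model of the polling described above; these names are
// illustrative and are not Guacamole's real classes or API.
public class AuthPollingSketch {
    // Authentication-related failure (bad or missing credentials).
    static class CredentialsFailure extends Exception {
        CredentialsFailure(String msg) { super(msg); }
    }

    // One installed extension: returns an identity, returns null, or throws.
    interface Provider {
        String authenticate(String user, String pass) throws Exception;
    }

    static String authenticate(List<Provider> providers, String user, String pass)
            throws Exception {
        CredentialsFailure firstFailure = null;
        for (Provider p : providers) {
            try {
                String identity = p.authenticate(user, pass);
                if (identity != null)
                    return identity;          // success overrides earlier failures
            } catch (CredentialsFailure e) {
                if (firstFailure == null)
                    firstFailure = e;         // only the first failure is remembered
            }
            // Any other exception is not caught: it halts the loop immediately.
        }
        if (firstFailure != null)
            throw firstFailure;               // decides the login screen shown
        throw new CredentialsFailure("default username/password prompt");
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample providers, not real extensions.
        Provider mysql  = (u, p) -> { throw new CredentialsFailure("mysql: unknown user"); };
        Provider radius = (u, p) -> "radius:" + u;
        Provider broken = (u, p) -> { throw new IllegalStateException("backend down"); };

        // MySQL rejects, RADIUS accepts: the later success wins.
        System.out.println(authenticate(List.of(mysql, radius), "alice", "pw"));
        // A non-authentication error in an earlier provider stops everything.
        try {
            authenticate(List.of(broken, radius), "alice", "pw");
        } catch (IllegalStateException e) {
            System.out.println("halted before RADIUS: " + e.getMessage());
        }
    }
}
```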
