Nick hey thanks for the info.  In the past I have done LDAP/Radius for 2FA so I was going off of history.  If we can make it work that’s awesome.  The reason I am citing multiOTP is I have it setup in my environment already for some simple 2FA.  I would prefer my users to not have to have another token to auth Guacamole.  By using multiOTP they have one token to auth into the whole environment.  I will dig up some more information on multiOTP and see if I can find any documentation on the radius module.  I am running bleeding edge.  I installed it last night and it seems to be working ok. 






From: Nick Couchman []
Sent: Friday, April 6, 2018 9:40 AM
Subject: Re: Extension Questions


On Fri, Apr 6, 2018 at 8:59 AM, Fertig, Brian <> wrote:



  Im looking to setup Guacamole for 2FA.  I have setup multiOTP and would like to see if its possible to have Guacamole use LDAP for user component and then multiOTP (radius) for the 2nd factor piece.  Is this possible?  Can someone direct me to documentation on how to setup the environment this way?   I have the documentation for LDAP just looking for radius/TOTP documentation.



The RADIUS extension has not been officially released, yet, so the documentation is not on the web site.  You can check out the latest guacamole-client git repo and build it with the "-Plgpl-extensions" flag to build the RADIUS module.  If you do that you'll also need to check out the latest guacamole-server code and build and use that.  We're actively working toward a 1.0.0 release, which will include this (and many, many more) changes.  If you need the documentation for the RADIUS module you'll need to check out the guacamole-manual git repo and build that manual, and you can find the documentation for RADIUS.


However, I will caution that, based on what you've said, I don't think LDAP + RADIUS is actually what you want to do.  The way I tested 2FA with RADIUS in Guacamole was using LinOTP + FreeRADIUS, and the authentication was done entirely through RADIUS.  If you're looking to add a second factor to LDAP authentication for Guacamole, and you want to do it through something like multiOTP, you probably want to set up multiOTP to authenticate first with LDAP and then move on to the second factor - if you rely on Guacamole to do both LDAP and RADIUS, LDAP is going to succeed and log the user in and won't know to move on to RADIUS.


Alternatively you can use the recently-merged guacamole-auth-totp module to do this inside Guacamole, and you should be able to layer the modules such that LDAP can do the primary authentication and then the TOTP module will prompt for the second factor.  I think Mike is still working documentation for this module, so you'll have to go back through the mailing list and find documentation on how to use it, but it should eliminate the need to do RADIUS authentication for Guacamole unless you're using RADIUS for other stuff in your environment.



The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.