guacamole-user mailing list archives

From Nick Couchman <>
Subject Re: two factor auth
Date Sat, 10 Nov 2018 13:33:36 GMT
On Sat, Nov 10, 2018 at 2:43 AM SergeyKh <> wrote:

> I've already got several otp servers that can be accessed by radius and
> I've got AD(ldap) that also can be accessed by radius. The question was how
> to enable 2fa in guacamole so it could ask two passwords for one login from
> two different radius services.

Sure, I understand, but trying to authenticate Guacamole from two
different RADIUS services is currently not possible.  The way to accomplish
this at this point in time is to have RADIUS handle the entire
authentication process for you, including the challenge/response (second

It might be possible to set up FreeRADIUS to front the other two RADIUS
services (almost like a proxy) and handle the initial authentication to AD
and then challenge/response to your 2FA RADIUS, but I've never tried to do
that, so I can't comment on the difficulty of that configuration.

> I think that is the perfect way to have authorization process. Cisco asa,
> citrix netscaler, vmware horizon connection server can do it this way and
> so on. I know it's all enterprise products that cost a lot but the logic
> is simple and it works very well so it would be just wonderful if there is
> the way to do it in guacamole because guacamole is just unbelievably good.

Currently, in order for 2FA to work in Guacamole, either one of two things
needs to happen:
1) A module has to specifically be written to intercept the authentication
process and force the second factor.  The TOTP module, which will be
released in 1.0.0, is designed to do exactly that, as does the
already-released Duo module.
2) The module doing the authentication has to handle some sort of
Challenge/Response conversation, where initial authentication is accepted
and additional factors are then given to the user.  The RADIUS
authentication module is currently the only one that will handle this.

> By the way linotp does not have easy radius integration. Rcdevs (free for
> 40 users) does and works well and it's got push to its own mobile app.

Actually, from experience, configuring RADIUS to authenticate from LinOTP
is relatively easy.  I've set it up three separate times, including once in
a 500-employee production environment, and, while I will admit it isn't
without its gotchas, it isn't all that difficult.  Furthermore, LinOTP +
FreeRADIUS is completely open source and free for as many users as you'd
like.  LinOTP also has appliance-type options you can purchase from them
that have all of that functionality integrated if you aren't up to doing it
yourself.  I'm not familiar at all with Rcdevs, so I cannot comment on
that, but I have real-world experience with LinOTP + FreeRADIUS and it
didn't take very much work to get it going.

However, I do understand if you already have your existing RADIUS
environment configured that ripping and replacing may not be an option.  I
was just offering an alternative that I have personally implemented and
know works well.


