From SergeyKh <mail4ser...@gmail.com>
Subject Re: two factor auth
Date Mon, 12 Nov 2018 15:19:55 GMT
Currently, in order for 2FA to work in Guacamole, either one of two things
needs to happen:
1) A module has to specifically be written to intercept the authentication
process and force the second factor.  The TOTP module, which will be
released in 1.0.0, is designed to do exactly that, as does the
already-released Duo module.
2) The module doing the authentication has to handle some sort of
Challenge/Response conversation, where initial authentication is accepted
and additional factors are then given to the user.  The RADIUS
authentication module is currently the only one that will handle this.

But how can I enable those extensions? Maven built a jar for the TOTP extension, but
I can see no man pages on how to use it. Are there any?
And there is no jar at all for the RADIUS extension, and also no documentation.... or
I just could not find it....



Sat, 10 Nov 2018 at 16:33, Nick Couchman <vnick@apache.org>:

> On Sat, Nov 10, 2018 at 2:43 AM SergeyKh <mail4sergey@gmail.com> wrote:
>
>> I've already got several OTP servers that can be accessed by RADIUS and
>> I've got AD (LDAP) that also can be accessed by RADIUS. The question was how
>> to enable 2FA in Guacamole so it could ask two passwords for one login from
>> two different RADIUS services.
>>
>
> Sure, I understand, but trying to authenticate Guacamole from two
> different RADIUS services is currently not possible.  The way to accomplish
> this at this point in time is to have RADIUS handle the entire
> authentication process for you, including the challenge/response (second
> factor).
>
> It might be possible to set up FreeRADIUS to front the other two RADIUS
> services (almost like a proxy) and handle the initial authentication to AD
> and then challenge/response to your 2FA RADIUS, but I've never tried to do
> that, so I can't comment on the difficulty of that configuration.
>
>
>>
>> I think that is the perfect way to have an authorization process. Cisco ASA,
>> Citrix NetScaler, VMware Horizon Connection Server can do it this way and
>> so on. I know it's all enterprise products that cost a lot, but the logic
>> is simple and it works very well, so it would be just wonderful if there is
>> a way to do it in Guacamole, because Guacamole is just unbelievably good.
>>
>
> Currently, in order for 2FA to work in Guacamole, either one of two things
> needs to happen:
> 1) A module has to specifically be written to intercept the authentication
> process and force the second factor.  The TOTP module, which will be
> released in 1.0.0, is designed to do exactly that, as does the
> already-released Duo module.
> 2) The module doing the authentication has to handle some sort of
> Challenge/Response conversation, where initial authentication is accepted
> and additional factors are then given to the user.  The RADIUS
> authentication module is currently the only one that will handle this.
>
>
>>
>> By the way, LinOTP does not have easy RADIUS integration. Rcdevs (free for
>> 40 users) does and works well, and it's got push to its own mobile app.
>>
>>
> Actually, from experience, configuring RADIUS to authenticate from LinOTP
> is relatively easy.  I've set it up three separate times, including once in
> a 500-employee production environment, and, while I will admit it isn't
> without its gotchas, it isn't all that difficult.  Furthermore, LinOTP +
> FreeRADIUS is completely open source and free for as many users as you'd
> like.  LinOTP also has appliance-type options you can purchase from them
> that have all of that functionality integrated if you aren't up to doing it
> yourself.  I'm not familiar at all with Rcdevs, so I cannot comment on
> that, but I have real-world experience with LinOTP + FreeRADIUS and it
> didn't take very much work to get it going.
>
> However, I do understand if you already have your existing RADIUS
> environment configured that ripping and replacing may not be an option.  I
> was just offering an alternative that I have personally implemented and
> know works well.
>
> -Nick
>
>>
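
As an added illustration of the challenge/response path described in point 2 above (example code, not from this thread and not Guacamole's or FreeRADIUS's own implementation), the following Python models the RADIUS Access-Request / Access-Challenge / Access-Request-with-State / Access-Accept conversation: the password is checked first, the server answers with an opaque, one-shot State attribute, and the client must echo it back together with a TOTP code. The user name, password and OTP seed are constructed for the demo; the seed is the RFC 6238 test-vector seed.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed demo credential store; a real deployment would check the password
# against AD/LDAP and the OTP against the OTP server, both fronted by RADIUS.
PASSWORDS = {"alice": "correct horse"}
TOTP_SEEDS = {"alice": b"12345678901234567890"}  # RFC 6238 test-vector seed


def totp(seed: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a Unix timestamp."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class RadiusChallengeServer:
    """Models a RADIUS server that accepts the password, then challenges for an OTP."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}  # State attribute -> (user, issued_at)

    def access_request(self, user: str, password: str, state=None) -> dict:
        if state is None:
            # Step 1: first factor only. Success yields Access-Challenge, never Access-Accept.
            expected = PASSWORDS.get(user, "").encode()
            if not hmac.compare_digest(password.encode(), expected):
                return {"code": "Access-Reject"}
            state = secrets.token_bytes(16)
            self.pending[state] = (user, self.now())
            return {"code": "Access-Challenge", "State": state, "Reply-Message": "Enter OTP"}
        # Step 2: client echoes State and sends the OTP in User-Password.
        entry = self.pending.pop(state, None)  # one-shot: a State cannot be replayed
        if entry is None or entry[0] != user or self.now() - entry[1] > 60:
            return {"code": "Access-Reject"}  # unknown, foreign, or expired State
        t = int(self.now())
        window = [totp(TOTP_SEEDS.get(user, b""), t + d * 30) for d in (-1, 0, 1)]
        if any(hmac.compare_digest(password.encode(), v.encode()) for v in window):
            return {"code": "Access-Accept"}  # one step of clock drift tolerated
        return {"code": "Access-Reject"}


def run_exchange(server: RadiusChallengeServer, user: str, password: str, otp: str) -> str:
    """Client side of the two-step conversation; returns the final RADIUS code."""
    first = server.access_request(user, password)
    if first["code"] != "Access-Challenge":
        return first["code"]
    return server.access_request(user, otp, state=first["State"])["code"]
```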
