guacamole-user mailing list archives

From SergeyKh <mail4ser...@gmail.com>
Subject Re: two factor auth
Date Thu, 15 Nov 2018 08:47:23 GMT
Mike, thanks.
But now I need your help...

I've configured Guacamole's RADIUS extension to communicate with a FreeRADIUS
proxy as described here -
https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy
so the additional FreeRADIUS asks for the login/password from my AD via LDAP and
then it asks for the OTP from my RcDevs OTP server via RADIUS. And it works! I can
see success-auth logs everywhere,
and even catalina.out tells me:
 [http-nio-8080-exec-4] INFO  o.a.g.r.auth.AuthenticationService - User
"my-ad-login-name-here" successfully authenticated from my-ip-address
But my browser says:
An error has occurred and this action cannot be completed. If the problem
persists, please notify your system administrator or check your system logs.
So what system logs should I check?

PS: I do not have an SQL server configured, so I do not have any connections.
But it was not a problem when I was playing with the ldap-auth-extension.

On Mon, 12 Nov 2018 at 19:23, Mike Jumper <mjumper@apache.org> wrote:

> On Mon, Nov 12, 2018, 08:02 SergeyKh <mail4sergey@gmail.com> wrote:
>
>> Oh, I see. Thank you very much.
>> Do you have any plans to make some kind of flexible authorization that
>> could use one or two authorization sources like RADIUS?
>> ldap+radius or radius+radius or local-sql+radius?
>>
>
> Guacamole does already do this. Once the user has been authenticated, each
> extension is polled to authorize that user for the resources provided by
> that extension, if any. There can be only one source of identity, but all
> other extensions have the option to further verify, ignore, or veto that
> identification.
>
> Based on your past emails to this list, I don't think what you're looking
> for is multiple sources of authorization (which Guacamole does provide) or
> multiple sources of authentication (which Guacamole also provides), but
> rather allowing RADIUS to function as an additional authentication factor
> rather than the first factor.
>
> There are no current plans to modify the RADIUS support to allow it to
> function as an additional factor on top of other authentication mechanisms.
> If this truly is a standard arrangement - RADIUS serving as a
> second/third/etc. factor on top of whatever source has provided the base
> authentication, then I'm sure there will be such plans, though we'd need to
> see some documentation of that standard use. I'm not personally familiar
> enough with RADIUS to judge either way at the moment.
>
> - Mike
>
>
