Here is some additional information about the issue I am seeing with CAS
not accepting Duo bypass.
Here are the responses from Duo for each kind of authentication.
Bypass (Not Working)
2018-08-15 09:12:38,663 DEBUG [BaseDuoSecurityAuthenticationService] - <
Contacting Duo to inquire about username [klintduotest]>
2018-08-15 09:12:38,921 DEBUG [BaseDuoSecurityAuthenticationService] - <
Received Duo admin response [{"response": {"result": "allow", "status_msg":
"Logging
you in automatically..."}, "stat": "OK"}]>
2018-08-15 09:12:38,921 DEBUG [DefaultDuoMultifactorAuthenticationProvider]
- <Found duo user account status [org.apereo.cas.adaptors.duo.
DuoUserAccount@49754dc2[status=ALLOW,enrollPortalUrl=<null>]] for [
klintduotest]>
2018-08-15 09:12:38,921 DEBUG [DefaultDuoMultifactorAuthenticationProvider]
- <Account status is set for allow/bypass for [klintduotest]>
Normal User not in bypass by Duo:
2018-08-15 09:13:27,126 DEBUG [BaseDuoSecurityAuthenticationService] - <
Contacting Duo to inquire about username [klintholmes]>
2018-08-15 09:13:27,222 DEBUG [BaseDuoSecurityAuthenticationService] - <
Received Duo admin response [{"response": {"devices": REMOVED}>
2018-08-15 09:13:27,222 DEBUG [DefaultDuoMultifactorAuthenticationProvider]
- <Found duo user account status [org.apereo.cas.adaptors.duo.
DuoUserAccount@a0af2d9[status=AUTH,enrollPortalUrl=<null>]] for [klintholmes
]>
2018-08-15 09:13:27,222 DEBUG [BaseDuoSecurityAuthenticationService] - <
Contacting Duo to inquire about username [klintholmes]>
2018-08-15 09:13:27,335 DEBUG [BaseDuoSecurityAuthenticationService] - <
Received Duo admin response [{"response": {"devices": REMOVED}>
2018-08-15 09:13:27,335 DEBUG [DefaultDuoMultifactorAuthenticationProvider]
- <Found duo user account status [org.apereo.cas.adaptors.duo.
DuoUserAccount@5e565608[status=AUTH,enrollPortalUrl=<null>]] for [
klintholmes]>
2018-08-15 09:13:27,336 DEBUG [BaseDuoSecurityAuthenticationService] - <
Contacting Duo to inquire about username [klintholmes]>
2018-08-15 09:13:27,424 DEBUG [BaseDuoSecurityAuthenticationService] - <
Received Duo admin response [{"response": {"devices": REMOVED}>
2018-08-15 09:13:39,281 DEBUG [BasicDuoSecurityAuthenticationService] - <
Calling DuoWeb.verifyResponse with signed request token
'[AUTH|REMOVED|REMOVED|REMOVED|REMOVED'>
2018-08-15 09:13:39,281 DEBUG [DuoAuthenticationHandler] - <Response from
Duo verify: [klintholmes]>
2018-08-15 09:13:39,281 INFO [DuoAuthenticationHandler] - <Successful Duo
authentication for [klintholmes]>
2018-08-15 09:13:39,281 INFO [PolicyBasedAuthenticationManager] - <
Authenticated principal [klintholmes] with attributes [{}] via credentials
[[[username=klintholmes,signedDuoResponse=AUTH|REMOVED|REMOVED|REMOVED|
REMOVED]]].>
On Tuesday, August 14, 2018 at 9:42:54 AM UTC-6, Klint Holmes wrote:
>
> I am seeing an issue in CAS version 5.2.4 and above. I was not seeing the
> issue in version 5.0.5 which I upgraded from.
> If a user is in bypass on the Duo website, CAS returns and error about
> INVALID_AUTHENTICATION_CONTEXT, but if the it should just let the user
> throgh.
>
>
> CAS Info:
>
> CAS Version: 5.2.4
> CAS Commit Id: 67d7e128955437619534b5af4819f2379b934353
> CAS Build Date/Time: 2018-04-13T21:46:16Z
> Spring Boot Version: 1.5.12.RELEASE
> ------------------------------------------------------------
> Java Home: /usr/lib/jvm/java-8-openjdk-amd64/jre
> Java Vendor: Oracle Corporation
> Java Version: 1.8.0_181
> JVM Free Memory: 95 MB
> JVM Maximum Memory: 990 MB
> JVM Total Memory: 213 MB
> JCE Installed: Yes
> ------------------------------------------------------------
> OS Architecture: amd64
> OS Name: Linux
> OS Version: 4.4.0-130-generic
> OS Date/Time: 2018-08-14T09:22:13.889
> OS Temp Directory: /tmp/tomcat8-tomcat8-tmp
> ------------------------------------------------------------
>
>
> Here are the logs of a login of a user that is in bypass on the Duo side:
>
> 2018-08-14 09:23:09,480 INFO [PolicyBasedAuthenticationManager] - <
> Authenticated principal [klintduotest] with attributes [{displayName=[
> klintduotest], GOBTPAC_EXTERNAL_USER=[klintduotest], memberOf=[CN=
> auth_duoOU=groups,DC=example,DC=com], msDS-UserPasswordExpiryTimeComputed
> =[132094270306397245], pwdLastSet=[131778046306397245], sAMAccountName=[
> klintduotest]}] via credentials [[klintduotest]].>
> 2018-08-14 09:23:09,481 INFO [Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: klintduotest
> WHAT: Supplied credentials: [klintduotest]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Tue Aug 14 09:23:09 MDT 2018
> CLIENT IP ADDRESS: 192.168.1.176
> SERVER IP ADDRESS: 192.168.1.25
> =============================================================
>
> >
> 2018-08-14 09:23:09,786 INFO [Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: klintduotest
> WHAT: [event=mfa-duo,timestamp=Tue Aug 14 09:23:09 MDT 2018,source=
> RegisteredServicePrincipalAttributeMultifactorAuthenticationPolicyEventResolver
> ]
> ACTION: AUTHENTICATION_EVENT_TRIGGERED
> APPLICATION: CAS
> WHEN: Tue Aug 14 09:23:09 MDT 2018
> CLIENT IP ADDRESS: 192.168.1.176
> SERVER IP ADDRESS: 192.168.1.25
> =============================================================
>
> >
> 2018-08-14 09:23:10,198 INFO [Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: klintduotest
> WHAT: TGT-1-*********************************************************
> H4tIURR-L4-te-casdev1
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Tue Aug 14 09:23:10 MDT 2018
> CLIENT IP ADDRESS: 192.168.1.176
> SERVER IP ADDRESS: 192.168.1.25
> =============================================================
>
> >
> 2018-08-14 09:23:10,255 INFO [DefaultCentralAuthenticationService] - <
> Granted ticket [ST-1-Fetae-ngqx0SA86AFbVFmdkssFM-te-casdev1] for service [
> https://hadoopdev1.weber.edu/casdev1/] and principal [klintduotest]>
> 2018-08-14 09:23:10,256 INFO [Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: klintduotest
> WHAT: ST-1-Fetae-ngqx0SA86AFbVFmdkssFM-te-casdev1 for
> https://hadoopdev1.weber.edu/casdev1/
> ACTION: SERVICE_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Tue Aug 14 09:23:10 MDT 2018
> CLIENT IP ADDRESS: 192.168.1.176
> SERVER IP ADDRESS: 192.168.1.25
> =============================================================
>
> >
> 2018-08-14 09:23:10,382 INFO [Slf4jLoggingAuditTrailManager] - <Audit
> trail record BEGIN
> =============================================================
> WHO: klintduotest
> WHAT: ST-1-Fetae-ngqx0SA86AFbVFmdkssFM-te-casdev1
> ACTION: SERVICE_TICKET_VALIDATED
> APPLICATION: CAS
> WHEN: Tue Aug 14 09:23:10 MDT 2018
> CLIENT IP ADDRESS: 192.168.1.35
> SERVER IP ADDRESS: 192.168.1.25
> =============================================================
>
> >
> 2018-08-14 09:23:10,393 WARN [DefaultAuthenticationContextValidator] - <No
> satisfied multifactor authentication providers are recorded in the
> current authentication context.>
>
>
> CAS Response:
>
> <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
> <cas:authenticationFailure code="INVALID_AUTHENTICATION_CONTEXT">The
> validation request for
> ['ST-1-Fetae-ngqx0SA86AFbVFmdkssFM-te-casdev1'] cannot be
> satisfied. The request is either unrecognized or unfulfilled.
> </cas:authenticationFailure>
> </cas:serviceResponse>
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/da14def1-0f72-4d2b-8e99-c38a327769e8%40apereo.org.
