Hi Christian,
We have been using LDAP + CAS for a long time. Recently we wanted to add
two-factor authentication (LDAP + Radius-mfa).
LDAP authentication is OK, but it redirects to the login success page
without showing the Radius token password page.
Can you help check my configuration? Thx
application.properties:
cas.authn.mfa.radius.server.nasPortId=-1
cas.authn.mfa.radius.server.nasRealPort=-1
cas.authn.mfa.radius.server.protocol=EAP_MSCHAPv2
cas.authn.mfa.radius.server.retries=3
cas.authn.mfa.radius.server.nasPortType=-1
cas.authn.mfa.radius.server.nasPort=-1
cas.authn.mfa.radius.server.nasIpAddress=
cas.authn.mfa.radius.server.nasIpv6Address=
cas.authn.mfa.radius.server.nasIdentifier=-1
cas.authn.mfa.radius.client.authenticationPort=1812
cas.authn.mfa.radius.client.sharedSecret=xxxxxx
cas.authn.mfa.radius.client.socketTimeout=0
cas.authn.mfa.radius.client.inetAddress=172.x.x.x
cas.authn.mfa.radius.client.accountingPort=1813
cas.authn.radius.failoverOnException=false
cas.authn.radius.failoverOnAuthenticationFailure=false
pom.xml:
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-radius-mfa</artifactId>
    <version>5.3.0-RC4</version>
</dependency>
On Thursday, July 19, 2018 at 2:52:01 PM UTC+8, Christian Blich wrote:
>
> We are trying to upgrade our CAS from version 2.0 to 5.2 / 5.3 and have
> LDAP authentication up and running, and have Radius working as well, but
> CAS will first ask for username and password to log in to the LDAP, then
> ask for the same password to call Radius, and then the SMS code. The middle
> step is the one we want to get rid of. So is it possible to make the login to
> the Radius reuse the username and password from LDAP?
>
> In the end we want one of the following combinations:
>
> 1. LDAP authentication for username and password, then Radius OTP SMS
> password when the risk is at a certain level.
> 2. Radius authentication and then enrich the user login with info from
> LDAP, but it doesn't look like the Radius is receiving other information on
> the user other than username and password.
>
>
> The reason is that we want to use SMS as a two-factor validation in risk
> situations, e.g. when somebody has given out their username and password in
> phishing attempts. But in general we want the LDAP to be the login
> validator. We already use a supplier with Radius to handle our VPN login
> with multifactor, but for test purposes have made our own simple Radius
> server.
>
>
>
>