See,
https://apereo.github.io/cas/6.0.x/mfa/Configuring-Multifactor-Authentication.html#failure-mode-by-registered-service
for an example.
If you use the service management application, there is a tab for MFA.
Ray
On Thu, 2019-06-20 at 18:06 -0700, 李朝林 wrote:
Hi robin
How to set MFA for my service(s)? Set CAS configuration or radius device?
Thx!
On Thursday, June 20, 2019 at 11:21:16 PM UTC+8, rbon wrote:
You also have to set MFA for your service(s).
Ray
On Wed, 2019-06-19 at 18:21 -0700, 李朝林 wrote:
Hi Christian:
We have been using LDAP + CAS for a long time. Recently we wanted to add
two-factor authentication (LDAP + Radius-mfa).
But LDAP authentication is OK, redirecting to the login success page, without
showing the Radius token password page?
Can you help check my configuration? Thx
application.properties:
cas.authn.mfa.radius.server.nasPortId=-1
cas.authn.mfa.radius.server.nasRealPort=-1
cas.authn.mfa.radius.server.protocol=EAP_MSCHAPv2
cas.authn.mfa.radius.server.retries=3
cas.authn.mfa.radius.server.nasPortType=-1
cas.authn.mfa.radius.server.nasPort=-1
cas.authn.mfa.radius.server.nasIpAddress=
cas.authn.mfa.radius.server.nasIpv6Address=
cas.authn.mfa.radius.server.nasIdentifier=-1
cas.authn.mfa.radius.client.authenticationPort=1812
cas.authn.mfa.radius.client.sharedSecret=xxxxxx
cas.authn.mfa.radius.client.socketTimeout=0
cas.authn.mfa.radius.client.inetAddress=172.x.x.x
cas.authn.mfa.radius.client.accountingPort=1813
cas.authn.radius.failoverOnException=false
cas.authn.radius.failoverOnAuthenticationFailure=false
pom.xml
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-radius-mfa</artifactId>
    <version>5.3.0-RC4</version>
</dependency>
On Thursday, July 19, 2018 at 2:52:01 PM UTC+8, Christian Blich wrote:
We are trying to upgrade our CAS from version 2.0 to 5.2 / 5.3 and have LDAP
authentication up and running, and have Radius working as well, but CAS will
first ask for username and password to log in to the LDAP, then ask for the
same password to call Radius, and then the SMS code. The middle step we want to
get rid of. So is it possible to make the login to the radius reuse the
username and password from LDAP?
In the end we want one of the following combinations:
1. LDAP authentication for username and password, then Radius OTP SMS password
when the risk is at a certain level.
2. Radius authentication and then enrich the user login with info from LDAP,
but it doesn't look like the Radius is receiving other information on the user
other than username and password.
The reason is that we want to use SMS as a two-factor validation in risk
situations, when f.ex. somebody has given out their username and password in
phishing attempts. But in general we want the LDAP to be the login validator.
We already use a supplier with radius to handle our VPN login with multifactor,
but for test purposes have made our own simple radius server.
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
I respectfully acknowledge that my place of work is located within the
ancestral, traditional and unceded territory of the Songhees, Esquimalt and
WSÁNEĆ Nations.
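
Added example, not part of the original thread and not CAS project code: a small audit over CAS JSON service definitions that flags services with no RADIUS MFA trigger, which is the symptom described above (primary login succeeds and the token page never appears). The sample services are constructed, "mfa-radius" is assumed to be the provider's default id, and the check assumes per-service policy is the only MFA trigger in use.

```python
import json

RADIUS_PROVIDER = "mfa-radius"  # assumed default id of the CAS RADIUS MFA provider

# Constructed sample definitions (names, ids and URLs are made up).
SAMPLE_SERVICES = [
    '''{"@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^https://app1.example.org/.*", "name": "app1", "id": 1001,
        "multifactorPolicy": {
          "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
          "multifactorAuthenticationProviders": ["java.util.LinkedHashSet", ["mfa-radius"]],
          "failureMode": "CLOSED"}}''',
    '''{"@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^https://app2.example.org/.*", "name": "app2", "id": 1002}''',
    '''{"@class": "org.apereo.cas.services.RegexRegisteredService",
        "serviceId": "^https://app3.example.org/.*", "name": "app3", "id": 1003,
        "multifactorPolicy": {
          "@class": "org.apereo.cas.services.DefaultRegisteredServiceMultifactorPolicy",
          "multifactorAuthenticationProviders": ["java.util.LinkedHashSet", ["mfa-radius"]],
          "failureMode": "OPEN"}}''',
]


def providers_of(policy):
    """Return provider ids, unwrapping CAS's ["java.type", [values]] encoding."""
    raw = policy.get("multifactorAuthenticationProviders", [])
    if len(raw) == 2 and isinstance(raw[1], list):
        raw = raw[1]
    return set(raw)


def audit(service_json):
    """Return (service name, list of findings) for one service definition."""
    svc = json.loads(service_json)
    policy = svc.get("multifactorPolicy") or {}
    findings = []
    if RADIUS_PROVIDER not in providers_of(policy):
        findings.append("no RADIUS MFA trigger: login completes after the primary factor")
    elif policy.get("failureMode") != "CLOSED":
        findings.append("failureMode is not CLOSED: review behaviour when RADIUS is unreachable")
    return svc["name"], findings


if __name__ == "__main__":
    for definition in SAMPLE_SERVICES:
        name, findings = audit(definition)
        print(name, "OK" if not findings else "; ".join(findings))
```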