cas.authn.mfa.radius.client.inetAddress=127.0.0.1 Test is OK
cas.authn.mfa.radius.client.inetAddress=127.0.0.2 Test is OK
cas.authn.mfa.radius.client.inetAddress=127.0.0.1,127.0.0.2 I encountered a
"host or service name not found" exception.
At the same time I read the CAS source code, and I can't find where
'cas.authn.mfa.radius.client.inetAddress' is parsed to create multiple radius services to
ensure failoverException; it just regards '127.0.0.1,127.0.0.2' as one radius
service address (5.3.4-RC):
@RefreshScope
@Bean
public List<RadiusServer> radiusTokenServers() {
    final List<RadiusServer> list = new ArrayList<>();
    final RadiusClientProperties client =
        casProperties.getAuthn().getMfa().getRadius().getClient();
    final RadiusServerProperties server =
        casProperties.getAuthn().getMfa().getRadius().getServer();
    // client.getInetAddress() is handed to the factory as a single string
    final RadiusClientFactory factory = new RadiusClientFactory(
        client.getAccountingPort(), client.getAuthenticationPort(),
        client.getSocketTimeout(), client.getInetAddress(),
        client.getSharedSecret());
    final RadiusProtocol protocol =
        RadiusProtocol.valueOf(server.getProtocol());
    final JRadiusServerImpl impl = new JRadiusServerImpl(protocol, factory,
        server.getRetries(),
        server.getNasIpAddress(), server.getNasIpv6Address(),
        server.getNasPort(), server.getNasPortId(),
        server.getNasIdentifier(), server.getNasRealPort());
    // exactly one server is added to the returned list
    list.add(impl);
    return list;
}
On Friday, July 19, 2019 at 12:04:55 AM UTC+8, rbon wrote:
>
> It looks like CAS is unable to connect/find those hosts.
> Could it be that only one address is allowed for the radius client?
>
> Remove one of the hosts and try again.
>
> If there is still a problem, then it is most likely a network/firewall
> issue.
>
> Ray
>
> On Wed, 2019-07-17 at 19:01 -0700, 李朝林 wrote:
>
> Hi, the debug log is as follows, thx!
> [image: 20190718095523.jpg]
>
>
>
> On Thursday, July 18, 2019 at 12:00:22 AM UTC+8, rbon wrote:
>
> Post some debug logs. Sometimes the problem is identified in another
> location.
>
> Ray
>
> On Wed, 2019-07-17 at 07:40 -0700, 李朝林 wrote:
>
> Ray, thanks very much. I encountered another problem: my system contains more
> addresses, and the configuration is as follows:
> cas.authn.mfa.radius.client.inetAddress=127.0.0.1,127.0.0.2
> The radius server fails to parse inetAddress: hostname not found exception
>
> On Friday, June 21, 2019 at 11:22:37 PM UTC+8, rbon wrote:
>
> See,
> https://apereo.github.io/cas/6.0.x/mfa/Configuring-Multifactor-Authentication.html#failure-mode-by-registered-service
>
> for an example.
> If you use the service management application, there is a tab for MFA.
>
> Ray
>
> On Thu, 2019-06-20 at 18:06 -0700, 李朝林 wrote:
>
>
> Hi robin
> How to set MFA for my service(s)? set cas configuration or radius
> device?
> Thx!
>
> On Thursday, June 20, 2019 at 11:21:16 PM UTC+8, rbon wrote:
>
> You also have to set MFA for your service(s).
>
> Ray
>
> On Wed, 2019-06-19 at 18:21 -0700, 李朝林 wrote:
>
> Hi Christian:
> We have been using LDAP + CAS for a long time. Recently we wanted to add
> two-factor authentication (LDAP + Radius-mfa).
> But LDAP authentication is OK, redirecting to the login success page,
> without showing the radius token password page?
> Can you help check my configuration? Thx
>
> application.properties:
>
> cas.authn.mfa.radius.server.nasPortId=-1
> cas.authn.mfa.radius.server.nasRealPort=-1
> cas.authn.mfa.radius.server.protocol=EAP_MSCHAPv2
> cas.authn.mfa.radius.server.retries=3
> cas.authn.mfa.radius.server.nasPortType=-1
> cas.authn.mfa.radius.server.nasPort=-1
> cas.authn.mfa.radius.server.nasIpAddress=
> cas.authn.mfa.radius.server.nasIpv6Address=
> cas.authn.mfa.radius.server.nasIdentifier=-1
>
> cas.authn.mfa.radius.client.authenticationPort=1812
> cas.authn.mfa.radius.client.sharedSecret=xxxxxx
> cas.authn.mfa.radius.client.socketTimeout=0
> cas.authn.mfa.radius.client.inetAddress=172.x.x.x
> cas.authn.mfa.radius.client.accountingPort=1813
>
> cas.authn.radius.failoverOnException=false
> cas.authn.radius.failoverOnAuthenticationFailure=false
>
> pom.xml
>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-ldap</artifactId>
>     <version>${cas.version}</version>
> </dependency>
> <dependency>
>     <groupId>org.apereo.cas</groupId>
>     <artifactId>cas-server-support-radius-mfa</artifactId>
>     <version>5.3.0-RC4</version>
> </dependency>
>
>
>
> On Thursday, July 19, 2018 at 2:52:01 PM UTC+8, Christian Blich wrote:
>
> We are trying to upgrade our CAS from version 2.0 to 5.2 / 5.3 and have
> LDAP authentication up and running, and have Radius working as well, but
> CAS will first ask for username and password to log in to the LDAP, then
> ask for the same password to call Radius, and then the SMS code. The middle step
> we want to get rid of. So is it possible to make the login to the radius
> reuse the username and password from LDAP?
>
> In the end we want one of the following combinations:
>
> 1. LDAP authentication for username and password, then Radius OTP SMS
> password when the risk is at a certain level.
> 2. Radius authentication and then enrich the user login with info from
> LDAP, but it doesn't look like the Radius is receiving other information on the
> user other than username and password.
>
>
> The reason is that we want to use SMS as a two-factor validation in risk
> situations, when, for example, somebody has given out their username and password in
> phishing attempts. But in general we want the LDAP to be the login
> validator. We already use a supplier with radius to handle our VPN login
> with multifactor, but for test purposes have made our own simple radius
> server.
>
>
>
> --
>
>
> Ray Bon
> Programmer Analyst
> Development Services, University Systems
> 2507218831 | CLE 019 | [email protected]
>
> I respectfully acknowledge that my place of work is located within the
> ancestral, traditional and unceded territory of the Songhees, Esquimalt and
> WSÁNEĆ Nations.
>
>
--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/7c931296-265a-483d-ad40-7ee13c19b2f5%40apereo.org.
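
The failure reported at the top of this thread, where the whole comma-separated value is looked up as one host name, reproduced with plain java.net calls. This is an added example, not CAS code and not from any poster in the thread; the class RadiusAddressCheck and the helper resolveAll are hypothetical names.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

// Added example, not CAS code: split a comma-separated inetAddress value and
// resolve each entry on its own, so a bad entry is reported by name.
public class RadiusAddressCheck {

    // Hypothetical helper: returns the hosts in the order they were listed.
    static List<InetAddress> resolveAll(String inetAddressProperty)
            throws UnknownHostException {
        List<InetAddress> hosts = new ArrayList<>();
        for (String entry : inetAddressProperty.split(",")) {
            String host = entry.trim();
            if (host.isEmpty()) {
                continue; // tolerate "a,,b" and stray whitespace
            }
            // IP literals are parsed locally; names go to the resolver and
            // throw UnknownHostException when they cannot be found.
            hosts.add(InetAddress.getByName(host));
        }
        if (hosts.isEmpty()) {
            throw new IllegalArgumentException("no RADIUS host configured");
        }
        return hosts;
    }

    public static void main(String[] args) throws Exception {
        String configured = "127.0.0.1,127.0.0.2"; // value from the thread

        // Whole value as one host: it is not an IP literal, so the resolver is
        // asked for a host literally named "127.0.0.1,127.0.0.2".
        try {
            InetAddress.getByName(configured);
            System.out.println("unexpected: resolved as a single host");
        } catch (UnknownHostException e) {
            System.out.println("single-host lookup failed: " + e.getMessage());
        }

        // Splitting first yields one address per server, in listed order.
        for (InetAddress host : resolveAll(configured)) {
            System.out.println("RADIUS server candidate: " + host.getHostAddress());
        }
    }
}
```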