It looks like multiple addresses are only for failover, which you have as
false,
https://apereo.github.io/cas/6.0.x/configuration/Configuration-Properties-Common.html#radius-configuration
Ray
On Sat, 2019-07-20 at 08:09 -0700, 李朝林 wrote:
cas.authn.mfa.radius.client.inetAddress=127.0.0.1 Test is OK
cas.authn.mfa.radius.client.inetAddress=127.0.0.2 Test is OK
cas.authn.mfa.radius.client.inetAddress=127.0.0.1,127.0.0.2 I encountered a host
or service name not found exception.
At the same time I read the CAS source code; I can't find where
'cas.authn.mfa.radius.client.inetAddress' is parsed to create multiple radius services to
ensure failoverException. It just regards '127.0.0.1,127.0.0.2' as one radius
service address (5.3.4-RC):
@RefreshScope
@Bean
public List<RadiusServer> radiusTokenServers() {
    final List<RadiusServer> list = new ArrayList<>();
    final RadiusClientProperties client = casProperties.getAuthn().getMfa().getRadius().getClient();
    final RadiusServerProperties server = casProperties.getAuthn().getMfa().getRadius().getServer();
    final RadiusClientFactory factory = new RadiusClientFactory(client.getAccountingPort(),
        client.getAuthenticationPort(), client.getSocketTimeout(), client.getInetAddress(),
        client.getSharedSecret());
    final RadiusProtocol protocol = RadiusProtocol.valueOf(server.getProtocol());
    final JRadiusServerImpl impl = new JRadiusServerImpl(protocol, factory, server.getRetries(),
        server.getNasIpAddress(), server.getNasIpv6Address(), server.getNasPort(),
        server.getNasPortId(), server.getNasIdentifier(), server.getNasRealPort());
    list.add(impl);
    return list;
}
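The behaviour the two posts above describe (one RadiusServer built from the raw inetAddress string, and failover only mattering once there is more than one server) can be modelled in a few lines. This is an added illustration, not CAS code; the server table, the assumed failover semantics and the helper names build_servers and authenticate are constructed for the example.

```python
# Added illustration (not CAS code): a small model of what a list of
# RadiusServer objects plus the two cas.authn.radius.failover* flags would
# do, and why a comma-joined inetAddress that is never split behaves as a
# single unresolvable host. The server table and semantics are assumptions.

# Constructed server table: None means the host is unreachable, otherwise
# the set of one-time passwords that server would accept.
FAKE_SERVERS = {
    "127.0.0.1": None,           # down -> connection/lookup exception
    "127.0.0.2": {"123456"},     # reachable, accepts this OTP
}


def build_servers(inet_address, split):
    """Hosts a bean would create from cas.authn.mfa.radius.client.inetAddress.

    split=False mirrors the 5.3.4 bean quoted above, which passes the raw
    string to one RadiusClientFactory; split=True is what a failover list
    needs: one RadiusServer per comma-separated host.
    """
    if not split:
        return [inet_address]
    return [h.strip() for h in inet_address.split(",") if h.strip()]


def authenticate(hosts, otp, failover_on_exception, failover_on_auth_failure):
    """Try each host in order under the assumed failover semantics.

    Returns (accepted, hosts_tried). An unreachable or unknown host raises
    unless failoverOnException is true; a rejected OTP stops the loop
    unless failoverOnAuthenticationFailure is true (each extra server then
    gives the same login attempt another chance, which is worth keeping in
    mind when tuning lockout or rate limits on the RADIUS side).
    """
    tried = []
    for host in hosts:
        tried.append(host)
        accepted_otps = FAKE_SERVERS.get(host)
        if accepted_otps is None:              # unknown host or server down
            if failover_on_exception:
                continue
            raise OSError(f"host or service name not found: {host!r}")
        if otp in accepted_otps:
            return True, tried
        if not failover_on_auth_failure:       # fail closed on first reject
            return False, tried
    return False, tried                        # every server failed over
```

With both flags false (the configuration posted earlier in the thread) the unsplit address raises exactly the lookup error reported, and even with failoverOnException the MFA step still fails closed because the joined string is never a real host.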
On Friday, July 19, 2019 at 12:04:55 AM UTC+8, rbon wrote:
It looks like CAS is unable to connect/find those hosts.
Could it be that only one address is allowed for the radius client?
Remove one of the hosts and try again.
If there is still a problem, then it is most likely a network/firewall issue.
Ray
On Wed, 2019-07-17 at 19:01 -0700, 李朝林 wrote:
Hi, debug log as follows, thx!
[20190718095523.jpg]
On Thursday, July 18, 2019 at 12:00:22 AM UTC+8, rbon wrote:
Post some debug logs. Sometimes the problem is identified in another location.
Ray
On Wed, 2019-07-17 at 07:40 -0700, 李朝林 wrote:
Ray, thx very much. I encountered another problem: my system contains more
addresses; the configuration is as follows:
cas.authn.mfa.radius.client.inetAddress=127.0.0.1,127.0.0.2
The radius server fails to parse inetAddress, with a hostname not found exception.
On Friday, June 21, 2019 at 11:22:37 PM UTC+8, rbon wrote:
See,
https://apereo.github.io/cas/6.0.x/mfa/Configuring-Multifactor-Authentication.html#failure-mode-by-registered-service
for an example.
If you use the service management application, there is a tab for MFA.
Ray
On Thu, 2019-06-20 at 18:06 -0700, 李朝林 wrote:
Hi robin,
How do I set MFA for my service(s)? In the CAS configuration or on the radius device?
Thx!
On Thursday, June 20, 2019 at 11:21:16 PM UTC+8, rbon wrote:
You also have to set MFA for your service(s).
Ray
On Wed, 2019-06-19 at 18:21 -0700, 李朝林 wrote:
Hi Christian:
We have been using LDAP + CAS for a long time. Recently we wanted to add
two-factor authentication (LDAP + Radius MFA).
LDAP authentication is OK and redirects to the login success page, but
without showing the radius token password page?
Can u help check out my configuration? Thx
application.properties:
cas.authn.mfa.radius.server.nasPortId=-1
cas.authn.mfa.radius.server.nasRealPort=-1
cas.authn.mfa.radius.server.protocol=EAP_MSCHAPv2
cas.authn.mfa.radius.server.retries=3
cas.authn.mfa.radius.server.nasPortType=-1
cas.authn.mfa.radius.server.nasPort=-1
cas.authn.mfa.radius.server.nasIpAddress=
cas.authn.mfa.radius.server.nasIpv6Address=
cas.authn.mfa.radius.server.nasIdentifier=-1
cas.authn.mfa.radius.client.authenticationPort=1812
cas.authn.mfa.radius.client.sharedSecret=xxxxxx
cas.authn.mfa.radius.client.socketTimeout=0
cas.authn.mfa.radius.client.inetAddress=172.x.x.x
cas.authn.mfa.radius.client.accountingPort=1813
cas.authn.radius.failoverOnException=false
cas.authn.radius.failoverOnAuthenticationFailure=false
pom.xml:
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>
<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-radius-mfa</artifactId>
    <version>5.3.0-RC4</version>
</dependency>
On Thursday, July 19, 2018 at 2:52:01 PM UTC+8, Christian Blich wrote:
We are trying to upgrade our CAS from version 2.0 to 5.2 / 5.3 and have LDAP
authentication up and running, and have Radius working as well, but CAS will
first ask for username and password to log in to the LDAP, then ask for the
same password to call Radius, and then the SMS code. The middle step we want to get
rid of, so is it possible to make the login to the radius reuse the username and
password from LDAP?
In the end we want one of the following combinations:
1. LDAP authentication for username and password, then Radius OTP SMS password
when the risk is at a certain level.
2. Radius authentication and then enrich the user login with info from LDAP,
but it doesn't look like the Radius is receiving other information on the user
than username and password.
The reason is that we want to use SMS as a two-factor validation in risk
situations, when f.ex. somebody has given out their username and password in
phishing attempts. But in general we want the LDAP to be the login validator.
We already use a supplier with radius to handle our VPN login with multifactor,
but for test purposes have made our own simple radius server.
--
Ray Bon
Programmer Analyst
Development Services, University Systems
2507218831 | CLE 019 | [email protected]
I respectfully acknowledge that my place of work is located within the
ancestral, traditional and unceded territory of the Songhees, Esquimalt and
WSÁNEĆ Nations.
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/1704c14ad26d241b9c32bb516a46583b71a9aa70.camel%40uvic.ca.