Hello,
I am struggling with configuring RADIUS without MFA as an auth handler. I
don't know if it is possible, but I'm working on it without a positive result
yet, and I'm close to giving up.
CAS version: 6.4.62
cas.properties:
#RADIUS
cas.authn.radius.server.nas-port-id=-1
cas.authn.radius.server.nas-real-port=-1
cas.authn.radius.server.protocol=EAP_MSCHAPv2
cas.authn.radius.server.retries=3
cas.authn.radius.server.nas-port-type=-1
cas.authn.radius.server.nas-port=-1
cas.authn.radius.server.nas-ip-address=
cas.authn.radius.server.nas-ipv6-address=
cas.authn.radius.server.nas-identifier=-1
cas.authn.radius.client.authentication-port=1812
cas.authn.radius.client.shared-secret=xxxxxxxxx
cas.authn.radius.client.socket-timeout=0
cas.authn.radius.client.inet-address=IP Radius server
cas.authn.radius.client.accounting-port=1813
cas.authn.radius.name=Radius
cas.authn.radius.failover-on-exception=false
cas.authn.radius.failover-on-authentication-failure=false
log:
2022-04-06 14:43:28,134 DEBUG
[org.apereo.cas.adaptors.radius.server.AbstractRadiusServer] - <RADIUS
access request prepared as [Class: class net.jradius.packet.AccessRequest
Attributes:
User-Name := kowalski@xx
User-Password := [Encrypted String]
Client-IP-Address := IPhost_from_i_tested_it
NAS-Identifier := -1
]>
2022-04-06 14:43:28,199 DEBUG
[org.apereo.cas.adaptors.radius.server.AbstractRadiusServer] - <RADIUS
response from [radius.xx]: [net.jradius.packet.AccessChallenge] as [Class:
class net.jradius.packet.AccessChallenge
Attributes:
EAP-Message = [Binary Data (length=6)]
Message-Authenticator = [Binary Data (length=16)]
State = [Binary Data (length=16)]
]>
2022-04-06 14:43:28,199 DEBUG
[org.apereo.cas.adaptors.radius.server.AbstractRadiusServer] - <Radius
response code [11] accepted with attributes [[EAP-Message = [Binary Data
(length=6)], Message-Authenticator = [Binary Data (length=16)], State =
[Binary Data (length=16)]]] and identifier [2]>
2022-04-06 14:43:28,201 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationManager] -
<Authentication handler [Radius] successfully authenticated
[UsernamePasswordCredential(username=kowalski@xx, source=null,
customFields={})]>
Problem: kowalski has the ability to log in to CAS with a wrong password.
I have tested the RADIUS connection from the CAS server with the eapol_test tool with
these settings:
I received code 2 from RADIUS, so it is OK.
TEST positive with code 11
./eapol_test -c file.conf -a IP_radius_serwer -s xxxxxxxx
network={
ssid="example"
key_mgmt=WPA-EAP
eap=PEAP
identity="kowalski@xx"
anonymous_identity="@xx"
password="xxxx"
phase2="auth=MSCHAPV2"
}
Radius codes:
Assigned RADIUS Codes (decimal) include the following:

Code  Assignment
1     Access-Request
2     Access-Accept
3     Access-Reject
4     Accounting-Request
5     Accounting-Response
11    Access-Challenge
Q2: Is it possible to use the Radius handler to authenticate a user via RADIUS without MFA?
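
An added example, not part of the original message and not CAS code: a log check for the condition visible in the log above, where a handler reports success right after a RADIUS response whose code is not 2 (Access-Accept). It assumes the CAS debug log format shown in the post and pairs each success with the preceding response by order only, so interleaved concurrent logins are not handled; the function names and the nowak@xx events are constructed.

```python
import re

# RADIUS codes as listed in the post; only Access-Accept means "authenticated".
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
ACCESS_ACCEPT = 2

# First two events abridged from the post; the last two are constructed for contrast.
SAMPLE_LOG = """\
2022-04-06 14:43:28,199 DEBUG
[org.apereo.cas.adaptors.radius.server.AbstractRadiusServer] - <Radius
response code [11] accepted with attributes [[EAP-Message = [Binary Data
(length=6)]]] and identifier [2]>
2022-04-06 14:43:28,201 DEBUG
[org.apereo.cas.authentication.DefaultAuthenticationManager] -
<Authentication handler [Radius] successfully authenticated
[UsernamePasswordCredential(username=kowalski@xx, source=null,
customFields={})]>
2022-04-06 14:50:00,000 DEBUG [org.apereo.cas.adaptors.radius.server.AbstractRadiusServer] - <Radius response code [2] accepted with attributes [[]] and identifier [3]>
2022-04-06 14:50:00,002 DEBUG [org.apereo.cas.authentication.DefaultAuthenticationManager] - <Authentication handler [Radius] successfully authenticated [UsernamePasswordCredential(username=nowak@xx, source=null, customFields={})]>
"""

TS = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ", re.M)
CODE = re.compile(r"Radius response code \[(\d+)\] accepted")
SUCCESS = re.compile(r"Authentication handler \[([^\]]+)\] successfully authenticated "
                     r"\[UsernamePasswordCredential\(username=([^,]+),")

def split_events(log_text):
    """Re-join wrapped lines so each timestamp-led record is one string."""
    starts = [m.start() for m in TS.finditer(log_text)] + [len(log_text)]
    return [" ".join(log_text[a:b].split()) for a, b in zip(starts, starts[1:])]

def find_suspect_logins(log_text):
    """Return (user, handler, code, code_name) for each handler success
    that follows a RADIUS response other than Access-Accept."""
    findings, last_code = [], None
    for event in split_events(log_text):
        if (m := CODE.search(event)):
            last_code = int(m.group(1))
        elif (m := SUCCESS.search(event)) and last_code is not None:
            if last_code != ACCESS_ACCEPT:
                findings.append((m.group(2), m.group(1), last_code,
                                 RADIUS_CODES.get(last_code, "unknown")))
            last_code = None  # each response is paired with one success
    return findings

if __name__ == "__main__":
    for finding in find_suspect_logins(SAMPLE_LOG):
        print("success without Access-Accept:", finding)
```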