Can you tell where the password becomes mangled? I.e. is it in the CAS code itself or is it down in the RADIUS library?
On Mon, Mar 28, 2011 at 1:21 PM, Harry Hoffman <[email protected]> wrote:
> Hi All,
>
> I'm brand new to CAS but have managed to get all of the components together
> for a working CAS-3.4.6 with RADIUS as the authentication backend.
>
> I'm running the CAS server on RHAS 5.5 with tomcat 7.0.8 and
> freeradius-2.1.8 as the radius server.
>
> I start CAS and don't get any errors, and the first authentication via CAS
> to the radius box works, no problem. However, any subsequent auths all fail,
> as the CAS server mangles the password in some way as it passes it off to the
> radius box.
>
> Is anyone successfully running CAS with RADIUS backends?
>
> I've included debug info from both the CAS server and the RADIUS server. If
> anyone's got some helpful tips I'd really appreciate it. I'm not a java guy
> at all, so it took quite some time to get this far.
>
> Cheers,
> Harry
>
> Here's some info:
>
> [From /app/tomcat/logs/catalina.out]
> Mar 28, 2011 1:05:44 PM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 7837 ms
> 2011-03-28 13:06:01,287 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Beginning ticket cleanup.>
> 2011-03-28 13:06:01,288 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 tickets found to be removed.>
> 2011-03-28 13:06:01,289 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished ticket cleanup.>
> 2011-03-28 13:07:12,086 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for cookies to: /cas>
> 2011-03-28 13:07:20,150 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler successfully authenticated the user which provided the following credentials: [username: hhoffman]>
> 2011-03-28 13:07:20,154 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: [username: hhoffman]
> WHAT: supplied credentials: [username: hhoffman]
> ACTION: AUTHENTICATION_SUCCESS
> APPLICATION: CAS
> WHEN: Mon Mar 28 13:07:20 EDT 2011
> CLIENT IP ADDRESS: 192.168.17.140
> SERVER IP ADDRESS: 172.16.38.128
> =============================================================
>
>
> 2011-03-28 13:07:20,157 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: [username: hhoffman]
> WHAT: TGT-1-JRH4VL55badAVyq7IDeCAcbIF20b7DZcwsnEvRAk5zLbrnUmqh-cas
> ACTION: TICKET_GRANTING_TICKET_CREATED
> APPLICATION: CAS
> WHEN: Mon Mar 28 13:07:20 EDT 2011
> CLIENT IP ADDRESS: 192.168.17.140
> SERVER IP ADDRESS: 172.16.38.128
> =============================================================
>
>
> 2011-03-28 13:07:31,321 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: audit:unknown
> WHAT: TGT-1-JRH4VL55badAVyq7IDeCAcbIF20b7DZcwsnEvRAk5zLbrnUmqh-cas
> ACTION: TICKET_GRANTING_TICKET_DESTROYED
> APPLICATION: CAS
> WHEN: Mon Mar 28 13:07:31 EDT 2011
> CLIENT IP ADDRESS: 192.168.17.140
> SERVER IP ADDRESS: 172.16.38.128
> =============================================================
>
>
> 2011-03-28 13:07:41,536 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Reloading registered services.>
> 2011-03-28 13:07:41,536 INFO [org.jasig.cas.services.DefaultServicesManagerImpl] - <Loaded 4 services.>
> 2011-03-28 13:07:44,322 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler failed to authenticate the user which provided the following credentials: [username: hhoffman]>
> 2011-03-28 13:07:44,322 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: [username: hhoffman]
> WHAT: supplied credentials: [username: hhoffman]
> ACTION: AUTHENTICATION_FAILED
> APPLICATION: CAS
> WHEN: Mon Mar 28 13:07:44 EDT 2011
> CLIENT IP ADDRESS: 192.168.17.140
> SERVER IP ADDRESS: 172.16.38.128
> =============================================================
>
>
> 2011-03-28 13:07:44,323 INFO [com.github.inspektr.audit.support.Slf4jLoggingAuditTrailManager] - <Audit trail record BEGIN
> =============================================================
> WHO: [username: hhoffman]
> WHAT: error.authentication.credentials.bad
> ACTION: TICKET_GRANTING_TICKET_NOT_CREATED
> APPLICATION: CAS
> WHEN: Mon Mar 28 13:07:44 EDT 2011
> CLIENT IP ADDRESS: 192.168.17.140
> SERVER IP ADDRESS: 172.16.38.128
> =============================================================
>
> [From the radius server debug - FIRST ATTEMPT PASSWORD LOOKS JUST FINE]
> Ready to process requests.
> rad_recv: Access-Request packet from host 172.16.38.128 port 40102, id=2, length=62
>         User-Name = "hhoffman"
>         User-Password = "TestPassword"
>         Message-Authenticator = 0xa71add575f352954035ef77234d6d6b1
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ...
> rlm_ldap: waiting for bind result ...
> rlm_ldap: Bind was successful
> [ldap] user hhoffman authenticated succesfully
> +++[ldap] returns ok
> ++- group returns ok
> expand: Auth-Type: %{control:Auth-Type} -> Auth-Type: ldap_ntlm
> Login OK: [hhoffman] (from client castest port 0) Auth-Type: ldap_ntlm
>
> (THIS IS THE SECOND ATTEMPT AND LOOK AT HOW THE PASSWORD IS NOW MANGLED)
> Ready to process requests.
> rad_recv: Access-Request packet from host 172.16.38.128 port 43670, id=3, length=55
>         User-Name = "hhoffman"
>         User-Password = "\ry\251\200!>(\2047"
>         Message-Authenticator = 0xa87b5f47907bbadb0bd83cf8aed703d6
> +- entering group authorize {...}
>
> Needless to say it fails here, and I have to restart the webapp before
> another authentication will work.
>
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
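FreeRADIUS prints User-Password only after decrypting it with the shared secret and the Request Authenticator from the packet header, so binary junk like the second attempt above means the server's key stream did not match the one the client used to hide the password. The following example is added here and is not code from the thread, CAS or FreeRADIUS: it implements the RFC 2865 section 5.2 hiding on both sides and renders the server's view of the result, including what a mismatched authenticator looks like; the shared secret and authenticators are constructed values.

```python
import hashlib

def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Client side (RFC 2865 s5.2): pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block); block 0 uses the Request Authenticator."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    pad = (-len(password)) % 16
    padded = password + b"\x00" * (pad if password else 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)

def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: rebuild the key stream from its configured secret and the
    Request Authenticator in the packet header, XOR back, strip the NUL padding."""
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")

# Approximation of FreeRADIUS 2.x debug escaping for string attributes:
# \r \n \t " \ get backslash escapes, other non-printable bytes 3-digit octal.
_ESC = {0x0D: "\\r", 0x0A: "\\n", 0x09: "\\t", 0x22: '\\"', 0x5C: "\\\\"}

def freeradius_style(raw: bytes) -> str:
    return "".join(_ESC.get(b, chr(b) if 0x20 <= b < 0x7F else "\\%03o" % b) for b in raw)

def server_view(password: bytes, secret: bytes, client_ra: bytes, server_ra: bytes) -> str:
    """Debug-log rendering of User-Password when the client hid it under client_ra
    and the server decrypts under server_ra (the two are equal in the healthy case)."""
    hidden = hide_password(password, secret, client_ra)
    return freeradius_style(reveal_password(hidden, secret, server_ra))

if __name__ == "__main__":
    secret = b"constructed-shared-secret"                     # constructed, not the poster's
    ra_ok, ra_stale = bytes(range(16)), bytes(range(16, 32))  # constructed authenticators
    print(server_view(b"TestPassword", secret, ra_ok, ra_ok))     # TestPassword
    print(server_view(b"TestPassword", secret, ra_ok, ra_stale))  # octal-escaped garbage
```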
