[ https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15854575#comment-15854575 ]
Nick Couchman commented on GUACAMOLE-197:
-----------------------------------------
Okay, making progress here, but have another question. When the RADIUS server
sends back the AccessChallenge packet, it also sends a "State" parameter that
needs to be saved and used to process the remainder of the authentication. So,
something like this:
- Send Username, Password
- Receive Challenge, State
- Send Username, State, Response
- Receive Accept/Reject
For the connection state, is the best way to do this to pass the state into the
AngularJS form where the user enters the challenge response, and then somehow
pass it back, or is there some way to internally add the state to the Java
servlet side such that I can pick it back up and use it again? I'd rather not
pass it through the browser front-end if I don't have to - seems more secure if
I can keep it all on the servlet side - but I'm not sure the best place to
create that storage item. I tried to just add it to the
AuthenticationProviderService class that I'm implementing in the module, but it
looks like the class gets re-instantiated during the second go-around, so there
isn't anything persistent there. I'm not sure if there's another session class
I should use or something like that?
> Implement Support for RADIUS Authentication
> -------------------------------------------
>
> Key: GUACAMOLE-197
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole, guacamole-client
> Affects Versions: 0.9.11-incubating
> Reporter: Nick Couchman
> Priority: Minor
>
> Working on implementing a RADIUS authentication module -
> guacamole-auth-radius. The basic implementation is completed - with a basic
> PAP or CHAP RADIUS server, the authentication succeeds and the user is logged
> in.
> I'm running into an issue, though, trying to implement Challenge/Response in
> RADIUS. I have my RADIUS server configured to talk to LinOTP for MFA/2FA,
> and RADIUS sends the AccessChallenge package back, asking for the second
> factor. My issue is in my continual failure to grasp the connection between
> the servlet side and the AngularJS web application. I've copied the Duo
> authentication code and tried to morph it into something that will present
> another box for the RADIUS challenge, but I can't get my controller function
> to actually fire.
> Once that is working, I'd like to support other RADIUS authentication
> protocols, like EAP-TLS and EAP-TTLS, so there's a little more work to be
> done, but right now I'm focusing on the basic protocols and the
> challenge/response.
> Will have a repo posted here in a moment for working on this.
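
The four-step exchange in the comment above can keep the RADIUS State on the servlet side between the challenge and the response. The following is an added example, not code from the original message or from Guacamole: a hypothetical `PendingChallengeStore` (class and method names are illustrative, Java 16+ assumed) holds the State in memory under a random one-time handle, which is an assumption; a servlet session ID could serve as the key instead.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical holder for RADIUS State between Access-Challenge and the user's response. */
public class PendingChallengeStore {
    private record Pending(String username, byte[] state, Instant expires) {}

    private final ConcurrentHashMap<String, Pending> pending = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Duration ttl;

    public PendingChallengeStore(Duration ttl) { this.ttl = ttl; }

    /** After "Receive Challenge, State": keep State server-side, return an opaque handle. */
    public String save(String username, byte[] radiusState) {
        Instant now = Instant.now();
        pending.values().removeIf(p -> p.expires().isBefore(now)); // drop abandoned logins
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String handle = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(handle, new Pending(username, radiusState.clone(), now.plus(ttl)));
        return handle;
    }

    /** Before "Send Username, State, Response": State is released once, to the same user, before expiry. */
    public Optional<byte[]> take(String handle, String username) {
        Pending p = pending.remove(handle); // single use, even when the checks below fail
        if (p == null || p.expires().isBefore(Instant.now()) || !p.username().equals(username))
            return Optional.empty();
        return Optional.of(p.state());
    }

    public static void main(String[] args) {
        PendingChallengeStore store = new PendingChallengeStore(Duration.ofMinutes(2));
        byte[] state = {0x01, 0x02, 0x03, 0x04}; // constructed sample State value
        String h1 = store.save("alice", state);
        System.out.println("other user gets state: " + store.take(h1, "bob").isPresent());
        System.out.println("handle reusable:       " + store.take(h1, "alice").isPresent());
        String h2 = store.save("alice", state);
        byte[] back = store.take(h2, "alice").orElseThrow();
        System.out.println("state round-trips:     " + Arrays.equals(back, state));
    }
}
```

Only the handle would travel to the challenge form and back; the State bytes stay on the server and are discarded after one use or when the time limit passes.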