[
https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15855255#comment-15855255
]
Nick Couchman commented on GUACAMOLE-197:
-----------------------------------------
Here's the documentation on the attribute itself from the IETF standard:
https://tools.ietf.org/html/rfc2865#section-5.24
From what I can tell reading that and some other Internet sources, the risk of exposing the state field to the authenticating user should be minimal. My rationale is as follows:
- The state field appears to be just a session marker in the RADIUS conversation, used specifically when the authenticating system needs to provide additional information to the server, or when the RADIUS server needs to do something at termination of a connection.
- There hasn't been a lot done to obfuscate or encrypt the field itself. The RADIUS protocol as a whole has developed several security measures to protect the overall transmission, but there hasn't been any focus on the state protocol specifically.
- Obviously a third-party attacker being able to read the state field could use it to try to impersonate the user or intercept the connection; however, there's equally (more?) sensitive data in the payload than the state - like username and password.

So, I don't think there's any harm in the person who's doing the authentication seeing the state value.
> Implement Support for RADIUS Authentication
> -------------------------------------------
>
> Key: GUACAMOLE-197
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole, guacamole-client
> Affects Versions: 0.9.11-incubating
> Reporter: Nick Couchman
> Priority: Minor
>
> Working on implementing a RADIUS authentication module - guacamole-auth-radius. The basic implementation is completed - with a basic PAP or CHAP RADIUS server, the authentication succeeds and the user is logged in.
> I'm running into an issue, though, trying to implement Challenge/Response in RADIUS. I have my RADIUS server configured to talk to LinOTP for MFA/2FA, and RADIUS sends the AccessChallenge package back, asking for the second factor. My issue is in my continual failure to grasp the connection between the servlet side and the AngularJS web application. I've copied the Duo authentication code and tried to morph it into something that will present another box for the RADIUS challenge, but I can't get my controller function to actually fire.
> Once that is working, I'd like to support other RADIUS authentication protocols, like EAP-TLS and EAP-TTLS, so there's a little more work to be done, but right now I'm focusing on the basic protocols and the challenge/response.
> Will have a repo posted here in a moment for working on this.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
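The challenge/response leg discussed in the comment above, as an added example that is not part of this thread or of guacamole-auth-radius: it verifies an Access-Challenge's Response Authenticator against the shared secret before trusting its State attribute, then builds the follow-up Access-Request that echoes State unchanged and carries the second factor hidden as User-Password (RFC 2865 sections 3, 5.2 and 5.24). The packet layout is the RFC's; the shared secret, identifiers and State value used in any test are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11          # packet codes, RFC 2865 section 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24  # attribute types, section 5

def parse_attributes(body):
    """Walk the type/length/value attribute list after the 20-byte header."""
    attrs, i = [], 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs
def pack_attributes(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def response_authenticator(code, ident, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def hide_user_password(password, secret, request_auth):
    """User-Password hiding of RFC 2865 section 5.2: MD5 keystream chained on ciphertext."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def handle_challenge(packet, request_auth, secret):
    """Verify an Access-Challenge against the Request Authenticator we sent; return (State, Reply-Message)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_CHALLENGE or length != len(packet):
        raise ValueError("not a well-formed Access-Challenge")
    expected = response_authenticator(code, ident, request_auth, packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: not from a server holding the secret")
    attrs = dict(parse_attributes(packet[20:]))
    return attrs.get(STATE), attrs.get(REPLY_MESSAGE, b"")

def second_factor_request(ident, username, otp, state, secret):
    """Next Access-Request: State is echoed byte-for-byte, the OTP travels hidden as User-Password."""
    request_auth = os.urandom(16)  # fresh per request; also keys the password hiding
    attrs = pack_attributes([(USER_NAME, username), (USER_PASSWORD, hide_user_password(otp, secret, request_auth)), (STATE, state)])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
```

Note that State is only ever copied back, never interpreted by the client, and that a forged or altered challenge is rejected before its State is used at all; the secret-keyed Response Authenticator, not secrecy of State, is what ties the challenge to the server.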