> > In the JDBC -> RADIUS case where it's not working as expected, what > exceptions are thrown during the authentication process? It might help > to step through the auth process with a debugger to see what throws > what and when. > > I've pasted the contents of the log file from the authentication failure, in DEBUG mode:
https://pastebin.com/KjrVKh4U The interesting line is: 18:21:18.272 [http-nio-8080-exec-22] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from [172.25.240.41, 0:0:0:0:0:0:0:1] for user "[email protected]" failed. Doing some more digging, it's something about the challenge/response that is failing, here. I'm using LinOTP with RADIUS to do 2FA for this testing, and, when you use that, you have two options for how to authenticate with the PIN + OTP: 1) Enter PIN and submit, get prompted for OTP 2) Enter PIN and OTP at the same time, and both factors will be checked concurrently. If I do option 2, it works correctly - passes through JDBC and on to RADIUS, and authentication succeeds. If I do option 1, where I'm supposed to be prompted by Guacamole for the second factor, this seems to be where it fails. So, my guess at this point is it has something to do with the logic in the RADIUS module that handles the checks between initial authentication and the challenge/response, and that one of those steps isn't working correctly when another module precedes it. -Nick
