[
https://issues.apache.org/jira/browse/GUACAMOLE-1333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17331509#comment-17331509
]
Nick Couchman commented on GUACAMOLE-1333:
------------------------------------------
{quote}
And what about duplicating the radius plugin as a radius2fa and force
GuacamoleInsufficientCredentialsException so that it acts like duo or totp.
{quote}
This is probably doable, but not necessarily trivial - it would require an
extensive amount of work in one of two directions:
1. Rewrite the RADIUS module such that it is a "decorating" module (this is
how TOTP and Duo work) that adds functionality to existing users rather than
providing its own users.
2. Rewrite the RADIUS module to include an Event Listener that would "veto" a
successful authentication and then trigger the RADIUS login (see
http://guacamole.apache.org/doc/gug/event-listeners.html#custom-listener-veto).
In both of the above cases you should be able to use the original credentials
passed through for the user to send on to RADIUS to get the 2FA login.
However, as Mike mentioned, the real root cause of your issue is that RADIUS
does not currently provide any group membership information that could be used
to determine what connections users have access to, and, in reality, resolving
that issue would make the entire question of how to force authentication
through multiple modules at the same time quite a bit less important.
> Force second auth
> -----------------
>
> Key: GUACAMOLE-1333
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1333
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-jdbc-mysql, guacamole-auth-ldap,
> guacamole-auth-radius
> Affects Versions: 1.3.0
> Reporter: Nicolas Baudrand
> Priority: Minor
>
> Hi!
> We're using Guacamole Auth ldap and then map returned groups with existing
> mysql groups to assign profiles.
> Now, we want to ask for TOTP to our central server that is reachable by
> radius.
> So, I have enabled auth-jdbc, auth-ldap and auth-radius
> With username+pass (ldap), I have access to my AD group profile.
> With username+otp or username+pass+otp (radius), I have an empty profile
> because no groups are returned by radius.
> Is it possible to force a second auth after LDAP (returning
> GuacamoleInsufficientCredentialsException) so that we can ask for OTP after
> LDAP?
> Guacamole TOTP is great but not centralized and I don't want to ask my users
> to register a new Token for each application.
>
> Thanks a lot for this great product
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)