Re: RADIUS Module Issue

2018-12-01 Thread Nick Couchman
>
> In the JDBC -> RADIUS case where it's not working as expected, what
> exceptions are thrown during the authentication process? It might help
> to step through the auth process with a debugger to see what throws
> what and when.
>
>
I've pasted the contents of the log file from the authentication failure,
in DEBUG mode:

https://pastebin.com/KjrVKh4U

The interesting line is:

18:21:18.272 [http-nio-8080-exec-22] WARN
 o.a.g.r.auth.AuthenticationService - Authentication attempt from
[172.25.240.41, 0:0:0:0:0:0:0:1] for user "andy.tay...@mayberry.gov" failed.

Doing some more digging, it's something about the challenge/response that
is failing, here.  I'm using LinOTP with RADIUS to do 2FA for this testing,
and, when you use that, you have two options for how to authenticate with
the PIN + OTP:
1) Enter PIN and submit, get prompted for OTP
2) Enter PIN and OTP at the same time, and both factors will be checked
concurrently.

If I do option 2, it works correctly - passes through JDBC and on to
RADIUS, and authentication succeeds.  If I do option 1, where I'm supposed
to be prompted by Guacamole for the second factor, this seems to be where
it fails.

So, my guess at this point is it has something to do with the logic in the
RADIUS module that handles the checks between initial authentication and
the challenge/response, and that one of those steps isn't working correctly
when another module precedes it.

-Nick
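
The two login options described in the message above, traced through a two-module chain, as an added example that is not part of the original post and is not Guacamole or LinOTP code. It is a simplified model of the expected behaviour (a later module's challenge reaches the user even when an earlier module rejects the login); `db_provider`, `OtpProvider`, `attempt` and the test account are hypothetical.

```python
import secrets

class Invalid(Exception):
    """Provider rejected the credentials or does not know the user."""
class Challenge(Exception):
    """Provider accepted the first factor; args[0] carries the challenge state."""

# Constructed test account: PIN "1234", current OTP "654321".
USERS = {"otpuser": {"pin": "1234", "otp": "654321"}}
def db_provider(creds):
    raise Invalid("db: unknown user")  # database module without the OTP user

class OtpProvider:
    """Hypothetical stand-in for a RADIUS module in front of an OTP server."""
    def __init__(self):
        self.pending = {}  # challenge state -> username awaiting the OTP
    def __call__(self, creds):
        name, pw = creds["username"], creds.get("password", "")
        user = USERS.get(name)
        if user is None:
            raise Invalid("otp: unknown user")
        if "state" in creds:  # second request: answer to a challenge
            owner = self.pending.pop(creds["state"], None)  # one-time use
            if owner == name and creds.get("response") == user["otp"]:
                return name
            raise Invalid("otp: bad challenge response")
        if pw == user["pin"] + user["otp"]:  # option 2: PIN and OTP together
            return name
        if pw == user["pin"]:  # option 1: PIN only, prompt for the OTP
            state = secrets.token_hex(8)
            self.pending[state] = name
            raise Challenge(state)
        raise Invalid("otp: wrong PIN")

def attempt(chain, creds):
    """Run one request through the chain; return (outcome, value, trace)."""
    trace, challenge = [], None
    for label, provider in chain:
        try:
            user = provider(creds)
            trace.append((label, "ok"))
            return "authenticated", user, trace
        except Challenge as c:
            trace.append((label, "challenge"))
            challenge = challenge or c  # keep the first challenge seen
        except Invalid:
            trace.append((label, "invalid"))
    if challenge:
        return "challenge", challenge.args[0], trace
    return "failed", None, trace
```

The trace returned by `attempt` records what each module raised for each request, which is the information a debugger session over the real chain would be collecting.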


Re: RADIUS Module Issue

2018-11-26 Thread Mike Jumper
On Wed, Nov 21, 2018 at 2:25 PM Nick Couchman wrote:
> ...
> That authentication of that user moves through each of the modules.  So, if
> the JDBC module fails, either because the user is not present in JDBC or is
> present but password does not match, authentication moves on to the RADIUS
> module and is checked against that module.  I believe this works correctly
> between, for example, LDAP -> JDBC (although I've never tried putting LDAP
> authentication *after* JDBC), so I'm not sure why it isn't working for JDBC
> -> RADIUS.
>

In the JDBC -> RADIUS case where it's not working as expected, what
exceptions are thrown during the authentication process? It might help
to step through the auth process with a debugger to see what throws
what and when.

- Mike


Re: RADIUS Module Issue

2018-11-21 Thread Nick Couchman
On Wed, Nov 21, 2018 at 3:52 AM Mike Jumper wrote:

> On Tue, Nov 20, 2018 at 10:46 AM Nick Couchman wrote:
>
> > Hey, everyone,
> > Ran back into an issue with the RADIUS module that I thought was resolved a
> > while back, but seems to have re-appeared.  In my current testing, I'm
> > using both RADIUS and JDBC PostgreSQL for authentication.  Guacamole loads
> > and evaluates authentication against each of the extensions in alphabetical
> > order.  If I have the RADIUS module installed such that it loads and
> > evaluates *after* the JDBC module, authentication fails for the RADIUS
> > users.  If I have the RADIUS module installed such that it loads and
> > evaluates *before* the JDBC module (put a 0 in front of radius - e.g.
> > guacamole-auth-0radius-1.0.0.jar), it works correctly.
> >
> >
> What is the expected behavior for the case that RADIUS is queried last?
>
>
That authentication of that user moves through each of the modules.  So, if
the JDBC module fails, either because the user is not present in JDBC or is
present but password does not match, authentication moves on to the RADIUS
module and is checked against that module.  I believe this works correctly
between, for example, LDAP -> JDBC (although I've never tried putting LDAP
authentication *after* JDBC), so I'm not sure why it isn't working for JDBC
-> RADIUS.

-Nick


Re: RADIUS Module Issue

2018-11-21 Thread Mike Jumper
On Tue, Nov 20, 2018 at 10:46 AM Nick Couchman wrote:

> Hey, everyone,
> Ran back into an issue with the RADIUS module that I thought was resolved a
> while back, but seems to have re-appeared.  In my current testing, I'm
> using both RADIUS and JDBC PostgreSQL for authentication.  Guacamole loads
> and evaluates authentication against each of the extensions in alphabetical
> order.  If I have the RADIUS module installed such that it loads and
> evaluates *after* the JDBC module, authentication fails for the RADIUS
> users.  If I have the RADIUS module installed such that it loads and
> evaluates *before* the JDBC module (put a 0 in front of radius - e.g.
> guacamole-auth-0radius-1.0.0.jar), it works correctly.
>
>
What is the expected behavior for the case that RADIUS is queried last?

- Mike


RADIUS Module Issue

2018-11-20 Thread Nick Couchman
Hey, everyone,
Ran back into an issue with the RADIUS module that I thought was resolved a
while back, but seems to have re-appeared.  In my current testing, I'm
using both RADIUS and JDBC PostgreSQL for authentication.  Guacamole loads
and evaluates authentication against each of the extensions in alphabetical
order.  If I have the RADIUS module installed such that it loads and
evaluates *after* the JDBC module, authentication fails for the RADIUS
users.  If I have the RADIUS module installed such that it loads and
evaluates *before* the JDBC module (put a 0 in front of radius - e.g.
guacamole-auth-0radius-1.0.0.jar), it works correctly.

Any ideas what's causing this, or where I need to look to determine what's
going on?  I can provide some logs for both scenarios if that helps.

-Nick