Nick, hey, thanks for the info.  In the past I have done LDAP/RADIUS for 2FA so I 
was going off of history.  If we can make it work that's awesome.  The reason I 
am citing multiOTP is I have it set up in my environment already for some simple 
2FA.  I would prefer my users to not have to have another token to auth 
Guacamole.  By using multiOTP they have one token to auth into the whole 
environment.  I will dig up some more information on multiOTP and see if I can 
find any documentation on the RADIUS module.  I am running bleeding edge.  I 
installed it last night and it seems to be working ok.


Brian


From: Nick Couchman [mailto:vn...@apache.org]
Sent: Friday, April 6, 2018 9:40 AM
To: user@guacamole.apache.org
Subject: Re: Extension Questions

On Fri, Apr 6, 2018 at 8:59 AM, Fertig, Brian 
<brian.fer...@philips.com> wrote:
Greetings!

  I'm looking to set up Guacamole for 2FA.  I have set up multiOTP and would like 
to see if it's possible to have Guacamole use LDAP for user component and then 
multiOTP (RADIUS) for the 2nd factor piece.  Is this possible?  Can someone 
direct me to documentation on how to set up the environment this way?   I have 
the documentation for LDAP; just looking for RADIUS/TOTP documentation.


The RADIUS extension has not been officially released yet, so the 
documentation is not on the web site.  You can check out the latest 
guacamole-client git repo and build it with the "-Plgpl-extensions" flag to 
build the RADIUS module.  If you do that you'll also need to check out the 
latest guacamole-server code and build and use that.  We're actively working 
toward a 1.0.0 release, which will include this (and many, many more) changes.  
If you need the documentation for the RADIUS module you'll need to check out 
the guacamole-manual git repo and build that manual, and you can find the 
documentation for RADIUS.

However, I will caution that, based on what you've said, I don't think LDAP + 
RADIUS is actually what you want to do.  The way I tested 2FA with RADIUS in 
Guacamole was using LinOTP + FreeRADIUS, and the authentication was done 
entirely through RADIUS.  If you're looking to add a second factor to LDAP 
authentication for Guacamole, and you want to do it through something like 
multiOTP, you probably want to set up multiOTP to authenticate first with LDAP 
and then move on to the second factor - if you rely on Guacamole to do both 
LDAP and RADIUS, LDAP is going to succeed and log the user in and won't know to 
move on to RADIUS.

Alternatively you can use the recently-merged guacamole-auth-totp module to do 
this inside Guacamole, and you should be able to layer the modules such that 
LDAP can do the primary authentication and then the TOTP module will prompt for 
the second factor.  I think Mike is still working on documentation for this 
module, so you'll have to go back through the mailing list and find 
documentation on how to use it, but it should eliminate the need to do RADIUS 
authentication for Guacamole unless you're using RADIUS for other stuff in your 
environment.

-Nick

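
The layering Nick describes (LDAP as the primary login, guacamole-auth-totp prompting for the second factor), written out as a guacamole.properties fragment. This is an added example, not part of the thread and not the Guacamole project's own configuration; the property names are the ones documented in the later Guacamole manual, and every hostname, DN and credential is a constructed placeholder. It assumes the TOTP module keeps each user's enrolled key in a database extension (MySQL here), so an LDAP user needs a database account with the same username.

```properties
# --- Primary factor: LDAP (guacamole-auth-ldap) ---
# Placeholder directory host and base DN; replace with your own.
ldap-hostname: ldap.example.internal
ldap-port: 389
# Protect the bind credentials in transit instead of the default "none".
ldap-encryption-method: starttls
ldap-user-base-dn: ou=people,dc=example,dc=internal
ldap-username-attribute: uid

# --- Storage for per-user TOTP keys (guacamole-auth-jdbc-mysql) ---
# Assumption: the TOTP module has no storage of its own and relies on
# a database extension. Credentials below are placeholders.
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: CHANGE_ME

# --- Second factor: TOTP (guacamole-auth-totp) ---
# Shown with the conventional values most authenticator apps expect.
totp-issuer: Guacamole (example)
totp-digits: 6
totp-period: 30
totp-mode: sha1
```

With all three extension .jar files in GUACAMOLE_HOME/extensions, a login that passes LDAP is then prompted for the TOTP code before a session is granted. Because the TOTP module generates its own keys, this does not reuse an existing multiOTP token; keeping one token for the whole environment is the case for the RADIUS route discussed above.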