Mike, thanks. But now I need your help...

I've configured Guacamole's RADIUS extension to communicate with a FreeRADIUS proxy as described here - https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy

So the additional FreeRADIUS asks for login/password from my AD via LDAP and then it asks for an OTP from my RcDevs OTP server via RADIUS. And it works! I can see success-auth logs everywhere and even catalina.out tells me:

[http-nio-8080-exec-4] INFO o.a.g.r.auth.AuthenticationService - User "my-ad-login-name-here" successfully authenticated from my-ip-address

But my browser says:

An error has occurred and this action cannot be completed. If the problem persists, please notify your system administrator or check your system logs.

So what system logs should I check?
PS: I do not have an SQL server configured, so I do not have any connections. But it was not a problem when I was playing with ldap-auth-extension.

Mon, 12 Nov 2018 at 19:23, Mike Jumper <[email protected]>:

> On Mon, Nov 12, 2018, 08:02 SergeyKh <[email protected]> wrote:
>
>> Oh I see. Thank you very much.
>> Do you have any plans to make some kind of flexible authorization that
>> could use one or two authorization sources like radius?
>> ldap+radius or radius+radius or local-sql+radius
>> ?
>
> Guacamole does already do this. Once the user has been authenticated, each
> extension is polled to authorize that user for the resources provided by
> that extension, if any. There can be only one source of identity, but all
> other extensions have the option to further verify, ignore, or veto that
> identification.
>
> Based on your past emails to this list, I don't think what you're looking
> for is multiple sources of authorization (which Guacamole does provide) or
> multiple sources of authentication (which Guacamole also provides), but
> rather allowing RADIUS to function as an additional authentication factor
> rather than the first factor.
>
> There are no current plans to modify the RADIUS support to allow it to
> function as an additional factor on top of other authentication mechanisms.
> If this truly is a standard arrangement - RADIUS serving as a
> second/third/etc. factor on top of whatever source has provided the base
> authentication, then I'm sure there will be such plans, though we'd need to
> see some documentation of that standard use. I'm not personally familiar
> enough with RADIUS to judge either way at the moment.
>
> - Mike
