On Fri, Aug 23, 2019 at 6:24 AM "michael böhm" <[email protected]> wrote:
> Hi everyone,
>
> I was able to test the radius-authentication successfully.
>
> Two more questions:
>
> - How does Guacamole recognize whether or not a user is a radius-user?
> What hash is in the password-field of the mysql-db for radius-users?
>

Guacamole attempts authentication with each module (in the order loaded, which is generally alphabetical order), until it succeeds or reaches the last module and fails. Guacamole then keeps track, internally, of which module authenticated the user.

Guacamole also supports "stacking" of authentication - that is, you can create the user in the JDBC module and assign permissions to that user, then authenticate with the RADIUS module, and it will allow the users to see the permissions from JDBC.

As far as the password field hash in the database - if you don't specify a password for a user, a random one will be generated, so that is the value stored there. This is for security, so that users essentially do not have empty passwords.

> - Does Guacamole support access-challenges, like when the user has to
> change his password via Radius?
>
> Login ---access-request---> access-challenge "Please change your password"
> ---challenge-response---> Permit.
>

Yes, this was one of my big reasons for implementing the RADIUS module, to support 2FA authentication that uses RADIUS challenge-response. I have specifically tested with LinOTP, but I think a couple of other people have used Azure MFA with some success. There are some recent changes (not yet released) that will improve this experience, as well, such as disabling fields while waiting for the server (useful with Azure MFA when it sends the notification to your mobile phone, for example).

-Nick
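The Access-Request / Access-Challenge / Access-Accept exchange discussed above, shown at packet level as an added example; it is not part of the original message and is not Guacamole's RADIUS module code. The toy server, its `SESSIONS` table and the `login` helper are constructed for illustration, and the User-Password hiding and Response Authenticator checks that RFC 2865 requires are omitted.

```python
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
REQUEST, ACCEPT, REJECT, CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SESSIONS = {}  # toy server's pending challenges: State value -> user name

def encode(code, ident, attrs):
    """Header (code, id, length, 16-byte authenticator) followed by TLVs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + os.urandom(16) + body

def decode(packet):
    """Return (code, id, {type: value}); reject malformed lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4].ljust(4, b"\0"))
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length")
    attrs, pos = {}, 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[packet[pos]] = packet[pos + 2:pos + alen]
        pos += alen
    return code, ident, attrs

def toy_server(packet):
    """Constructed stand-in: challenges once, then accepts only its own State."""
    _, ident, attrs = decode(packet)
    state = attrs.get(STATE)
    if state is None:  # first request: issue a challenge bound to this user
        state = os.urandom(8)
        SESSIONS[state] = attrs.get(USER_NAME)
        prompt = b"Please change your password"
        return encode(CHALLENGE, ident, [(REPLY_MESSAGE, prompt), (STATE, state)])
    ok = USER_NAME in attrs and SESSIONS.pop(state, None) == attrs[USER_NAME]
    return encode(ACCEPT if ok else REJECT, ident, [])

def login(user, answers, server=toy_server):
    """Send one answer per round, echoing State (password hiding omitted)."""
    prompts, extra = [], []
    for ident, answer in enumerate(answers):
        req = encode(REQUEST, ident, [(USER_NAME, user), (USER_PASSWORD, answer)] + extra)
        code, rid, attrs = decode(server(req))
        if rid != ident or code != CHALLENGE:
            return code == ACCEPT and rid == ident, prompts
        prompts.append(attrs.get(REPLY_MESSAGE, b"").decode())
        extra = [(STATE, attrs[STATE])] if STATE in attrs else []
    return False, prompts
```

The State attribute is what ties the follow-up request to the challenge, so the toy server rejects a State value it never issued, one presented under a different user name, or one that has already been used.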
