Hi Nick,
thank you for pointing me to the logback.xml settings. The debug level of
logging has revealed the following error:
20:03:57.517 [http-nio-8080-exec-6] ERROR o.a.g.a.r.RadiusConnectionService - Unable to complete authentication.
20:03:57.528 [http-nio-8080-exec-6] DEBUG o.a.g.a.r.RadiusConnectionService - Authentication with RADIUS failed.
net.jradius.exception.RadiusException: You can not currently use chap within a TLS Tunnel because of limitations in Java 1.5.
        at net.jradius.client.auth.EAPTTLSAuthenticator.init(EAPTTLSAuthenticator.java:79)
        at net.jradius.client.auth.EAPTLSAuthenticator.setupRequest(EAPTLSAuthenticator.java:134)
        at net.jradius.client.auth.EAPTTLSAuthenticator.setupRequest(EAPTTLSAuthenticator.java:110)
        at org.apache.guacamole.auth.radius.RadiusConnectionService.authenticate(RadiusConnectionService.java:229)
I get the same error if I use mschapv2 as the radius-eap-ttls-inner-protocol.
In any case, there is no packet leaving my guacamole server. As I stated in my
first email, the error occurs when calling the setupRequest method, before the
request is sent out to my RADIUS server.
I'm not a Java developer, no clue what "Java 1.5." refers to. I use OpenJDK
Runtime Environment (Red_Hat-11.0.16.0.8-1.el8_6) (build 11.0.16+8-LTS) on my guacamole
server.
May I ask you for help?
Regards,
Pavel
On Thu, Aug 25, 2022 at 07:53:28AM -0400, Nick Couchman wrote:
> On Thu, Aug 25, 2022 at 2:42 AM Pavel Kůžel <[email protected]> wrote:
> > Hello,
> > has anybody successfully configured the RADIUS authentication using EAP-TTLS on
> > guacamole server? Although I configured EAP-TTLS, when a client's
> > authentication should be optional, the RADIUS extension demands a radius key
> > file. Anyway, I created the key file including a cert and a key in PEM format,
> > the RADIUS extension was successfully initiated afterwards, but I ended up with
> > the ERROR message:
> > "ERROR o.a.g.a.r.RadiusConnectionService - Unable to complete
> > authentication."
> > after calling radAuth.setupRequest(radiusClient, radAcc) in authenticate method.
> > My radius auth. guacamole config follows:
> > radius-hostname: <my_radius_server>
> > radius-auth-port: 1812
> > radius-shared-secret: <my_share_secret>
> > radius-auth-protocol: eap-ttls
> > radius-eap-ttls-inner-protocol: chap
> > radius-trust-all: true
> > radius-retries: 3
> > radius-timeout: 30
> > Maybe somebody with a working configuration might be so kind and point me in
> > the right direction.
>
> It was definitely something I tested and verified working back when I
> wrote the module, but I've never used EAP-TTLS in any sort of a
> long-term production environment, so I don't have a working
> configuration to share. I'd suggest the following:
> * Examine logs on the RADIUS server to see if it provides any hints as
>   to why authentication is failing.
> * Turn up logging for the web application and see if you get any
>   additional debug messages from the RADIUS module. Instructions for
>   this are documented in the manual:
>   https://guacamole.apache.org/doc/gug/configuring-guacamole.html#logging-within-the-web-application
> -Nick
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
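
Added example (not part of the original messages and not Guacamole project code): a small Python check of guacamole.properties that flags the two settings this thread turns on, namely the inner protocols reported above as failing in setupRequest before any packet is sent, and radius-trust-all: true, which turns off validation of the RADIUS server's certificate. The hostname and secret in the sample are constructed placeholders, and the rejected-protocol set reflects only what this thread reports.

```python
import re

# Inner protocols that this thread reports as rejected in setupRequest. This is
# taken from the messages above; it is not a full list of what JRadius accepts.
REJECTED_IN_THREAD = {"chap", "mschapv2"}

def parse_properties(text):
    """Parse 'name: value' or 'name=value' lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^:=\s]+)\s*[:=]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def lint_radius(props):
    """Return (property, finding) tuples for an EAP-TTLS RADIUS configuration."""
    findings = []
    if props.get("radius-auth-protocol", "").lower() != "eap-ttls":
        return findings  # the checks below only concern EAP-TTLS
    inner = props.get("radius-eap-ttls-inner-protocol", "").lower()
    if not inner:
        findings.append(("radius-eap-ttls-inner-protocol", "not set for eap-ttls"))
    elif inner in REJECTED_IN_THREAD:
        findings.append(("radius-eap-ttls-inner-protocol",
                         f"'{inner}' is reported to fail before any packet is sent"))
    # radius-trust-all is treated as false when the property is absent.
    if props.get("radius-trust-all", "false").lower() == "true":
        findings.append(("radius-trust-all",
                         "server certificate is not validated; use radius-ca-file"))
    return findings

# Constructed sample modelled on the configuration quoted in the first message.
SAMPLE = """\
radius-hostname: radius.example.test
radius-auth-port: 1812
radius-shared-secret: placeholder-secret
radius-auth-protocol: eap-ttls
radius-eap-ttls-inner-protocol: chap
radius-trust-all: true
"""

if __name__ == "__main__":
    for prop, finding in lint_radius(parse_properties(SAMPLE)):
        print(f"{prop}: {finding}")
```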