On Thu, Aug 25, 2022 at 2:25 PM Pavel Kůžel <[email protected]> wrote:
>
> Hi Nick,
>
> thank you for pointing me to the logback.xml settings. The debug level of
> logging has revealed the following error:
>
> 20:03:57.517 [http-nio-8080-exec-6] ERROR o.a.g.a.r.RadiusConnectionService - Unable to complete authentication.
> 20:03:57.528 [http-nio-8080-exec-6] DEBUG o.a.g.a.r.RadiusConnectionService - Authentication with RADIUS failed.
> net.jradius.exception.RadiusException: You can not currently use chap within a TLS Tunnel because of limitations in Java 1.5.
>         at net.jradius.client.auth.EAPTTLSAuthenticator.init(EAPTTLSAuthenticator.java:79)
>         at net.jradius.client.auth.EAPTLSAuthenticator.setupRequest(EAPTLSAuthenticator.java:134)
>         at net.jradius.client.auth.EAPTTLSAuthenticator.setupRequest(EAPTTLSAuthenticator.java:110)
>         at org.apache.guacamole.auth.radius.RadiusConnectionService.authenticate(RadiusConnectionService.java:229)
>
> I get the same error if I use mschapv2 as the radius-eap-ttls-inner-protocol.
> In any case there is no packet leaving my guacamole server. As I stated in my
> first email, the error occurs when calling the setupRequest method, before the
> request is sent out to my RADIUS server.
> I'm not a Java developer; no clue what "Java 1.5." refers to. I use OpenJDK
> Runtime Environment (Red_Hat-11.0.16.0.8-1.el8_6) (build 11.0.16+8-LTS) on my
> guacamole server.
>
Ah, wow, this is actually a limitation of the RADIUS library we use (JRadius) - their code actually does not support tunneling any of the CHAP protocols inside of EAP-TTLS:

https://github.com/coova/jradius/blob/4ee91e33fa155843fe428559d81f036051d30515/extended/src/main/java/net/jradius/client/auth/EAPTTLSAuthenticator.java#L69-L81

Unfortunately the JRadius project hasn't had any commits since 2017, so it looks pretty dead. We might have to try to track down an alternative RADIUS library to use for this extension, if one exists - on the whole, I think RADIUS is being pretty well replaced with SSO technologies like SAML and OpenID, so the interest in generating a new library seems pretty low.

For the moment you'll have to pick a different protocol set to use - if you're going to tunnel inside EAP-TTLS, use PAP, perhaps, or maybe use EAP-TLS, which doesn't tunnel another protocol.

-Nick
