Dear all,

I am trying out various authentication mechanisms on a test box. TOTP was a doddle to set up with LDAP to an Active Directory LDAP source. I then moved on to RADIUS as a second factor. I am using PrivacyIDEA to drive a FreeRADIUS with which I can use radclient to authenticate successfully. I am using a push token, so an app on my phone gets pinged to allow or deny an attempt to login.

I am running 1.5.5 and my extensions directory currently has .jars for jdbc-postgresql, auth-ldap and auth-radius (and one for branding, that fiddles with the login CSS).

If I get my username and AD password correct I get logged in, regardless of RADIUS. If I get my username correct but put rubbish in for my password and get RADIUS right, then I get logged in. So it seems I have managed to get myself in a situation where I have two forms of auth instead of multi-factor auth.

I have just verified this, twice:

- Wrong username and wrong password - no access
- Correct username + correct LDAP password causes a prompt on phone ... ignore it and I get logged in
- Correct username + wrong LDAP password causes a prompt on phone ... accept prompt and I get logged in

There doesn't seem to be much logging from the RADIUS extension, which makes it hard to debug. I get that there is a license incompatibility for the RADIUS plugin - Apache vs GPL. I have no idea if that is a factor.

I have set this in guacamole.properties:

    extension-priority: branding, radius, postgresql, ldap, *

So my end goal is to fire up the Guacamole login page, enter my AD username and password and then get pinged by the app and press the accept button. If any part of that workflow fails, then the session should fail.

Cheers
Jon
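A small audit script for the check described above, added here as an example and not part of the original post or of the Guacamole project. It assumes Guacamole's REST login endpoint `POST /api/tokens` (HTTP 200 with an `authToken` field on success, 403 on rejection) and encodes the two single-factor cases from the post so the verdict ("either-or" versus "multi-factor") can be computed from observed outcomes.

```python
"""Probe a Guacamole login with the single-factor cases from the post and
report whether the factors are combined (AND) or merely offered as
alternatives (OR).  Added example; assumes the /api/tokens endpoint.
A push-token factor needs a human to accept or ignore the phone prompt
while each probe runs, so run the cases one at a time."""
import urllib.error
import urllib.parse
import urllib.request

# Outcomes reported in the post (username correct in both cases).
OBSERVED_FROM_POST = {
    "correct_password_ignore_push": True,   # logged in without the push
    "wrong_password_accept_push": True,     # logged in without the password
}

# What a genuine second factor must produce: neither factor alone suffices.
EXPECTED_MFA = {
    "correct_password_ignore_push": False,
    "wrong_password_accept_push": False,
}


def classify(outcomes):
    """'multi-factor' if no single factor grants access, 'either-or' if one
    factor alone is enough, 'inconclusive' if a case was not observed."""
    pw_alone = outcomes.get("correct_password_ignore_push")
    push_alone = outcomes.get("wrong_password_accept_push")
    if pw_alone is None or push_alone is None:
        return "inconclusive"
    if not pw_alone and not push_alone:
        return "multi-factor"
    return "either-or"


def probe_login(base_url, username, password, timeout=60):
    """POST credentials to /api/tokens (assumed endpoint); True if a token
    was issued.  Generous timeout so a push prompt can be answered."""
    body = urllib.parse.urlencode(
        {"username": username, "password": password}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/tokens", data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200 and b"authToken" in resp.read()
    except urllib.error.HTTPError:
        return False  # 403: login rejected


if __name__ == "__main__":
    print(classify(OBSERVED_FROM_POST))  # the post's setup: either-or
```

To audit a live box, call `probe_login()` once per case (ignoring, then accepting, the phone prompt) and feed the two results to `classify()`; the workflow the post asks for is the one that returns "multi-factor".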
