Hello,
Sounds like you want CAC/PIV for identity access credential management
(iCAM).
This is easily done with NGINX: it prompts for the CAC (smart card access);
once the reader loads the card into the session, NGINX verifies the cert
and, if valid, you may proceed.
The great thing is that this is an NGINX function, so you can still use
SSO/CAS or LDAP with Guacamole.
Hope this helps!
PATH: /etc/nginx/sites-enabled/default

server {
    listen 443 ssl default_server;
    server_name localhost;
    server_tokens off;

    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_certificate /etc/nginx/ssl/YOURDOMAIN-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/private/YOURDOMAIN_priv.key;
    ssl_ciphers 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384';
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    add_header Referrer-Policy "no-referrer";
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
    add_header X-Frame-Options "";
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    proxy_hide_header Server;
    proxy_hide_header X-Powered-By;
    proxy_hide_header X-Frame-Options;
    client_body_timeout 10;
    client_header_timeout 10;

    # CAC client certificate settings
    ssl_client_certificate /etc/nginx/ssl/dod/dodpki.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;

    error_page 400 496 /400.html; # custom 400/496 page
    location = /400.html {
        # (location body truncated in the original message)
    }
}
Thank You
Sean Hulbert
Security Centric Inc.
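A check of the posted gate, added here as an example and not part of the reply above: a stdlib-only Python linter that parses NGINX directives (quoted arguments, comments, nested blocks) and confirms the client-certificate settings actually make the card mandatory, namely ssl_verify_client on, ssl_client_certificate present, and no legacy TLS versions in ssl_protocols. The two server blocks are constructed for the example (the paths mirror the posted config); the tool runs on the posted fragment once it is wrapped in a complete server block.

```python
import re

# One token per match: a comment, a quoted argument, a punctuation mark
# ('{', '}' or ';') or a bare word. Leading whitespace is skipped.
_TOKEN = re.compile(
    r"""\s*(?:(?P<comment>\#[^\n]*)
           |(?P<quoted>'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")
           |(?P<punct>[{};])
           |(?P<word>[^\s{};'"#]+))""",
    re.VERBOSE,
)

# TLS versions a CAC/PIV gate should never negotiate.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def tokenize(text):
    """Yield (kind, value); kind is 'arg', '{', '}' or ';'. Comments are dropped."""
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:  # only whitespace left, or something unparseable
            if text[pos:].strip():
                raise ValueError(f"cannot tokenize input at offset {pos}")
            break
        pos = m.end()
        if m.group("comment") is not None:
            continue
        if m.group("punct") is not None:
            yield m.group("punct"), m.group("punct")
        elif m.group("quoted") is not None:
            yield "arg", m.group("quoted")[1:-1]  # strip the surrounding quotes
        else:
            yield "arg", m.group("word")


def parse(text):
    """Return [(name, args, children)]; children is None for simple directives
    and a nested list for block directives such as server or location."""
    directives, stack, current = [], [], []
    target = directives
    for kind, value in tokenize(text):
        if kind == "arg":
            current.append(value)
        elif kind == ";":
            if not current:
                raise ValueError("';' without a directive")
            target.append((current[0], current[1:], None))
            current = []
        elif kind == "{":
            if not current:
                raise ValueError("'{' without a block name")
            children = []
            target.append((current[0], current[1:], children))
            stack.append(target)
            target, current = children, []
        else:  # '}'
            if not stack:
                raise ValueError("unbalanced '}'")
            target = stack.pop()
    if current or stack:
        raise ValueError("unterminated directive or block")
    return directives


def find(directives, name):
    """Argument lists of every directive called `name`, nested blocks included."""
    hits = []
    for dname, args, children in directives:
        if dname == name:
            hits.append(args)
        if children:
            hits.extend(find(children, name))
    return hits


def check_client_cert_gate(text):
    """Findings for a server block; an empty list means the card gate is enforced."""
    conf, findings = parse(text), []
    verify = find(conf, "ssl_verify_client")
    if not verify:
        findings.append("ssl_verify_client is absent: no client certificate is ever requested")
    else:
        mode = (verify[-1] or ["?"])[0]
        if mode != "on":
            findings.append(f"ssl_verify_client is '{mode}': a client that presents no "
                            "certificate still completes the handshake unless "
                            "$ssl_client_verify is checked")
    if not find(conf, "ssl_client_certificate"):
        findings.append("ssl_client_certificate is absent: no trust anchors for the card's issuer chain")
    for args in find(conf, "ssl_protocols"):
        legacy = sorted(LEGACY_PROTOCOLS & set(args))
        if legacy:
            findings.append("ssl_protocols enables legacy versions: " + ", ".join(legacy))
    return findings


# Constructed sample: the gate as posted, reduced to the settings that matter.
ENFORCED = """
server {
    listen 443 ssl default_server;
    ssl_protocols TLSv1.3 TLSv1.2;
    # CAC client certificate settings
    ssl_client_certificate /etc/nginx/ssl/dod/dodpki.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;
    error_page 400 496 /400.html;
    location = /400.html { internal; }
}
"""

# Constructed weakened variant: the card is requested but not required and
# TLS 1.1 is still enabled. The quoted header value contains ';' on purpose.
OPTIONAL = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_client_certificate /etc/nginx/ssl/dod/dodpki.pem;
    ssl_verify_client optional;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
}
"""

if __name__ == "__main__":
    for label, conf in (("enforced", ENFORCED), ("optional", OPTIONAL)):
        print(f"{label}: {check_client_cert_gate(conf) or ['no findings']}")
```

The parser keeps quoted values intact, so a header value containing a semicolon does not end the directive early, and `find` searches nested blocks so a `location` that quietly relaxes the gate is still seen.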
On 1/22/2025 11:51 PM, Bhupender wrote:
Dear Support Team,
I hope this email finds you well. I am encountering issues with smart
card integration in our Guacamole deployment and would appreciate your
assistance.
Environment Details:
* Guacamole Version: 1.5.4
* OS: Ubuntu 22.04
* Smart Card Reader: ACS ACR39U ICC Reader
* Card Type: Siemens SLE 4432/42
* FreeRDP Version: 2.6.1
Key Issue:
Smart card authentication works with direct xfreerdp connections
but fails when connecting through Guacamole. The smart card
reader is detected at the system level but is not being redirected
through the Guacamole connection.
Working Configuration:

    # Direct xfreerdp connection (WORKING):
    xfreerdp /v:<RDP-SERVER>:<PORT> /u:<USERNAME> /smartcard

Current Implementation:
1. Guacamole Properties:

    rdp.security: nla
    rdp.enable-smartcard: true
    rdp.smartcard-readers: ACS ACR39U ICC Reader 00 00
    rdp.enable-drive: true
    rdp.create-drive-path: true
    rdp.ignore-cert: true

Steps Completed:
1. ✅ Recompiled guacamole-server with smart card support:

    CFLAGS="-I/usr/include/PCSC -I/usr/include/freerdp2 -DFREERDP_SMARTCARD_EMULATE=1" LDFLAGS="-lpcsclite -lfreerdp2"

2. ✅ Installed all required dependencies
3. ✅ Configured proper system permissions
4. ✅ Verified smart card detection
5. ✅ Tested multiple connection configurations

Current Status:
* ✅ System properly detects smart card reader
* ✅ Direct xfreerdp connections work
* ❌ Guacamole fails to redirect smart card
* ❌ Basic RDP connectivity affected after changes

Critical Questions:
1. Configuration: Are there specific parameters we're missing?
2. Debugging: What are the recommended steps to identify the
redirection issue?
3. Logging: Is there additional logging we can enable for smart
card handling?

Relevant Logs:

    Jan 22 12:49:17 guacd[xxxx]: Security mode: NLA
    Jan 22 12:49:37 guacd[xxxx]: Connected to RDPDR 1.13 as client 0x0017
    Jan 22 12:49:38 guacd[xxxx]: RDPDR user logged on

Additional Information:
* Smart card is detected by pcsc_scan
* All system services are running
* Proper permissions are set for guacd user
I can provide any additional technical details or logs if needed. Your
guidance on resolving this issue would be greatly appreciated.
Thank you for your time and assistance.
Best regards,
Bhupender