Posted to user@guacamole.apache.org by drhy <da...@outlook.com> on 2019/09/12 01:17:12 UTC

Authenticate with RADIUS and LDAP and database

Is it possible to use three authentication extensions, in order ?

1. initially authenticate using RADIUS, via Windows Network Policy Server to
trigger Azure MFA,
2. then if authenticated by RADIUS, to use LDAP to lookup Groups from Active
Directory,
3. then finally match one of the Active Directory Groups against a
configured Group held by a database (eg MySQL, Postgres), with the database
Group resulting in the user being presented with a list of preconfigured
connections and permissions connecting.

If the RADIUS authentication failed then under this scenario the user
wouldn't be able to connect, and similarly if the Group/s from Active
Directory didn't match any in the database, then the user wouldn't be able
to connect.

Thanks for the help.

-David



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org


Re: Authenticate with RADIUS and LDAP and database

Posted by drhy <da...@outlook.com>.
Hi Nick
Thanks.
I will give it a whirl with 1.1.0 and report back.
-David



Re: Authenticate with RADIUS and LDAP and database

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Sep 11, 2019 at 9:17 PM drhy <da...@outlook.com> wrote:

> Is it possible to use three authentication extensions, in order ?
>
> 1. initially authenticate using RADIUS, via Windows Network Policy Server
> to
> trigger Azure MFA,
> 2. then if authenticated by RADIUS, to use LDAP to lookup Groups from
> Active
> Directory,
> 3. then finally match one of the Active Directory Groups against a
> configured Group held by a database (eg MySQL, Postgres), with the database
> Group resulting in the user being presented with a list of preconfigured
> connections and permissions connecting.
>
> If the RADIUS authentication failed then under this scenario the user
> wouldn't be able to connect, and similarly if the Group/s from Active
> Directory didn't match any in the database, then the user wouldn't be able
> to connect.

I suspect this will not work as you want it, for the following reason:
- If RADIUS authentication happens first, it will enforce MFA and
ultimately succeed, but then the LDAP module won't actually try to bind
with the username/password.  I could be wrong about this - maybe it will go
ahead and try - but I think a fully successful authentication by the RADIUS
module would result in a login without any of the other modules actually
trying to authenticate.  Because the LDAP module bases its searches on the
user who is logging in, if the user is successfully authenticated I'm not
sure it'll actually try it.
- If LDAP authentication happens first, then LDAP will succeed and RADIUS
will not be tried, so MFA will not be enforced.

It may be worth messing around with it to see if any of those combinations
work - including changing the ordering of how the authentication modules
load - but I'm not optimistic it'll work exactly how you want it to.

-Nick
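For readers wanting to try the experiment Nick suggests, the guacamole.properties fragment below is an added illustration of the three-extension setup David describes (RADIUS, then LDAP group lookup, then a JDBC database holding the groups and connections). It is not part of this thread and is not configuration from the Guacamole project; the property names are those I understand the RADIUS, LDAP and MySQL extensions to use, and `extension-priority` (which controls load order) is assumed to be available in the 1.1.0 release David plans to test. Verify every key against the manual for your version, and note that the thread does not confirm this ordering produces the desired "RADIUS must pass, then groups must match" behaviour. All hostnames, secrets and DNs are placeholders.

```properties
# Added example: load the extensions in the order David wants them tried.
# Namespaces are assumed to be "radius", "ldap" and "mysql"; verify for your version.
extension-priority: radius, ldap, mysql

# --- RADIUS (Windows NPS in front of Azure MFA) ---
radius-hostname: nps.example.internal           # placeholder
radius-auth-port: 1812
radius-shared-secret: CHANGE_ME_SHARED_SECRET    # placeholder; store outside version control
radius-auth-protocol: pap                        # choose whatever your NPS policy accepts
radius-retries: 3
radius-timeout: 60                               # seconds; allow time for the MFA prompt

# --- LDAP (Active Directory, used here only to resolve group membership) ---
ldap-hostname: dc01.example.internal             # placeholder
ldap-port: 636
ldap-encryption-method: ssl
ldap-user-base-dn: OU=Users,DC=example,DC=internal
ldap-username-attribute: sAMAccountName
ldap-group-base-dn: OU=Groups,DC=example,DC=internal
ldap-member-attribute: member

# --- Database (MySQL) holding the group, connections and permissions ---
mysql-hostname: db.example.internal              # placeholder
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: CHANGE_ME_DB_PASSWORD            # placeholder
# Assumption: a user group created in the database with the same name as the
# AD group (e.g. "Guacamole-Users") is what carries the connection permissions.
# Requiring the user to exist in the database is the closest built-in "deny
# unless matched" control I know of; it does not by itself require a group match.
mysql-user-required: true
```

When testing, the thing to check is the one Nick raises: whether a login that RADIUS has already accepted still causes the LDAP extension to resolve groups and the database extension to apply them. Reading the webapp log at DEBUG level while logging in as a test user that belongs to no matching AD group is the quickest way to see which extensions actually ran and whether access was denied as intended.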