Extension Questions

["Fertig, Brian" <br...@philips.com>]

Greetings!

  Im looking to setup Guacamole for 2FA.  I have setup multiOTP and would like to see if its possible to have Guacamole use LDAP for user component and then multiOTP (radius) for the 2nd factor piece.  Is this possible?  Can someone direct me to documentation on how to setup the environment this way?   I have the documentation for LDAP just looking for radius/TOTP documentation.

Best regards,

Brian Fertig
Tools Solutions Architect


________________________________
The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.

RE: Extension Questions

["Fertig, Brian" <br...@philips.com>]

Nick hey thanks for the info.  In the past I have done LDAP/Radius for 2FA so I was going off of history.  If we can make it work that’s awesome.  The reason I am citing multiOTP is I have it setup in my environment already for some simple 2FA.  I would prefer my users to not have to have another token to auth Guacamole.  By using multiOTP they have one token to auth into the whole environment.  I will dig up some more information on multiOTP and see if I can find any documentation on the radius module.  I am running bleeding edge.  I installed it last night and it seems to be working ok.


Brian


From: Nick Couchman [mailto:vnick@apache.org]
Sent: Friday, April 6, 2018 9:40 AM
To: user@guacamole.apache.org
Subject: Re: Extension Questions

On Fri, Apr 6, 2018 at 8:59 AM, Fertig, Brian <br...@philips.com>> wrote:
Greetings!

  Im looking to setup Guacamole for 2FA.  I have setup multiOTP and would like to see if its possible to have Guacamole use LDAP for user component and then multiOTP (radius) for the 2nd factor piece.  Is this possible?  Can someone direct me to documentation on how to setup the environment this way?   I have the documentation for LDAP just looking for radius/TOTP documentation.


The RADIUS extension has not been officially released, yet, so the documentation is not on the web site.  You can check out the latest guacamole-client git repo and build it with the "-Plgpl-extensions" flag to build the RADIUS module.  If you do that you'll also need to check out the latest guacamole-server code and build and use that.  We're actively working toward a 1.0.0 release, which will include this (and many, many more) changes.  If you need the documentation for the RADIUS module you'll need to check out the guacamole-manual git repo and build that manual, and you can find the documentation for RADIUS.

However, I will caution that, based on what you've said, I don't think LDAP + RADIUS is actually what you want to do.  The way I tested 2FA with RADIUS in Guacamole was using LinOTP + FreeRADIUS, and the authentication was done entirely through RADIUS.  If you're looking to add a second factor to LDAP authentication for Guacamole, and you want to do it through something like multiOTP, you probably want to set up multiOTP to authenticate first with LDAP and then move on to the second factor - if you rely on Guacamole to do both LDAP and RADIUS, LDAP is going to succeed and log the user in and won't know to move on to RADIUS.

Alternatively you can use the recently-merged guacamole-auth-totp module to do this inside Guacamole, and you should be able to layer the modules such that LDAP can do the primary authentication and then the TOTP module will prompt for the second factor.  I think Mike is still working documentation for this module, so you'll have to go back through the mailing list and find documentation on how to use it, but it should eliminate the need to do RADIUS authentication for Guacamole unless you're using RADIUS for other stuff in your environment.

-Nick

________________________________
The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.

Re: Extension Questions

[Nick Couchman <vn...@apache.org>]

On Fri, Apr 6, 2018 at 8:59 AM, Fertig, Brian <br...@philips.com>
wrote:

> Greetings!
>
>
>
>   Im looking to setup Guacamole for 2FA.  I have setup multiOTP and would
> like to see if its possible to have Guacamole use LDAP for user component
> and then multiOTP (radius) for the 2nd factor piece.  Is this possible?
> Can someone direct me to documentation on how to setup the environment this
> way?   I have the documentation for LDAP just looking for radius/TOTP
> documentation.
>
>
>

The RADIUS extension has not been officially released, yet, so the
documentation is not on the web site.  You can check out the latest
guacamole-client git repo and build it with the "-Plgpl-extensions" flag to
build the RADIUS module.  If you do that you'll also need to check out the
latest guacamole-server code and build and use that.  We're actively
working toward a 1.0.0 release, which will include this (and many, many
more) changes.  If you need the documentation for the RADIUS module you'll
need to check out the guacamole-manual git repo and build that manual, and
you can find the documentation for RADIUS.

However, I will caution that, based on what you've said, I don't think LDAP
+ RADIUS is actually what you want to do.  The way I tested 2FA with RADIUS
in Guacamole was using LinOTP + FreeRADIUS, and the authentication was done
entirely through RADIUS.  If you're looking to add a second factor to LDAP
authentication for Guacamole, and you want to do it through something like
multiOTP, you probably want to set up multiOTP to authenticate first with
LDAP and then move on to the second factor - if you rely on Guacamole to do
both LDAP and RADIUS, LDAP is going to succeed and log the user in and
won't know to move on to RADIUS.

Alternatively you can use the recently-merged guacamole-auth-totp module to
do this inside Guacamole, and you should be able to layer the modules such
that LDAP can do the primary authentication and then the TOTP module will
prompt for the second factor.  I think Mike is still working documentation
for this module, so you'll have to go back through the mailing list and
find documentation on how to use it, but it should eliminate the need to do
RADIUS authentication for Guacamole unless you're using RADIUS for other
stuff in your environment.

-Nick