You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@guacamole.apache.org by Santiago Garcia Mantinan <ma...@manty.net> on 2020/04/28 12:47:06 UTC

Sugestion to add radius as a second authentication factor

Hi!

Reading the doc I found out that radius is available as a password
verification method, and that there are several second authentication
factors available, however I haven't seen the usage of radius as a second
factor of authentication working like the TOTP extension works.

I believe that adding radius as a second factor allows one to use the
backend of his choice through the radius without having to implement such
factor directly on guacamole.

I'd like to hear what you think of this, maybe as you already have radius
auth implemented this is an easy job and provides enough functionality for
ot te be implemented on future versions?

Thanks in advance, regards.
-- 
Manty/BestiaTester -> http://manty.net

Re: Sugestion to add radius as a second authentication factor

Posted by Nick Couchman <vn...@apache.org>.

On Tue, Apr 28, 2020 at 8:47 AM Santiago Garcia Mantinan <ma...@manty.net>
wrote:

> Hi!
>
> Reading the doc I found out that radius is available as a password
> verification method, and that there are several second authentication
> factors available, however I haven't seen the usage of radius as a second
> factor of authentication working like the TOTP extension works.
>
> I believe that adding radius as a second factor allows one to use the
> backend of his choice through the radius without having to implement such
> factor directly on guacamole.
>
> I'd like to hear what you think of this, maybe as you already have radius
> auth implemented this is an easy job and provides enough functionality for
> ot te be implemented on future versions?
>
>
The RADIUS extension already supports the Challenge/Response method that
many RADIUS servers implement for adding a second factor to
authentication.  This might be a little different than the use case you're
thinking about, with RADIUS as just the second factor, but it does work for
2FA authentication.  I have configurations of Guacamole currently that use
both LinOTP + RADIUS, as well as Azure MFA + RADIUS, to do two factor
authentication.  In the first case, with LinOTP, I use a PIN plus the
Google Authenticator app with a six digit number.  For the second case,
with Azure MFA, I log in with AD credentials and then receive the prompt in
the Azure authenticator app on my phone.

-Nick