Posted to commits@guacamole.apache.org by "Colin Gordon (JIRA)" <ji...@apache.org> on 2017/06/05 19:03:04 UTC

[jira] [Commented] (GUACAMOLE-197) Implement Support for RADIUS Authentication

    [ https://issues.apache.org/jira/browse/GUACAMOLE-197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16037410#comment-16037410 ] 

Colin Gordon commented on GUACAMOLE-197:
----------------------------------------

Hello, I love that Guacamole is including RADIUS auth. I routinely use OpenOTP as a 2-factor RADIUS server, and enabling Guacamole as a RADIUS client will make it eminently more useful for my purposes.

One additional feature I hope this project may consider adding is the ability to filter which configuration a user has access to upon authentication. With LDAP, Guacamole has the ability to provide a user access to a configuration based on which LDAP group the user is a member of (see here https://guacamole.incubator.apache.org/doc/0.9.3/gug/ldap-auth.html). This can be done with RADIUS as well, but requires the RADIUS client implementation to "look" at attributes that are returned by the RADIUS server. 

Many vendors implement this feature via vendor-specific attributes. This would require Guacamole to have its own RADIUS dictionary. However, Guacamole could choose to simply check the RADIUS Class attribute, and allow the user access to a configuration that matches the string within the Class attribute (see here: https://tools.ietf.org/html/rfc2865#page-46). This would allow a user logging in to view the "admins" configuration, if the Class attribute returns "admins" (in FreeRADIUS, Class := "admins"). You could even expand it to allow access to multiple configurations by using a delimiter (Class := "admins;RDPUsers;SSHUsers").

Anyway, thanks for RADIUS support!

> Implement Support for RADIUS Authentication
> -------------------------------------------
>
>                 Key: GUACAMOLE-197
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-197
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole, guacamole-client
>            Reporter: Nick Couchman
>            Assignee: Nick Couchman
>            Priority: Minor
>             Fix For: 0.9.14-incubating
>
>
> Working on implementing a RADIUS authentication module - guacamole-auth-radius.  The basic implementation is completed - with a basic PAP or CHAP RADIUS server, the authentication succeeds and the user is logged in.
> I'm running into an issue, though, trying to implement Challenge/Response in RADIUS.  I have my RADIUS server configured to talk to LinOTP for MFA/2FA, and RADIUS sends the AccessChallenge package back, asking for the second factor.  My issue is in my continual failure to grasp the connection between the servlet side and the AngularJS web application.  I've copied the Duo authentication code and tried to morph it into something that will present another box for the RADIUS challenge, but I can't get my controller function to actually fire.
> Once that is working, I'd like to support other RADIUS authentication protocols, like EAP-TLS and EAP-TTLS, so there's a little more work to be done, but right now I'm focusing on the basic protocols and the challenge/response.
> Will have a repo posted here in a moment for working on this.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
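
Added example, not part of the original message and not Guacamole's or any RADIUS library's code: a sketch of the Class-attribute mapping proposed in the comment above. It verifies the RFC 2865 Response Authenticator before trusting any returned attribute, then grants only those configurations that are both named in Class and configured locally. The function names, the shared secret and the sample packet are constructed for illustration; reading Class as a ";"-delimited UTF-8 string follows the comment's proposal (RFC 2865 itself defines Class as opaque octets).

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # packet code, RFC 2865 section 3
ATTR_CLASS = 25    # Class attribute, RFC 2865 section 5.25

def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def class_values(packet, request_auth, secret):
    """Return Class payloads from an Access-Accept whose authenticator verifies."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs = packet[20:length]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    if code != ACCESS_ACCEPT:
        return []
    values, pos = [], 0
    while pos < len(attrs):
        head = attrs[pos:pos + 2]  # attribute type and length octets
        if len(head) < 2 or head[1] < 2 or pos + head[1] > len(attrs):
            raise ValueError("malformed attribute")
        if head[0] == ATTR_CLASS:
            values.append(attrs[pos + 2:pos + head[1]])
        pos += head[1]
    return values

def allowed_configurations(values, known, delimiter=";"):
    """Grant only names that appear in Class and are configured locally."""
    names = set()
    for raw in values:
        names.update(n.strip() for n in raw.decode("utf-8", "replace").split(delimiter))
    return sorted(names & set(known))

def build_accept(ident, class_strings, request_auth, secret):
    """Constructed sample server reply, used only to exercise the parser."""
    attrs = b"".join(bytes([ATTR_CLASS, 2 + len(s)]) + s for s in class_strings)
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs
```

Names in Class that have no matching local configuration are ignored, so a mistyped or unexpected value on the RADIUS server grants nothing.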