Thanks Peter I will check this out
On Wed, Sep 13, 2023, 4:06 PM <p.bod...@centrum.cz> wrote:

> Hi Vikash,
>
> congrats on finally making it work.
>
> Regarding what you write about the bouncycastle.jar, this is an
> interesting "plot twist", because I wouldn't expect this library would
> relate to the connection issues you've reported lastly. Also, as I
> described before, I wouldn't even expect any bouncycastle.jar (bcprov.jar)
> to be present in the cas.war, unless explicitly specified. But yeah, one
> always doesn't hit the target... ;)
>
> > Could you suggest how we can add multiple inet address for RSA (edit:
> > you surely mean RADIUS here).
> > Like how the property needs to be configured
>
> This doesn't seem to be currently possible - you can define just one
> address for RADIUS. If you need multiple addresses, you would have to
> override the bean method *public BeanContainer<RadiusServer>
> radiusTokenServers* from the
> *RadiusTokenAuthenticationEventExecutionPlanConfiguration* class - in its
> source code
> <https://github.com/apereo/cas/blob/v6.6.10/support/cas-server-support-radius-mfa/src/main/java/org/apereo/cas/config/support/authentication/RadiusTokenAuthenticationEventExecutionPlanConfiguration.java#L65>,
> you can see, based on the documented CAS / RADIUS properties, it creates
> (logically) just one RadiusServer instance and puts it to the resulting
> list.
>
> Regards
> Petr
>
> ______________________________________________________________
> > From: "Vikash Chandra Ansh" <vikasharnav0...@gmail.com>
> > To: "Petr Bodnár" <p.bod...@centrum.cz>, "CAS Community" <cas-user@apereo.org>
> > Date: 13.09.2023 11:16
> > Subject: Re: [cas-user] Radius -MFA in cas 6.6.8
> >
> Hi All,
> I am able to connect RSA and get myself authenticated. The issue was with
> bouncycastle jar. I have added the dependency explicitly and removed the
> old version manually to resolve the issue.
> Hi Peter
> Could you suggest how we can add multiple inet address for RSA.
> Like how the property needs to be configured
> Thanks and regards
> Vikash Chandra
>
> On Thu, Sep 7, 2023, 9:14 AM Vikash Chandra Ansh <vikasharnav0...@gmail.com> wrote:
>
>> Hi All,
>> I have checked everything from my end. But still no luck.
>> Misagh could you please share your thoughts. It will be quite helpful
>> Thanks and regards
>> Vikash Chandra
>>
>> On Wed, Aug 30, 2023, 2:37 AM Vikash Chandra Ansh <vikasharnav0...@gmail.com> wrote:
>>
>>> It's Network team
>>>
>>> On Wed, Aug 30, 2023, 2:03 AM <p.bod...@centrum.cz> wrote:
>>>
>>>> Hi there,
>>>>
>>>> what does "NW" stand for?
>>>>
>>>> According to
>>>> https://serverfault.com/questions/35218/in-windows-using-the-command-line-how-do-you-check-if-a-remote-port-is-open,
>>>> they recommend either to use Portqry (download from
>>>> https://www.microsoft.com/en-us/download/details.aspx?id=17148&6B49FDFB-8E5B-4B07-BC31-15695C5A2143=1,
>>>> or there is also an UI version) or "a port of netcat" (download probably
>>>> from https://eternallybored.org/misc/netcat/ and notice the remark
>>>> about antiviruses...). I would probably go with the Portqry.
>>>>
>>>> I don't use these tools myself (commonly testing just TCP connections),
>>>> so thanks in advance to let me know about the results... :)
>>>>
>>>> Petr
>>>>
>>>> ______________________________________________________________
>>>> > From: "Vikash Chandra Ansh" <vikasharnav0...@gmail.com>
>>>> > To: "Petr Bodnár" <p.bod...@centrum.cz>
>>>> > Date: 29.08.2023 22:05
>>>> > Subject: Re: [cas-user] Radius -MFA in cas 6.6.8
>>>> >
>>>> Hi Peter,
>>>> Yes transport type is UDP in our case. But however I was not able to
>>>> test UDP ports on my Windows machine. I have asked my NW team, and they
>>>> have confirmed that 1812 and 1813 has been enabled at destination end for
>>>> my machine.
>>>> Is there any way to test in windows machine
>>>>
>>>> On Wed, Aug 30, 2023, 1:28 AM Vikash Chandra Ansh <vikasharnav0...@gmail.com> wrote:
>>>>
>>>>> Thanks for the clarification Peter.
>>>>> So you are saying that the username and password in canPing method
>>>>> are the radius server's inet address and shared secret respectively.
>>>>>
>>>>> On Wed, Aug 30, 2023, 1:15 AM Petr Bodnár <p.bod...@centrum.cz> wrote:
>>>>>
>>>>>> Hi Vikash,
>>>>>> I'm a bit confused now - because what you describe about pinging a
>>>>>> Radius server seems to be just fine: you can see in the source code of
>>>>>> *RadiusMultifactorAuthenticationProvider* (here
>>>>>> <https://github.com/apereo/cas/blob/v6.6.8/support/cas-server-support-radius-core-mfa/src/main/java/org/apereo/cas/adaptors/radius/authentication/RadiusMultifactorAuthenticationProvider.java#L53>)
>>>>>> that the pinging method does send a *testing* username and password
>>>>>> (i.e. not the ones from the login form) and it only fails when one of
>>>>>> *TimeoutException* or *SocketTimeoutException* is thrown from all
>>>>>> the setup Radius servers.
>>>>>> So maybe your Radius server (host and/or port) is just not accessible
>>>>>> from your CAS server? You hint above that you are using the default
>>>>>> "cas.authn.mfa.radius.client.transport-type=UDP" and you have the
>>>>>> appropriate UDP ports open - can you confirm this e.g. by using one of the
>>>>>> tools listed at https://www.baeldung.com/linux/udp-port-testing?
>>>>>> BTW I take your message as a confirmation that adding the bcprov
>>>>>> library to your CAS instance explicitly did help and you are solving
>>>>>> another problem within the flow now. Feel free to correct me.
>>>>>> Regards
>>>>>> Petr
>>>>>> On Tuesday, 29 August 2023 at 11:20:59 UTC+2 vikasha...@gmail.com wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>> I have dug down the flow for Radius token MFA.
>>>>>>> It is referring to a class RadiusMultifactorProvider where canPing()
>>>>>>> method is called. Which further calls the RadiusServer.java where
>>>>>>> authenticate method(CasRadiusResponse) is called. This method is now
>>>>>>> validating username and password against the radius server. Due to this
>>>>>>> reason only I am getting null flow execution.
>>>>>>> Can someone suggest why this is happening as my authentication has
>>>>>>> already been successful via LDAP authentication handler. It should now go
>>>>>>> to radius token page for token check and validation.
>>>>>>> Hi Misagh, please suggest if my understanding is valid or not
>>>>>>> I just want the flow where authentication is done by LDAP and 2FA
>>>>>>> with Radius. Please help here
>>>>>>> Thanks and regards
>>>>>>> Vikash Chandra
>>>>>>>
>>>>>>> On Thu, Aug 24, 2023, 8:07 PM Vikash Chandra Ansh <vikasha...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Thanks, I'll check it out.
>>>>>>>>
>>>>>>>> On Thu, Aug 24, 2023, 8:00 PM Petr Bodnár <p.bo...@centrum.cz> wrote:
>>>>>>>>
>>>>>>>>> Hi Vikash,
>>>>>>>>> a) regarding the *NoClassDefFoundError*, can you please try to
>>>>>>>>> add the following dependency to your Gradle (or do you use Maven?) project
>>>>>>>>> configuration and see if it helps?
>>>>>>>>>
>>>>>>>>> https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on/1.63
>>>>>>>>> That's the library that should contain the missing
>>>>>>>>> *DERObjectIdentifier* class. According to the contents of
>>>>>>>>> https://github.com/apereo/cas/blob/v6.6.8/support/cas-server-support-radius-mfa/build.gradle,
>>>>>>>>> it seems this library is added to the project, but only
>>>>>>>>> *conditionally*, so maybe that's the reason this information
>>>>>>>>> doesn't seem to get projected to the final artifact, i.e. you won't find
>>>>>>>>> the bcprov library listed e.g.
>>>>>>>>> on https://mvnrepository.com/artifact/org.apereo.cas/cas-server-support-radius-mfa/6.6.10 .
>>>>>>>>> b) Regarding the bypasses, I have no clue. I can only recommend
>>>>>>>>> checking the logs (with possibly increasing log level to DEBUG) and diff
>>>>>>>>> the configuration files against the CAS overlay template...
>>>>>>>>> Petr
>>>>>>>>>
>>>>>>>>> On Tuesday, 22 August 2023 at 10:48:53 UTC+2 vikasha...@gmail.com wrote:
>>>>>>>>>
>>>>>>>>>> Hi All,
>>>>>>>>>> One more observation is that, I am getting authentication success
>>>>>>>>>> and few multifactor authentication bypass logs in server. However I haven't
>>>>>>>>>> added any bypass mechanism
>>>>>>>>>> Please someone help here.
>>>>>>>>>> Thanks & Regards
>>>>>>>>>> Vikash Chandra
>>>>>>>>>>
>>>>>>>>>> On Mon, Aug 21, 2023, 8:19 PM Vikash Chandra Ansh <vikasha...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi Peter and Ray,
>>>>>>>>>>> Thanks for your input. I have added the global trigger and set
>>>>>>>>>>> the value as mfa-radius.
>>>>>>>>>>> Now I am getting type mismatch error.
>>>>>>>>>>> Please find the logs below:-
>>>>>>>>>>> Ignoring the received exception
>>>>>>>>>>> (org.springframework.web.util.NestedServletException:
>>>>>>>>>>> Handler dispatch falled; nested exception is
>>>>>>>>>>> java.lang.NoClassDeffoundError:
>>>>>>>>>>> org/bouncycastle/asn1/DEROjectidentifier)
>>>>>>>>>>> due to type mismatch with handler [[
>>>>>>>>>>> FlowHandlerMapping.DefaultFlowHandler@3b873134]]>
>>>>>>>>>>> 3823-03-31 13:40:47,365 ERROR
>>>>>>>>>>> [org.springframework.boot.web.servlet.support.ErrorPaegfilter] Forwarding
>>>>>>>>>>> to error page free request [/login) due to exception
>>>>>>>>>>> [org/bouncycastle/asn1/DERObjectIdentifier
>>>>>>>>>>> Thanks and regards
>>>>>>>>>>> Vikash
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Aug 18, 2023, 12:21 PM Petr Bodnár <p.bo...@centrum.cz> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Vikash,
>>>>>>>>>>>> as you haven't provided much details (e.g. what you actually
>>>>>>>>>>>> see in the CAS UI and in CAS logs), I can only guess that maybe, you just
>>>>>>>>>>>> only haven't *activated* the Radius MFA provider for example
>>>>>>>>>>>> via the "*cas.authn.mfa.triggers.global.global-provider-id*"
>>>>>>>>>>>> property - see
>>>>>>>>>>>> https://apereo.github.io/cas/6.6.x/mfa/Configuring-Multifactor-Authentication-Triggers-Global.html
>>>>>>>>>>>> as one of the available MFA triggers.
>>>>>>>>>>>> Petr
>>>>>>>>>>>> On Thursday, 17 August 2023 at 20:57:38 UTC+2 vikasha...@gmail.com wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks Ray
>>>>>>>>>>>>> My LDAP authentication is working fine. On top of it I want
>>>>>>>>>>>>> Radius as 2FA, where I am struggling.
>>>>>>>>>>>>> Anybody please help here
>>>>>>>>>>>>> Thanks and regards
>>>>>>>>>>>>> Vikash Chandra
>>>>>>>>>>>>> On Thu, Aug 17, 2023, 11:24 PM Ray Bon <rb...@uvic.ca> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Vikash,
>>>>>>>>>>>>>> I have these ldap properties for cas authentication:
>>>>>>>>>>>>>> cas.authn.ldap[0].type=
>>>>>>>>>>>>>> cas.authn.ldap[0].ldapUrl=
>>>>>>>>>>>>>> cas.authn.ldap[0].connectTimeout=
>>>>>>>>>>>>>> cas.authn.ldap[0].baseDn=
>>>>>>>>>>>>>> cas.authn.ldap[0].subtreeSearch=
>>>>>>>>>>>>>> cas.authn.ldap[0].searchFilter=
>>>>>>>>>>>>>> cas.authn.ldap[0].bindDn=cn=
>>>>>>>>>>>>>> cas.authn.ldap[0].bindCredential=
>>>>>>>>>>>>>> I have not used Radius, so unfamiliar with its config.
>>>>>>>>>>>>>> https://apereo.github.io/cas/6.6.x/mfa/RADIUS-Authentication.html
>>>>>>>>>>>>>> Ray
>>>>>>>>>>>>>> On Thu, 2023-08-17 at 15:46 +0530, Vikash Chandra Ansh wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Notice: This message was sent from outside the University of
>>>>>>>>>>>>>> Victoria email system. Please be cautious with links and sensitive
>>>>>>>>>>>>>> information.
>>>>>>>>>>>>>> Hi Ray,
>>>>>>>>>>>>>> Could you please suggest what all properties need to be
>>>>>>>>>>>>>> enabled to use Radius as 2FA. My primary authentication will be LDAP
>>>>>>>>>>>>>> Thanks and Regards
>>>>>>>>>>>>>> Vikash Chandra
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Thu, Aug 10, 2023, 2:27 PM Vikash Chandra Ansh <vikasha...@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Ray,
>>>>>>>>>>>>>> We have NW change in place. There is UDP connectivity from my
>>>>>>>>>>>>>> cas server to radius server (unidirectional) on port 1812 and 1813.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Wed, Aug 9, 2023, 10:29 PM Ray Bon <rb...@uvic.ca> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Vikash,
>>>>>>>>>>>>>> Is it possible there is a network issue?
>>>>>>>>>>>>>> Ray
>>>>>>>>>>>>>> On Tue, 2023-08-08 at 17:20 +0530, Vikash Chandra Ansh wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Notice: This message was sent from outside the University of
>>>>>>>>>>>>>> Victoria email system. Please be cautious with links and sensitive
>>>>>>>>>>>>>> information.
>>>>>>>>>>>>>> Hi Everyone,
>>>>>>>>>>>>>> We are trying to implement radius MFA in CAS. In our case our
>>>>>>>>>>>>>> primary authentication will be LDAP and then for MFA we need RSA.
>>>>>>>>>>>>>> I have also added dependency as cas-server-support-radius-mfa.
>>>>>>>>>>>>>> I have added the required properties like client.inet-address
>>>>>>>>>>>>>> and shared-secret.
>>>>>>>>>>>>>> But still I can not see any hit on the radius server.
>>>>>>>>>>>>>> Can anyone please help here.
>>>>>>>>>>>>>> Cas version I am using is 6.6.8.
>>>>>>>>>>>>>> Thanks and regards
>>>>>>>>>>>>>> Vikash Chandra
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> - Website: https://apereo.github.io/cas
>>>>>>>>>>>>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>>>>>>>>>>>>> - List Guidelines: https://goo.gl/1VRrw7
>>>>>>>>>>>>>> - Contributions: https://goo.gl/mh7qDG
>>>>>>>>>>>>>> ---
>>>>>>>>>>>>>> You received this message because you are subscribed to the
>>>>>>>>>>>>>> Google Groups "CAS Community" group.
>>>>>>>>>>>>>> To unsubscribe from this group and stop receiving emails from
>>>>>>>>>>>>>> it, send an email to cas-user+u...@apereo.org.
>>>>>>>>>>>>>> To view this discussion on the web visit
>>>>>>>>>>>>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/ebab25780f77a0697d2191e2fc4e466d00d59f56.camel%40uvic.ca
>>>>>>>>>>>>>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/ebab25780f77a0697d2191e2fc4e466d00d59f56.camel%40uvic.ca?utm_medium=email&utm_source=footer>
>>>>>>>>>>>>>> .
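Added example, not part of the thread and not CAS code: a small Python probe for the UDP reachability question raised above (RADIUS on port 1812, where only a timeout counts as failure). It sends one RFC 2865 Access-Request with throwaway credentials and reports whether anything answers and whether the reply was signed with the same shared secret; the function names, the probe-user/probe-pass credentials, the NAS-Identifier value and the host and secret in the demo call are constructed.

```python
import hashlib
import hmac
import os
import socket
import struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def tlv(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value

def build_access_request(user, password, secret, identifier, authenticator):
    """Code 1 | Identifier | Length | Request Authenticator | attributes."""
    attrs = (tlv(1, user.encode())                      # User-Name
             + tlv(2, hide_password(password.encode(), secret, authenticator))
             + tlv(32, b"udp-probe"))                   # NAS-Identifier (constructed)
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(host: str, port: int, secret: bytes, timeout: float = 3.0) -> str:
    """Send one Access-Request with throwaway credentials; classify what comes back."""
    ident, auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request("probe-user", "probe-pass", secret, ident, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))  # connected socket surfaces ICMP port-unreachable
        try:
            sock.send(packet)
            reply = sock.recv(4096)
        except socket.timeout:
            return "timeout"        # filtered, or the server silently dropped it
        except ConnectionError:
            return "port-closed"    # host reachable, nothing listening on that port
    if len(reply) < 20 or reply[1] != ident:
        return "malformed-reply"
    verdict = "secret-ok" if reply_is_authentic(reply, auth, secret) else "secret-mismatch"
    return f"reachable:{CODES.get(reply[0], reply[0])}:{verdict}"

if __name__ == "__main__":  # constructed host and secret: substitute your own
    print(probe("127.0.0.1", 1812, b"example-shared-secret", timeout=2.0))
```

A `timeout` result does not by itself prove a firewall drop: RFC 2865 requires a RADIUS server to silently discard requests from a client address it has no shared secret for. An Access-Reject is the expected answer to the throwaway credentials and still shows the UDP path works in both directions.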