CAS 6.6 - RADIUS MFA Integration

67 views Asked by At

I am trying to integrate CAS 6.6 via RADIUS for 1st factor and 2-factor authentications.

I am getting the below message even after entering the correct OTP and displays the following message in UI OTP page.

Credentials are rejected/invalid and authentication attempt has failed.

2023-11-24 00:36:51,382 WARN \[org.apereo.cas.authentication.policy.AllAuthenticationHandlersSucceededAuthenticationPolicy\] - \<Number of successful authentications, \[2\], does not match the number of authentication handlers, \[1\].\>
2023-11-24 00:36:51,382 WARN \[org.apereo.cas.authentication.policy.AllAuthenticationHandlersSucceededAuthenticationPolicy\] - \<Number of successful authentications, \[2\], does not match the number of authentication handlers, \[1\].\>
2023-11-24 00:36:51,383 ERROR \[org.apereo.cas.authentication.DefaultAuthenticationManager\] - \<\[AuthenticationException\]: \[Unable to satisfy authentication policy AllAuthenticationHandlersSucceededAuthenticationPolicy\]\>
2023-11-24 00:36:51,384 INFO \[org.apereo.inspektr.audit.support.Slf4jLoggingAuditTrailManager\] - \<Audit trail record BEGIN
WHO: 1234
WHAT: \[RadiusTokenCredential\]
ACTION: AUTHENTICATION_FAILED
APPLICATION: CAS
WHEN: Fri Nov 24 00:36:51 AST 2023

Below is my configuration:

`cas.authn.accept.enabled=false
cas.authn.policy.all-handlers.enabled=true
cas.authn.policy.all.enabled=true
cas.authn.radius.client.inet-address=x.x.x.x
cas.authn.radius.client.shared-secret=1234567890
cas.authn.radius.client.socket-timeout=30
cas.authn.radius.server.protocol=PAP
cas.authn.radius.server.retries=1

cas.authn.mfa.radius.server.protocol=PAP
cas.authn.mfa.radius.client.shared-secret=1234567890
cas.authn.mfa.radius.client.inet-address=x.x.x.x
cas.authn.mfa.radius.allowed-authentication-attempts=10
cas.authn.mfa.radius.id=mfa-radius
cas.authn.mfa.triggers.global.globalProviderId=mfa-radius


cas.service-registry.core.init-from-json=false
cas.service-registry.json.location=file:C:\etc\cas\services`

I was expecting it to complete the authentication sucessfully

1

There are 1 answers

0
Saleem On

Had to make the following changes to work in my RADIUS Server.

  1. Removed cas.authn.policy.all-handlers.enabled=true parameter
  2. Returned Access_Reject when OTP is wrong rather than Access_Challenge