OK, I've been poking at this more, and it looks like I misunderstood the flow, 
which is not surprising to me.  :)

Apparently what we're seeing is the "ping" that is being done in 
RadiusTokenAuthenticationHandler.canPing().  The code explicitly sends the 
classname as its username and password, so the behavior I reported previously 
is "correct".

What we're trying to do is to use Microsoft's Azure MFA (since we are rolling 
that out for our O365, etc.) via Radius.  We've got the local Radius bits all 
set up and tested via other means.

So, I think I'm into new issue for feature-request territory, yes?  I just 
wanted to post the follow-up in case others were looking at this same thing.  
I'll take a look at the contribution guide and get something started.

Thanks,
Tim

From: <[email protected]> on behalf of Tim McLaughlin <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, April 25, 2017 at 15:47
To: "[email protected]" <[email protected]>
Subject: [cas-user] CAS 5.0.x and RADIUS MFA AccountName

Hello,

I am trying to set up RADIUS MFA.  Primary authentication (via LDAP) works 
fine, but while debugging the second-factor we're finding that the User-Name 
attribute in the Access-Request is "RadiusTokenAuthenticationHandler" instead 
of the logged-in username.

My config looks like this:

cas.authn.mfa.radius.failoverOnAuthenticationFailure=false
cas.authn.mfa.radius.failoverOnException=false
cas.authn.mfa.radius.client.socketTimeout=3
cas.authn.mfa.radius.client.sharedSecret=supersecret
cas.authn.mfa.radius.client.authenticationPort=1812
cas.authn.mfa.radius.client.accountingPort=1813
cas.authn.mfa.radius.client.inetAddress=x.x.x.x
cas.authn.mfa.radius.server.retries=3
cas.authn.mfa.radius.server.protocol=PAP
cas.authn.mfa.radius.server.nasIpAddress=x.x.x.x


We are pretty sure that the policies on the radius server are set up correctly, 
but don't know how to do anything with the user 
"RadiusTokenAuthenticationHandler".

Is there a way that we can turn on better logging (not sure which classes hold 
what we need) or can we somehow specify what attribute the MFA class should use 
for the AccountName?

Sorry this is kind of vague -- I'm hoping the above will help you help me 
formulate better questions.  :)

Thanks,
Tim

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected]<mailto:[email protected]>.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/C653A7A6-BE35-4166-BFB8-DB7BD4E749FD%40wwu.edu<https://groups.google.com/a/apereo.org/d/msgid/cas-user/C653A7A6-BE35-4166-BFB8-DB7BD4E749FD%40wwu.edu?utm_medium=email&utm_source=footer>.
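
Added example (not part of the thread and not CAS code): a Python parser for a captured RADIUS Access-Request, following RFC 2865, that tells the handler's ping apart from a real second-factor request by its User-Name and User-Password. It assumes PAP, the shared secret from the config above, and that the ping carries the class name in both attributes as the follow-up reports; the function names and the sample packet are constructed here.

```python
import hashlib
import struct

ACCESS_REQUEST = 1  # RFC 2865 packet code
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types
PING_NAME = "RadiusTokenAuthenticationHandler"  # value reported in the thread

def pap_xor(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding; the XOR chain runs over ciphertext."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        out += res
        prev = block if decrypt else res
    return out

def build_request(user: str, password: str, secret: bytes, authenticator: bytes) -> bytes:
    """Construct a sample PAP Access-Request (test input only, hypothetical helper)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)  # pad to a multiple of 16 octets
    hidden = pap_xor(pw, secret, authenticator, decrypt=False)
    attrs = b""
    for atype, value in ((USER_NAME, user.encode()), (USER_PASSWORD, hidden)):
        attrs += bytes([atype, len(value) + 2]) + value
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + authenticator + attrs

def classify(packet: bytes, secret: bytes) -> dict:
    """Parse an Access-Request; report User-Name and whether it is the handler's ping."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    clear = pap_xor(attrs.get(USER_PASSWORD, b""), secret, authenticator, decrypt=True)
    password = clear.rstrip(b"\x00").decode(errors="replace")
    # The cleartext password is compared but never returned or logged.
    return {"user_name": user, "is_ping": user == PING_NAME and password == PING_NAME}

if __name__ == "__main__":
    pkt = build_request(PING_NAME, PING_NAME, b"supersecret", bytes(range(16)))
    print(classify(pkt, b"supersecret"))
```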
