options for authenticating against RADIUS/SecurId
haroon.rafique
Apr 9th, 2007, 09:42 AM
Hi,
I am interested in other people's experiences with using acegi security to authenticate users against a RADIUS server (running RSA SecurId in the back). The thing that gives me some concern is the "access-challenge" type interaction that is sometimes involved. A typical situation might involve asking the user to enter the next token that they see on their SecurId card.
Google search yields jradiusclient and specifically its JAAS RadiusLoginModule. Any experience with handing off authentication to JAAS?
Anyone else done anything similar? Any code that you can share?
Would be interested in using latest versions (1.0.3 for acegisecurity and 2.0.3 for spring).
Thanks in Advance,
--
Haroon
haroon.rafique
Apr 26th, 2007, 08:31 AM
Hi,
I am interested in other people's experiences with using acegi security to authenticate users against a RADIUS server (running RSA SecurId in the back). The thing that gives me some concern is the "access-challenge" type interaction that is sometimes involved. A typical situation might involve asking the user to enter the next token that they see on their SecurId card.
So, I have made some progress with the integration with RADIUS. I have a class called RadiusUserDetailsAuthenticationProvider which extends AbstractUserDetailsAuthenticationProvider. I have implemented the abstract method retrieveUser(String username, UsernamePasswordAuthenticationToken authentication), where the heavy lifting is done by connecting to RADIUS using RadiusClient from jradius.org.
The usual flow inside this method is to set up some attributes for making the RADIUS request. The following 2 scenarios work perfectly.
1) Received reply AccessAccept (credentials accepted)
2) Received reply AccessReject (credentials rejected)
I'm having problems with a 3rd scenario, where the reply is of type AccessChallenge. This reply also has some state attributes (byte[] of size 12). Upon receiving such a challenge, the user is supposed to respond to the challenge by waiting till the token changes on the SecurId card and responding with the next token. Not only that, my code is now supposed to make a request to the radius server by including those original bytes from the state attribute.
I am wondering what would be a good strategy to:
a) recognize that this request is in response to an earlier challenge
b) remember the byte[] from earlier and include it into the new request
Any ideas?
Regards,
--
Haroon
haroon.rafique
Apr 26th, 2007, 11:41 AM
I am wondering what would be a good strategy to:
a) recognize that this request is in response to an earlier challenge
b) remember the byte[] from earlier and include it into the new request
Any ideas?
Regards,
--
Haroon
So, I ended up extending the interface SecurityContext and implemented my own custom SecurityContext which I registered with org.acegisecurity.context.HttpSessionContextIntegrationFilter. This custom SecurityContext was then used to remember the RADIUS state attribute and to also remember whether this request is in response to a challenge.
I will share the complete code when I'm 100% finished with the implementation.
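The challenge round trip the two posts above describe (point a: recognise that a request answers an earlier challenge; point b: carry the server's State bytes into the new request), as an added Python example that is not Haroon's code, jradius, or Acegi: it encodes an Access-Request with RFC 2865 User-Password hiding, remembers the State attribute from an Access-Challenge and echoes it unchanged in the follow-up. ChallengeSession stands in for the custom SecurityContext of the thread; the packet bytes used for testing are constructed, not captured.

```python
import hashlib
import os
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_CHALLENGE = 1, 2, 11  # RFC 2865 codes
USER_NAME, USER_PASSWORD, STATE = 1, 2, 24  # RFC 2865 attribute types

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16 bytes, XOR blocks with MD5(secret + previous block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out

def encode_attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def parse_attrs(packet):
    attrs, pos = {}, 20  # attributes follow the 20-byte header
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

def build_access_request(identifier, username, password, secret, state=None):
    authenticator = os.urandom(16)  # fresh Request Authenticator per request
    attrs = encode_attr(USER_NAME, username.encode())
    attrs += encode_attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    if state is not None:
        attrs += encode_attr(STATE, state)  # echoed byte-for-byte, never interpreted
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

class ChallengeSession:
    # Per-login memory of the server's State; stand-in (assumed) for the thread's custom SecurityContext.
    def __init__(self):
        self.state = None
    def in_challenge(self):  # point (a): is the next request a challenge follow-up?
        return self.state is not None
    def handle_response(self, packet):
        if packet[0] == ACCESS_CHALLENGE:
            self.state = parse_attrs(packet).get(STATE)  # point (b): remember the bytes
            return "challenge"
        self.state = None  # Accept or Reject ends the challenge round
        return "accept" if packet[0] == ACCESS_ACCEPT else "reject"
    def next_request(self, identifier, username, token, secret):
        # Follow-up: the next SecurID token rides in User-Password, State goes back unchanged.
        return build_access_request(identifier, username, token, secret, self.state)
```

The State value is opaque to the client; the only correct handling is to store it per login session and send it back verbatim, which is why the thread keeps it in session-scoped security context rather than in the provider.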
haroon.rafique
Aug 2nd, 2007, 12:10 PM
I will share the complete code when I'm 100% finished with the implementation.
I think I forgot to make a follow-up to this post. In any case, find attached the files necessary to get RADIUS authentication running. Since there are no unit tests with them, I hardly expect these to be included into spring but if anyone else wants to use them permission is hereby granted (with no implied warranty, usual disclaimers, etc....).
To get it running, your spring applicationContext.xml file should have something similar to the following to set up the security context:
<bean id="httpSessionContextIntegrationFilter" class="org.acegisecurity.context.HttpSessionContextIntegrationFilter">
<property name="context" value="ca.utoronto.sis.rxp.security.RadiusSecurityContextImpl"/>
</bean>
and set up the authentication manager:
<bean id="authenticationManager" class="org.acegisecurity.providers.ProviderManager">
<property name="providers">
<list>
<ref bean="${radiusAuthenticationProvider}"/>
</list>
</property>
</bean>
where radiusAuthenticationProvider is something like:
<bean id="radiusAuthenticationProvider" class="ca.utoronto.sis.rxp.security.RadiusUserDetailsAuthenticationProvider">
<property name="radiusHost" value="${radius.host}"/>
<property name="sharedSecret" value="${radius.secret}"/>
<property name="messageSource" ref="messageSource"/>
<property name="rolesManager" ref="${rolesManager}"/>
</bean>
<bean id="messageSource" class="org.springframework.context.support.ResourceBundleMessageSource">
<property name="basename" value="radiusMessages"/>
</bean>
Hope this helps someone. If you need some more details, send a reply to this post and hopefully the email notification will reach me.
haroon.rafique
Aug 2nd, 2007, 12:16 PM
Just in case someone is still following up, I used jradius from the following svn repository:
http://dev.coova.org/svn/cjradius
At the time of writing, I used the following diff to build the jradius jar.
Index: core/pom.xml
===================================================================
--- core/pom.xml (revision 17)
+++ core/pom.xml (working copy)
@@ -20,7 +20,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
- <version>2.0-m4</version>
+ <version>2.0.4</version>
</dependency>
<dependency>
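Review bot: the spring-context version at the `+ <version>2.0.4</version>` line moves from a pre-release milestone (2.0-m4) to a GA release, which is the right direction, but it should match the Spring version of the application that loads this jar (the thread mentions 2.0.3); two Spring minors on one classpath is a common source of NoSuchMethodError at startup, so either align the version or declare the dependency `<scope>provided</scope>` and let the application supply Spring.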
@@ -32,7 +32,7 @@
<dependency>
<groupId>commons-configuration</groupId>
<artifactId>commons-configuration</artifactId>
- <version>1.3</version>
+ <version>1.4</version>
</dependency>
<dependency>
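Review bot: the commons-configuration bump from `<version>1.3</version>` to `<version>1.4</version>` carries no stated reason in the patch; a dependency upgrade in an authentication component should record what it fixes or needs so it can be re-evaluated when the next jradius revision touches the same line, and the 1.4 jar should be taken from the project's own release rather than an arbitrary mirror.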
@@ -59,4 +59,4 @@
<directory>../target</directory>
</build>
-</project>
\ No newline at end of file
+</project>
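Review bot: this last hunk only adds the missing newline after `</project>` (hence the `\ No newline at end of file` marker); it is harmless but unrelated to the version bumps, so it is better dropped or kept in its own whitespace-only commit, which also keeps the patch applying cleanly when core/pom.xml changes upstream.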
myfriendhenry
Oct 21st, 2008, 01:07 PM
Great work!
Hi, I found this while looking for information on adding RADIUS to the openNMS project. I think that they use acegisecurity. I confess I am not a coder by trade, but a pretty good detective so I thought I would give it a shot. Just wondering how far you got on this. I notice that the openNMS community is looking for a RADIUS module too.
haroon.rafique
Oct 21st, 2008, 01:18 PM
Great work!
Hi, I found this while looking for information on adding RADIUS to the openNMS project. I think that they use acegisecurity. I confess I am not a coder by trade, but a pretty good detective so I thought I would give it a shot. Just wondering how far you got on this. I notice that the openNMS community is looking for a RADIUS module too.
The files attached in this thread (3 posts above) are running in production for me right now.
dyda23
Apr 12th, 2009, 07:25 PM
Hi,
JCMS does not support the RADIUS authentication protocol as standard functionality. Do you know if there is a module for it?
Thank you
haroon.rafique
Apr 13th, 2009, 05:06 AM
Hi,
JCMS does not support the RADIUS authentication protocol as standard functionality. Do you know if there is a module for it?
Thank you
I am sorry, I don't know what JCMS is. Sorry, I couldn't help.