CAS server webapp fails to instantiate an EAPTTLSAuthenticator for each authentication request

Description

Attempting to use EAP-TTLS for RADIUS authentication through CAS fails. We've tracked it down to the fact that each authentication request should start a new instance of the EAP-TTLS authenticator (net.jradius.client.auth.EAPTTLSAuthenticator), since every EAP-TTLS session is unique.

Alan DeKok from FreeRADIUS agrees that the EAP-TTLS conversation keeps resending the first authentication credentials, which is incorrect, and David Bird from Coova (maintainer of JRadius) agrees with him. David says that the EAPTTLSAuthenticator must be reinstantiated every time. I suspect this may be the case for ALL EAP authentication mechanisms, but I can't find anything substantial online that supports that hypothesis because it appears that there's virtually no one using the EAPTTLSAuthenticator with CAS.

To fix this, JRadiusServerImpl.java specifically needs to change to create a new instance of this.radiusAuthenticator in every authenticate() call. I've made this basic change:

// Build a fresh authenticator of the configured type for this request; EAP
// sessions carry state, so the shared bean must not be reused across calls.
Class<?> c = this.radiusAuthenticator.getClass();
RadiusAuthenticator thisAuth = null;
try {
    thisAuth = (RadiusAuthenticator) c.newInstance();
} catch (Exception e) {
    // Fall back to the shared instance rather than rejecting the request.
    LOG.error("Unable to create new instance of authenticator", e);
    thisAuth = this.radiusAuthenticator;
}
RadiusPacket response = radiusClient.authenticate(request, thisAuth, this.retries);

No doubt this can be improved significantly, probably by calling this.radiusAuthenticator.getAuthName() and checking if the authenticator starts with "eap-" since this is particularly essential for EAP authentication sessions.
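The following is an added, self-contained illustration of the failure mode and the fix described in this issue; it is not CAS or JRadius code. The `Authenticator` interface, `SimulatedEapTtlsAuthenticator`, `SimulatedPapAuthenticator` and `PerRequestAuthenticatorHandler` are constructed stand-ins for `net.jradius.client.auth.RadiusAuthenticator`, its EAP subclasses and the CAS-side handler; only the two calls the issue relies on, `getAuthName()` and an authenticate method, are modelled. The simulated EAP-TTLS authenticator keeps its tunnelled credentials in instance fields, so when one instance is shared, the second user's request goes out carrying the first user's credentials; re-instantiating the configured class per request (with the "eap-" prefix check suggested above, so non-EAP authenticators keep sharing one bean) gives each request its own state.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Constructed stand-in for net.jradius.client.auth.RadiusAuthenticator; only
// the two operations the issue depends on are modelled.
interface Authenticator {
    String getAuthName();
    // Returns the credential string this authenticator would send on the wire.
    String authenticate(String username, String password);
}

// Simulates an EAP-TTLS authenticator whose per-session state lives in fields.
// Once the inner-tunnel identity has been captured it is never replaced, which
// reproduces the reported symptom: later requests resend the first credentials.
// A public no-arg constructor is required so it can be re-instantiated reflectively.
class SimulatedEapTtlsAuthenticator implements Authenticator {
    private String tunnelledUser;
    private String tunnelledPassword;

    public SimulatedEapTtlsAuthenticator() { }

    public String getAuthName() { return "eap-ttls"; }

    public String authenticate(String username, String password) {
        if (tunnelledUser == null) {            // state is set once, on the first request
            tunnelledUser = username;
            tunnelledPassword = password;
        }
        return tunnelledUser + ":" + tunnelledPassword;
    }
}

// Stateless PAP-style authenticator: sharing one instance is harmless.
class SimulatedPapAuthenticator implements Authenticator {
    public String getAuthName() { return "pap"; }
    public String authenticate(String username, String password) {
        return username + ":" + password;
    }
}

// Stand-in for the CAS-side handler that holds one configured authenticator bean.
class PerRequestAuthenticatorHandler {
    private final Authenticator configured;
    private final boolean freshInstancePerRequest;

    PerRequestAuthenticatorHandler(Authenticator configured, boolean freshInstancePerRequest) {
        this.configured = configured;
        this.freshInstancePerRequest = freshInstancePerRequest;
    }

    // EAP methods are session-scoped, so a new instance of the configured class is
    // created for each request (the "eap-" check is the refinement suggested in the
    // issue); any other authenticator is returned as the shared bean.
    Authenticator authenticatorForRequest() {
        boolean isEap = configured.getAuthName().toLowerCase(Locale.ROOT).startsWith("eap-");
        if (!freshInstancePerRequest || !isEap) {
            return configured;
        }
        try {
            // getDeclaredConstructor().newInstance() replaces the deprecated Class.newInstance().
            return configured.getClass().getDeclaredConstructor().newInstance();
        } catch (ReflectiveOperationException e) {
            // Fall back to the shared instance rather than failing the request outright.
            return configured;
        }
    }

    String authenticate(String username, String password) {
        return authenticatorForRequest().authenticate(username, password);
    }
}

public class EapAuthenticatorReuseDemo {
    // Two different users authenticate back to back through one handler; the
    // returned list holds what each request would carry on the wire.
    public static List<String> run(boolean freshInstancePerRequest) {
        PerRequestAuthenticatorHandler handler =
            new PerRequestAuthenticatorHandler(new SimulatedEapTtlsAuthenticator(), freshInstancePerRequest);
        List<String> onWire = new ArrayList<>();
        onWire.add(handler.authenticate("alice", "s3cret"));   // constructed sample credentials
        onWire.add(handler.authenticate("bob", "hunter2"));
        return onWire;
    }

    // Non-EAP authenticators are stateless here, so the same bean is handed back.
    public static boolean papIsShared() {
        Authenticator pap = new SimulatedPapAuthenticator();
        PerRequestAuthenticatorHandler handler = new PerRequestAuthenticatorHandler(pap, true);
        return handler.authenticatorForRequest() == pap;
    }

    public static void main(String[] args) {
        System.out.println("shared EAP-TTLS instance : " + run(false));
        System.out.println("fresh EAP-TTLS instance  : " + run(true));
        System.out.println("PAP bean shared          : " + papIsShared());
    }
}
```

Run with `javac EapAuthenticatorReuseDemo.java && java EapAuthenticatorReuseDemo`. With the shared instance, bob's request carries alice's credentials; with a fresh instance per request, each request carries its own user's credentials, and the PAP authenticator is still returned as the single shared object.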

Environment

CentOS 6.4, Tomcat v6, CAS v3.5.2 with JRadius Extended Client v1.1.4 (for PEAP, EAP-TLS and EAP-TTLS support).

Activity

Stefan Paetow
July 10, 2013, 4:59 PM

And a v4.0.0 request was created too:

https://github.com/Jasig/cas/pull/283

Stefan Paetow
July 22, 2013, 4:27 PM

Pull request updated with updated class. This version generates a new authenticator every time authenticate() is called (which is the correct behaviour). Also documented with JavaDoc comments to satisfy the build system.

Marvin Addison
August 22, 2013, 5:16 PM
Stefan Paetow
September 12, 2013, 10:56 AM

This issue is now resolved (thank you, Marvin!). Any suggestions on how to amend the RADIUS page to document the new (and extended) support?

Marvin Addison
September 12, 2013, 1:16 PM

You should be able to sign up for an account and edit the page.

Assignee

Marvin Addison

Reporter

Stefan Paetow

Labels

None

Estimated End Date

None

Components

Fix versions

Affects versions

Priority

Major