jasig-cas IRC Logs-2011-12-02
[08:10:32 CST(-0600)] <dd> hello
[08:10:46 CST(-0600)] <dd> anyone have experience with clearpass here?
[08:10:48 CST(-0600)] <BillThompson> morning
[08:11:01 CST(-0600)] <BillThompson> yes
[08:11:42 CST(-0600)] <dd> great. i have it setup on cas and uportal, it is at least setup correctly i know, because i can go to example.edu/cas/clearPass
[08:12:16 CST(-0600)] <dd> is there any way i can test that it is actually able to give me back a password?
[08:12:39 CST(-0600)] <dd> i'm on cas 3.4.2.1 and clearpass 1.0.5-GA
[08:13:47 CST(-0600)] <BillThompson> you need to request a ST for clearPass and then send that in URL
[08:15:27 CST(-0600)] <dd> ok, how would i do that?
[08:16:03 CST(-0600)] <dd> i can see it all happening in the logs but i assume i can't use a service ticket from the logs, right?
[08:16:58 CST(-0600)] <BillThompson> you could if it hasn't been used yet and hasn't timed out
[08:18:20 CST(-0600)] <BillThompson> https://github.com/wgthom/CasAngelClient/blob/master/CasAngelHandler.cs has C# code showing how to use ClearPass
[08:24:54 CST(-0600)] <dd> hmm
[08:25:27 CST(-0600)] <dd> so i have the service ticket from the logs, do i just do https://example.edu/cas/clearPass?ticket= ?
[08:26:15 CST(-0600)] <BillThompson> yes, I believe that should work. you'll want to make sure the ticket isn't expired though…the default setting is something like 10 sec
[08:27:13 CST(-0600)] <dd> i just get <cas:clearPassFailure>No authentication information provided.</cas:clearPassFailure>
[08:28:47 CST(-0600)] <dd> well, in the logs i get <cas:authenticationFailure code='INVALID_TICKET'>
[08:29:04 CST(-0600)] <BillThompson> perhaps it expired?
[08:29:32 CST(-0600)] <BillThompson> also you may have to put 'service= ' in the url along with the ticket
[08:29:40 CST(-0600)] <BillThompson> that's what the C# code does
[08:30:22 CST(-0600)] <dd> oh, i'll try that
[08:33:27 CST(-0600)] <dd> nope, would you mind taking a look at my logs?
[08:34:04 CST(-0600)] <BillThompson> sure. the best thing though would be to post to cas-user. as you'll likely get more people to look at it….and more people will benefit from the discussion.
[08:37:12 CST(-0600)] <dd> yeah, i definitely will if i am still having problems
[08:37:36 CST(-0600)] <dd> http://pastebin.com/Xf0jktqZ
[08:38:03 CST(-0600)] <dd> two things that confuse me, line 47: it looks like the ticket that was generated gets removed from the registry?
[08:38:17 CST(-0600)] <dd> and line 62: No Proxy Ticket found for [blank]
[08:40:42 CST(-0600)] <BillThompson> 47 is CAS removing the Ticket from the registry after it was successfully validated. this is expected
[08:40:56 CST(-0600)] <dd> ok
[08:41:40 CST(-0600)] <dd> anything else jump out at you as odd or incorrect?
[08:42:00 CST(-0600)] <BillThompson> 62 does look weird
[08:42:37 CST(-0600)] <BillThompson> is it working?
[08:43:02 CST(-0600)] <dd> cas overall?
[08:43:34 CST(-0600)] <BillThompson> yes, are you getting the password back in the portal…looks like it worked from the logs
[08:44:06 CST(-0600)] <dd> how would i check that it is in the portal?
[08:44:47 CST(-0600)] <BillThompson> best to ask that on uportal-user
[08:53:08 CST(-0600)] <dd> any idea what the "No Proxy Ticket found for" implies?
[09:01:54 CST(-0600)] <BillThompson> not sure seems weird though
[10:47:13 CST(-0600)] <dd> BillThompson: still around?
[13:01:18 CST(-0600)] <serac> 1400
[13:01:25 CST(-0600)] <BillThompson> hola
[13:01:27 CST(-0600)] <serac> Any developer topics to discuss.
[13:01:29 CST(-0600)] <serac> Hey man.
[13:01:50 CST(-0600)] <serac> Anyone seen or heard from battags this week?
[13:02:01 CST(-0600)] <BillThompson> nope
[13:02:40 CST(-0600)] <BillThompson> i was thinking we probably need a reality check on 3.5 soon
[13:03:10 CST(-0600)] <BillThompson> come to consensus on lppe approach for the near term for 3.5 (even if there are issues still to be settled long term for cas4 etc)
[13:03:24 CST(-0600)] <serac> I have on my todo list to do a thorough code review of lppe and then try to craft a compromise solution that addresses some of Scott's points for the "bigger picture" of password expiration workflows.
[13:03:28 CST(-0600)] <BillThompson> get working code cut, etc
[13:03:45 CST(-0600)] <serac> I'm fairly optimistic it's mostly just moving things around.
[13:04:08 CST(-0600)] <serac> But I'm on board with the goals you have.
[13:05:45 CST(-0600)] <BillThompson> fyi. unicon is investigating work on an improved cas/shib integration ala Shib's ExternalAuthNHandler
[13:06:07 CST(-0600)] <BillThompson> https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthExternal
[13:06:08 CST(-0600)] <serac> What is there to improve upon that remote authentication doesn't already provide?
[13:06:21 CST(-0600)] <serac> The existing integration works great in our view.
[13:06:42 CST(-0600)] <BillThompson> things like bridging SAML's forceAuthn to CAS renew=true for instance
[13:07:07 CST(-0600)] <serac> Interesting.
[13:07:28 CST(-0600)] <BillThompson> yes another possible evolution story...
[13:07:51 CST(-0600)] <serac> Indeed. Keep us posted on the progress.
[13:08:00 CST(-0600)] <BillThompson> will do.
[15:01:55 CST(-0600)] <dd> anyone here have experience with clearpass?
[15:02:57 CST(-0600)] <dd> having problems with proxy tickets i think