RADIUS

New CAS documentation site

CAS documentation has moved over to apereo.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link.

RADIUS Authentication Handler

Including the Handler

In the pom.xml file for your CAS Maven2 WAR Overlay, add the following dependency:

<dependency>
    <groupId>org.jasig.cas</groupId>
    <artifactId>cas-server-support-radius</artifactId>
    <version>${cas.version}</version>
</dependency>

As of version 4.0.0, the implementation of this authentication handler has changed.

Core Classes

RadiusAuthenticationHandler

The RadiusAuthenticationHandler is the class that takes your credentials and authenticates them against a RADIUS server. It supports two kinds of failover: failover on an authentication failure, and failover on a server exception. It can be configured with the following properties:

  • failoverOnAuthenticationFailure - boolean to determine whether we should try the next server if there is an authentication failure.
  • failoverOnException - boolean to determine whether we should try the next server if an exception is thrown.
  • servers - the list of RADIUS servers to connect to. The handler tries them in the order they are configured.
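The failover rules above, as an added illustrative Java model; this is not CAS's own RadiusAuthenticationHandler, and the RadiusServer interface, the constructor and the three stand-in servers are assumptions made for the example:

```java
import java.io.IOException;
import java.util.List;

// Illustrative model of RadiusAuthenticationHandler's failover rules; not CAS's own code.
// RadiusServer is a hypothetical stand-in for the CAS interface of the same name.
public class FailoverRadiusHandler {
    interface RadiusServer {
        boolean authenticate(String username, String password) throws IOException;
    }
    private final List<RadiusServer> servers;   // tried strictly in configured order
    private final boolean failoverOnAuthenticationFailure;
    private final boolean failoverOnException;

    FailoverRadiusHandler(List<RadiusServer> servers, boolean onAuthFailure, boolean onException) {
        this.servers = servers;
        this.failoverOnAuthenticationFailure = onAuthFailure;
        this.failoverOnException = onException;
    }

    // True once a server accepts; false when the credentials are rejected or every server was
    // skipped. With failoverOnException=false a server error propagates instead of looking like a bad password.
    boolean authenticate(String username, String password) throws IOException {
        for (RadiusServer server : servers) {
            try {
                if (server.authenticate(username, password)) {
                    return true;      // first Access-Accept wins
                }
                if (!failoverOnAuthenticationFailure) {
                    return false;     // reject is final: password is not replayed to the next server
                }
            } catch (IOException e) { // timeout, unreachable host, malformed reply
                if (!failoverOnException) {
                    throw e;
                }                     // otherwise skip this server and try the next one
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-ins for radius1/radius2: one times out, one rejects, one accepts.
        RadiusServer down = (u, p) -> { throw new IOException("radius1: socket timeout"); };
        RadiusServer rejecting = (u, p) -> false;
        RadiusServer accepting = (u, p) -> "alice".equals(u) && "correct-password".equals(p);
        // failoverOnException=true as in the page's sample config; auth-failure failover off, then on.
        System.out.println("radius1 down: " + new FailoverRadiusHandler(List.of(down, accepting), false, true).authenticate("alice", "correct-password"));
        System.out.println("radius1 rejects, no auth failover: " + new FailoverRadiusHandler(List.of(rejecting, accepting), false, true).authenticate("alice", "correct-password"));
        System.out.println("radius1 rejects, auth failover: " + new FailoverRadiusHandler(List.of(rejecting, accepting), true, true).authenticate("alice", "correct-password"));
    }
}
```

Save it as FailoverRadiusHandler.java and run it with the single-file launcher (java FailoverRadiusHandler.java) on JDK 11 or later.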

JRadiusServerImpl

The JRadiusServerImpl is one implementation of the more generic RadiusServer interface. Its underlying implementation relies on the JRADIUS library.

Version 3.x:

Each instance represents one RADIUS server and has various configuration options:

  • accountingPort - the accounting port that this server uses.
  • authenticationPort - the authentication port this server uses.
  • radiusAuthenticator - the RADIUS authenticator to use. Defaults to PAP.
  • retries - the number of times to keep retrying a particular server.
  • sharedSecret - the secret key used to communicate with the server.
  • socketTimeout - the amount of time to wait before timing out.
  • hostName - the hostname of the RADIUS server.

Version 4.x:

Each instance represents an authentication-protocol-specific instance of a RADIUS server. Most configuration options have been delegated to the RadiusClientFactory, allowing you to use different authentication protocols on the same physical RADIUS server:

  • protocol - the authentication protocol this server uses.
  • clientFactory-ref - the bean holding the RADIUS client configuration options (a RadiusClientFactory).
  • retries - the number of times to keep retrying a particular server.

RadiusClientFactory (4.x)

The RadiusClientFactory implements RADIUS client-specific configuration options, representing a physical RADIUS server:

  • accountingPort - the accounting port that this server uses.
  • authenticationPort - the authentication port this server uses.
  • inetAddress - the hostname of the RADIUS server.
  • sharedSecret - the secret key used to communicate with the server.
  • socketTimeout - the amount of time to wait before timing out.

Configuration

Below, you'll find an example configuration for two RADIUS servers and failoverOnException. This authenticationHandler is configured within the "authenticationHandlers" property of the AuthenticationManagerImpl. Usually, it would replace the test authentication handler.

CAS version 3.x
<bean
	class="org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler">
	<property
		name="servers">
		<list>
			<bean
				class="org.jasig.cas.adaptors.radius.JRadiusServerImpl">
				<constructor-arg index="0" value="radius1.example.org" />
				<constructor-arg index="1" value="THIS_IS_MY_SHARED_SECRET" />
				<constructor-arg index="2">
					<bean
						class="net.jradius.client.auth.PAPAuthenticator" />
				</constructor-arg>
				<constructor-arg index="3" value="AUTHENTICATION_PORT333" />
				<constructor-arg index="4" value="ACCOUNTING_PORT333" />
				<constructor-arg index="5" value="SOCKET_TIMEOUT" />
				<constructor-arg index="6" value="NUMBER_OF_RETRIES" />
			</bean>
			<bean
				class="org.jasig.cas.adaptors.radius.JRadiusServerImpl">
				<constructor-arg index="0" value="radius2.example.org" />
				<constructor-arg index="1" value="THIS_IS_MY_SHARED_SECRET" />
				<constructor-arg index="2">
					<bean
						class="net.jradius.client.auth.PAPAuthenticator" />
				</constructor-arg>
				<constructor-arg index="3" value="AUTHENTICATION_PORT333" />
				<constructor-arg index="4" value="ACCOUNTING_PORT333" />
				<constructor-arg index="5" value="SOCKET_TIMEOUT" />
				<constructor-arg index="6" value="NUMBER_OF_RETRIES" />
			</bean>
		</list>
	</property>
	<property
		name="failoverOnException"
		value="true" />
</bean>

Below, you'll find a CAS 4.0 example configuration for two RADIUS servers with different authentication protocols and failoverOnException. This authenticationHandler is configured alongside the PolicyBasedAuthenticationManager and referenced as an entry inside its map:

CAS version 4.0
<!-- Sample authentication manager that only uses RADIUS authentication to authenticate users -->
<bean id="authenticationManager" class="org.jasig.cas.authentication.PolicyBasedAuthenticationManager">
	<constructor-arg>
		<map>
			<entry key-ref="radiusAuthenticationHandler" value-ref="primaryPrincipalResolver" />
		</map>
	</constructor-arg>
	<property name="authenticationPolicy">
		<bean class="org.jasig.cas.authentication.AnyAuthenticationPolicy" />
	</property>
</bean>


<bean id="radiusAuthenticationHandler"
	class="org.jasig.cas.adaptors.radius.authentication.handler.support.RadiusAuthenticationHandler">
	<property
		name="servers">
		<list>
			<ref local="radiusServer1" />
			<ref local="radiusServer2" />
		</list>
	</property>
	<property
		name="failoverOnException"
		value="true" />
</bean>
 
<bean id="radiusServer1" 
	class="org.jasig.cas.adaptors.radius.JRadiusServerImpl"
	c:protocol="PAP"
	c:clientFactory-ref="radiusClientFactory1"
	c:retries="NUMBER_OF_RETRIES" />
 
<bean id="radiusServer2" 
	class="org.jasig.cas.adaptors.radius.JRadiusServerImpl"
	c:protocol="EAP_TTLS_EAP_MSCHAPv2"
	c:clientFactory-ref="radiusClientFactory2" /> 

<bean id="radiusClientFactory1"
	class="org.jasig.cas.adaptors.radius.RadiusClientFactory"
	p:inetAddress="radius1.example.org"
	p:sharedSecret="THIS_IS_MY_SHARED_SECRET"
	p:authenticationPort="AUTHENTICATION_PORT333"
	p:accountingPort="ACCOUNTING_PORT333" />
 
<bean id="radiusClientFactory2"
	class="org.jasig.cas.adaptors.radius.RadiusClientFactory"
	p:inetAddress="radius2.example.org"
	p:sharedSecret="THIS_IS_MY_SHARED_SECRET" />

Supported RADIUS authentication protocols

RADIUS support enables the following RADIUS authentication protocols:

  • CHAP
  • EAP-MD5
  • EAP-MSCHAPv2
  • MSCHAPv1
  • MSCHAPv2
  • PAP (default)


Extended RADIUS protocol support in CAS 4.0.0

RADIUS support in CAS 4.0.0 was overhauled and now enables the use of several additional protocols. The list of additional protocols is limited due to some JRADIUS library restrictions:

  • EAP-TTLS with PAP
  • EAP-TTLS with EAP-MD5
  • EAP-TTLS with EAP-MSCHAPv2
  • PEAPv0 with EAP-MSCHAPv2

Although adding the JRADIUS Extended dependency also enables EAP-TLS, that protocol is untested with CAS.

To enable extended protocol use in CAS, add the following dependency in the pom.xml file for your CAS Maven2 WAR Overlay:

<dependency>
    <groupId>net.jradius</groupId>
    <artifactId>jradius-extended</artifactId>
    <version>1.1.4</version>
</dependency>