I have had trouble getting two-factor authentication with Duo Security working on our Jasig CAS server in the past. However, with Unicon's new cas-mfa package I was able to get it working. Below I outline the steps I took to install CAS with Duo on a clean install of SUSE Linux Enterprise Server 11 SP3.
Download the latest Java 7 JDK RPM, in my case 7u67, and install it.
rpm -i jdk-7u67-linux-x64.rpm
Next download and install Apache Tomcat and Apache Maven. Verify the tarballs against the checksums and PGP signatures that Apache publishes before unpacking them.
cd /opt
wget http://...../apache-tomcat-8.0.12.tar.gz
tar zxf apache-tomcat-8.0.12.tar.gz
mv apache-tomcat-8.0.12 tomcat
wget http://...../apache-maven-3.2.3-bin.tar.gz
tar zxf apache-maven-3.2.3-bin.tar.gz
mkdir /usr/local/apache-maven/
mv apache-maven-3.2.3 /usr/local/apache-maven/apache-maven-3.2.3
Then add the following to root’s .bashrc:
export M2_HOME=/usr/local/apache-maven/apache-maven-3.2.3
export M2=$M2_HOME/bin
export PATH=$M2:$PATH
After that, clear out the pre-packaged webapps from Tomcat. The manager and host-manager applications in particular should not be left on an SSO server:
cd /opt/tomcat/webapps/
rm -rf examples manager host-manager docs
Then configure SSL for Tomcat in /opt/tomcat/conf/server.xml: add an HTTPS connector that uses the server's certificate and remove or disable the plain HTTP connector. Credentials and CAS tickets pass through the login URL, so the server must only be reachable over HTTPS.
Now download the latest master from https://github.com/Unicon/cas-mfa and unpack it in /opt. Then edit /opt/cas-mfa-master/cas-mfa-overlay/src/main/webapp/WEB-INF/deployerConfigContext.xml to enable LDAP authentication.
Change the authenticationHandlers Property to the following:
<property name="authenticationHandlers">
  <list>
    <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
          p:httpClient-ref="httpClient" />
    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
      <property name="filter" value="${ldap.filter}" />
      <property name="searchBase" value="${ldap.searchbase}" />
      <property name="contextSource" ref="contextSource" />
    </bean>
  </list>
</property>
After the authenticationManager bean, add the following contextSource bean (the one the LDAP handler above refers to):
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="anonymousReadOnly" value="false" />
  <property name="password" value="${ldap.passwd}" />
  <property name="pooled" value="true" />
  <property name="urls">
    <list>
      <value>${ldap.url1}</value>
      <value>${ldap.url2}</value>
    </list>
  </property>
  <property name="userDn" value="${ldap.binddn}" />
</bean>
Edit /opt/cas-mfa-master/pom.xml and add the following dependency for LDAP support:
<dependency>
  <groupId>org.jasig.cas</groupId>
  <artifactId>cas-server-support-ldap</artifactId>
  <version>${cas.version}</version>
</dependency>
Edit /opt/cas-mfa-master/cas-mfa-overlay/pom.xml and uncomment the two sections that are required for Duo support.
Make the directory /etc/cas and copy the included sample files into it.
cp /opt/cas-mfa-master/cas-mfa-overlay/etc/* /etc/cas/
Edit /etc/cas/cas.properties. This file will hold the Duo secret key and the LDAP bind password, so make it readable only by the account Tomcat runs as.
- Change server.name to the URL for your CAS server
- Change host.name to the FQDN for the CAS server
- Change mfa.default.authn.method to duo_two_factor
Add the following Duo settings to the bottom of the file:
- duo.api.host= ## API Host from admin.duosecurity.com
- duo.integration.key= ## Integration key from admin.duosecurity.com
- duo.secret.key= ## Secret key from admin.duosecurity.com
- duo.application.key= ## A random string of at least 40 characters that you generate yourself and never share with Duo
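The four duo.* values are the parameters of the Duo Web SDK scheme: the server signs a request for the browser's Duo iframe once with the secret key and once with the application key, and later accepts only a response whose two signatures both verify and name the same user. The following is an added example written for this post, not code from cas-mfa or from Duo's own SDK, that implements that sign-and-verify exchange so you can see why the application key has to be long, random and kept from Duo: whoever holds only the secret key (as Duo itself does) cannot mint the application half of a response. The keys and the simulate_duo_service stand-in are constructed placeholders, not real credentials or a real Duo endpoint.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constants as published in the Duo Web SDK.
DUO_PREFIX = "TX"       # request segment, signed with the secret key
APP_PREFIX = "APP"      # application segment, signed with the application key
AUTH_PREFIX = "AUTH"    # response segment Duo returns after a successful push
DUO_EXPIRE = 300        # seconds a request to Duo stays valid
APP_EXPIRE = 3600       # seconds the application segment stays valid
IKEY_LEN = 20
SKEY_LEN = 40
AKEY_MIN_LEN = 40       # duo.application.key must be at least this long


def _sign_vals(key, vals, prefix, expire, now=None):
    """Return prefix|base64(user|ikey|expiry)|hex(HMAC-SHA1) signed with key."""
    ts = int(time.time() if now is None else now)
    payload = base64.b64encode("|".join(vals + [str(ts + expire)]).encode()).decode()
    cookie = f"{prefix}|{payload}"
    sig = hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()
    return f"{cookie}|{sig}"


def _parse_vals(key, val, prefix, ikey, now=None):
    """Verify one signed segment; return its username, or None on any defect."""
    ts = int(time.time() if now is None else now)
    parts = val.split("|")
    if len(parts) != 3:
        return None
    u_prefix, u_b64, u_sig = parts
    expected = hmac.new(key.encode(), f"{u_prefix}|{u_b64}".encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected.encode(), u_sig.encode()):
        return None
    if u_prefix != prefix:
        return None
    try:
        user, u_ikey, exp = base64.b64decode(u_b64).decode().split("|")
        expiry = int(exp)
    except ValueError:
        return None
    if u_ikey != ikey or ts >= expiry:
        return None
    return user


def sign_request(ikey, skey, akey, username, now=None):
    """Server side, before the iframe is shown: TX segment (skey) + APP segment (akey)."""
    if not username or "|" in username:
        raise ValueError("invalid username")
    if len(ikey) != IKEY_LEN or len(skey) != SKEY_LEN:
        raise ValueError("integration key must be 20 and secret key 40 characters")
    if len(akey) < AKEY_MIN_LEN:
        raise ValueError("application key must be at least 40 characters")
    vals = [username, ikey]
    duo_sig = _sign_vals(skey, vals, DUO_PREFIX, DUO_EXPIRE, now)
    app_sig = _sign_vals(akey, vals, APP_PREFIX, APP_EXPIRE, now)
    return f"{duo_sig}:{app_sig}"


def verify_response(ikey, skey, akey, sig_response, now=None):
    """Server side, after the iframe posts back: both segments must verify, be
    unexpired, carry our ikey and name the same user; otherwise None."""
    parts = sig_response.split(":")
    if len(parts) != 2:
        return None
    auth_user = _parse_vals(skey, parts[0], AUTH_PREFIX, ikey, now)
    app_user = _parse_vals(akey, parts[1], APP_PREFIX, ikey, now)
    if auth_user is None or auth_user != app_user:
        return None
    return auth_user


def simulate_duo_service(ikey, skey, sig_request, now=None):
    """Constructed stand-in for Duo's hosted service: it checks the TX segment
    with skey and, once the push is approved, answers AUTH:APP. It never holds
    akey, so it can only echo the APP segment it was given, not mint one."""
    parts = sig_request.split(":")
    if len(parts) != 2:
        return None
    user = _parse_vals(skey, parts[0], DUO_PREFIX, ikey, now)
    if user is None:
        return None
    auth_sig = _sign_vals(skey, [user, ikey], AUTH_PREFIX, DUO_EXPIRE, now)
    return f"{auth_sig}:{parts[1]}"


def new_application_key():
    """A random duo.application.key meeting the 40-character minimum
    (equivalent to: openssl rand -hex 20)."""
    return secrets.token_hex(AKEY_MIN_LEN // 2)


if __name__ == "__main__":
    # Placeholder keys constructed for the example, not real Duo credentials.
    ikey, skey, akey = "DI" + "X" * 18, "s" * 40, new_application_key()
    request = sign_request(ikey, skey, akey, "alice")
    response = simulate_duo_service(ikey, skey, request)
    print("Duo says:", verify_response(ikey, skey, akey, response))
```

Run it as a script to see the happy path. The interesting cases are the failures: a response whose APP segment was signed with a different application key, an AUTH segment for one user spliced onto an APP segment for another, or a response replayed after its five-minute window all come back as None, which is exactly the behaviour the four properties above buy you.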
Then add the LDAP settings:
##
# LDAP Configuration
ldap.url1 = ldap://ldap.example.com:389/
ldap.url2 = ldap://ldap2.example.com:389/
ldap.binddn = Bind DN
ldap.passwd = Bind DN Password
ldap.searchbase = Search Base for users
ldap.filter = Search filter for username e.g.: cn=%u
Both the bind DN password and every user's password travel over these connections, so use ldaps:// URLs (port 636 by default) rather than plain ldap:// on 389 unless the directory is on a network you trust, and give the bind DN only the read access it needs to locate users.
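The ldap.filter value is a template into which the submitted username is substituted for %u before the search runs. As an added example for this post (not CAS or Spring LDAP code), here is what that substitution has to do so that a username containing filter metacharacters cannot change the shape of the query: escape the value per RFC 4515 and refuse an empty username. The hostile input is constructed for the demonstration; the naive variant is included only as the contrast case.

```python
# RFC 4515 escape sequences for the characters that carry meaning in a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so the directory treats it as a literal assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, username):
    """Substitute the submitted username into a CAS-style template such as 'cn=%u'.
    Rejects an empty username (which would yield 'cn=') and a template with no
    placeholder, and escapes the username so it cannot add or close assertions."""
    if not username:
        raise ValueError("empty username")
    if "%u" not in template:
        raise ValueError("template has no %u placeholder")
    return template.replace("%u", escape_filter_value(username))


def build_filter_naive(template, username):
    """Plain substitution, shown only as the contrast case: metacharacters in
    the username become part of the filter's structure."""
    return template.replace("%u", username)


if __name__ == "__main__":
    template = "(&(objectClass=person)(uid=%u))"
    hostile = "*)(uid=*"   # constructed input that tries to widen the search
    print("naive  :", build_filter_naive(template, hostile))
    print("escaped:", build_filter(template, hostile))
```

Run it and compare the two lines: the naive substitution yields a filter with two uid assertions that matches any person, while the escaped one still has a single assertion whose value happens to contain asterisks and parentheses. Whatever your LDAP handler does internally, that is the property to check against your directory with a test account whose name contains such characters.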
Edit /etc/cas/log4j.xml and change all log levels that are set to DEBUG to WARN. DEBUG is very noisy for a production server and can write ticket identifiers to the log.
Edit /etc/cas/servicesRegistry.conf and change "authn_method": "strong-two-factor" to "authn_method": "duo-two-factor"
Change directory to /opt/cas-mfa-master and run "mvn clean package" to build the .war file.
Copy the new war file into the webapps directory and start Tomcat.
cp /opt/cas-mfa-master/cas-mfa-overlay/target/cas.war /opt/tomcat/webapps/
Then test CAS by going to the following URL:
https://YOURSITE.COM/cas/login?authn_method=duo-two-factor&service=http://www.unicon.net
If everything is configured correctly you should be able to authenticate to LDAP and then use Duo Push. Also try the same service URL without the authn_method parameter: because servicesRegistry.conf marks that service as requiring duo-two-factor, Duo should still be demanded. If the LDAP password alone gets you through to the service, the registry entry is not taking effect and the second factor is only being applied when the client asks for it.