Duo Security and CAS

I have had trouble getting two-factor authentication with Duo Security working on our Jasig CAS server in the past. However, with a new package from Unicon I was able to do it. Below I will outline the steps I took to install CAS with Duo on a clean install of SUSE Linux Enterprise Server 11.3.

Download the latest Java 7 JDK RPM, in my case 7u67, and install it.

rpm -i jdk-7u67-linux-x64.rpm

Next download and install Apache Tomcat and Apache Maven.

cd /opt
wget http://...../apache-tomcat-8.0.12.tar.gz
tar zxf apache-tomcat-8.0.12.tar.gz
mv apache-tomcat-8.0.12 tomcat
wget http://...../apache-maven-3.2.3-bin.tar.gz
tar zxf apache-maven-3.2.3-bin.tar.gz
mkdir /usr/local/apache-maven/
mv apache-maven-3.2.3 /usr/local/apache-maven/apache-maven-3.2.3

Then add the following to root’s .bashrc:

export M2_HOME=/usr/local/apache-maven/apache-maven-3.2.3
export M2=$M2_HOME/bin
export PATH=$M2:$PATH

After that clear out the pre-packaged webapps from Tomcat

cd /opt/tomcat/webapps/
rm -rf examples manager host-manager docs

And configure SSL for tomcat in /opt/tomcat/conf/server.xml

Now download the latest master from https://github.com/Unicon/cas-mfa and unpack in /opt then edit /opt/cas-mfa-master/cas-mfa-overlay/src/main/webapp/WEB-INF/deployerConfigContext.xml to enable LDAP authentication.

Change the authenticationHandlers Property to the following:

<property name="authenticationHandlers">
  <list>
    <bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
      p:httpClient-ref="httpClient" />
    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
      <property name="filter" value="${ldap.filter}" />
      <property name="searchBase" value="${ldap.searchbase}" />
      <property name="contextSource" ref="contextSource" />
    </bean>
  </list>
</property>

After the AuthenticationManager Bean add the following bean:

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
  <property name="anonymousReadOnly" value="false" />
  <property name="password" value="${ldap.passwd}" />
  <property name="pooled" value="true" />
  <property name="urls">
    <list>
      <value>${ldap.url1}</value>
      <value>${ldap.url2}</value>
    </list>
  </property>
  <property name="userDn" value="${ldap.binddn}" />
</bean>

Edit /opt/cas-mfa-master/pom.xml and add the following dependency for LDAP support:

<dependency>
  <groupId>org.jasig.cas</groupId>
  <artifactId>cas-server-support-ldap</artifactId>
  <version>${cas.version}</version>
</dependency>

Edit /opt/cas-mfa-master/cas-mfa-overlay/pom.xml and uncomment the two sections that are required for Duo support.

Make the directory /etc/cas and copy the included sample files into it.

cp /opt/cas-mfa-master/cas-mfa-overlay/etc/* /etc/cas/

Edit /etc/cas/cas.properties

  • Change server.name to the URL for your CAS server
  • Change host.name to the FQDN for the CAS server
  • Change mfa.default.authn.method to duo_two_factor

Add the following info to the bottom of the file:

  • duo.api.host= ## API Host from admin.duosecurity.com
  • duo.integration.key= ## Integration key from admin.duosecurity.com
  • duo.secret.key= ## Secret key from admin.duosecurity.com
  • duo.application.key= ## A made up long string not shared with Duo

Add the following to the end of the file:

##
# LDAP Configuration
ldap.url1 = ldap://ldap.example.com:389/
ldap.url2 = ldap://ldap2.example.com:389/
ldap.binddn = Bind DN
ldap.passwd = Bind DN Password
ldap.searchbase = Search Base for users
ldap.filter = Search filter for username e.g.: cn=%u

Edit /etc/cas/log4j.xml and change all log levels that are set to DEBUG to WARN

Edit /etc/cas/servicesRegistry.conf and change “authn_method”: “strong-two-factor” to “authn_method”: “duo-two-factor”

Change directory to /opt/cas-mfa-master and run “mvn clean package” to build the .war file.

Copy the new war file into the webapps directory and start Tomcat.

cp /opt/cas-mfa-master/cas-mfa-overlay/target/cas.war /opt/tomcat/webapps/

The test CAS by going to the following URL:

https://YOURSITE.COM/cas/login?authn_method=duo-two-factor&service=http://www.unicon.net

If everything is configured correctly you should be able to auth to LDAP and then use Duo Push.

Leave a Reply

Your email address will not be published. Required fields are marked *