Duo 2FA - Guacamole 9.11

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

Duo 2FA - Guacamole 9.11

Kris Germann

I'm wondering how to accomplish this, I have the following in my guacamole.preferences:

#MySQL Info
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: xxxxxxxxxxxx

#Duo Security API Info
duo-api-hostname: api-hostname.duosecurity.com
duo-integration-key: xxxxxxxxxxxxxxxxxxxx
duo-secret-key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
duo-application-key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

However, when I log in I get the following in the logs:

14:54:09.658 [http-nio-8080-exec-2] INFO o.a.g.r.auth.AuthenticationService - User "kgermann" successfully authenticated from 50.100.78.133.

However, I am greeted with:


Any help would be appreciated :)


Kris

Reply | Threaded
Open this post in threaded view
|

Re: Duo 2FA - Guacamole 9.11

Mike Jumper
On Mon, Mar 13, 2017 at 8:27 AM, Kris Germann <[hidden email]> wrote:

I'm wondering how to accomplish this, I have the following in my guacamole.preferences:

#MySQL Info
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: xxxxxxxxxxxx

#Duo Security API Info
duo-api-hostname: api-hostname.duosecurity.com
duo-integration-key: xxxxxxxxxxxxxxxxxxxx
duo-secret-key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
duo-application-key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

However, when I log in I get the following in the logs:

14:54:09.658 [http-nio-8080-exec-2] INFO o.a.g.r.auth.AuthenticationService - User "kgermann" successfully authenticated from 50.100.78.133.

However, I am greeted with:


Any help would be appreciated :)



Have you verified that the integration key, secret key, and API hostname are exactly as listed by Duo in the application's "Details" section?

- Mike

Reply | Threaded
Open this post in threaded view
|

Re: Duo 2FA - Guacamole 9.11

Kris Germann

I have, however, it seems I tried initially with the free version of Duo which did not include the Auth API application - once I upgraded and generated a new token for the Auth API (previously I was using “UNIX Application”) it worked.

Case closed!

- Kris

On Mar 13, 2017, at 4:01 PM, Mike Jumper <[hidden email]> wrote:

On Mon, Mar 13, 2017 at 8:27 AM, Kris Germann <[hidden email]> wrote:

I'm wondering how to accomplish this, I have the following in my guacamole.preferences:

#MySQL Info
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: xxxxxxxxxxxx

#Duo Security API Info
duo-api-hostname: api-hostname.duosecurity.com
duo-integration-key: xxxxxxxxxxxxxxxxxxxx
duo-secret-key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
duo-application-key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

However, when I log in I get the following in the logs:

14:54:09.658 [http-nio-8080-exec-2] INFO o.a.g.r.auth.AuthenticationService - User "kgermann" successfully authenticated from 50.100.78.133.

However, I am greeted with:

<Screen Shot 2017-03-12 at 2.42.38 PM.png>

Any help would be appreciated :)



Have you verified that the integration key, secret key, and API hostname are exactly as listed by Duo in the application's "Details" section?

- Mike

Reply | Threaded
Open this post in threaded view
|

Re: Duo 2FA - Guacamole 9.11

Mike Jumper
On Mon, Mar 13, 2017 at 1:02 PM, Kris Germann <[hidden email]> wrote:

I have, however, it seems I tried initially with the free version of Duo which did not include the Auth API application - once I upgraded and generated a new token for the Auth API (previously I was using “UNIX Application”) it worked.



By the way, though it will indeed work, "Auth API" turns out to be incorrect:


Some time after Guacamole's initial support for Duo went out, Duo moved "Auth API" to the non-free version. As far as Guacamole is concerned, this doesn't matter because we should have listed "Web SDK" in the first place, but there is no need to upgrade things just to use Duo with Guacamole.

There was a recent discussion here which lead to the above:


- Mike