pam Google authenticator and Ldap

Nick Owen owen.nick at gmail.com
Mon Dec 8 17:50:17 CET 2014


FreeRADIUS can proxy the RADIUS request to a third-party authentication
server, but that server must support RADIUS, and the Google PAM
authenticator module does not. Maybe there is some way to get it
working that I'm not aware of.

On Fri, Dec 5, 2014 at 11:24 AM, Joshua Elcik <jelcik at hotmail.com> wrote:
>
> Running FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu installed on
> Ubuntu 12.04
>
> I've got LDAP working correctly and it's searching within Active Directory
> groups to make sure that the person is in a particular group to get an Accept
> message.
>
> What I'm looking to do, and this is where I need help and maybe it's not even
> possible, but ideally I want to be able to configure my Cisco ASA to use
> the FreeRADIUS server to do dual authentication using LDAP and the Google
> Authenticator, so is this even really possible?
>
> So the flow would look like: user logs into the AnyConnect client using
> Active Directory creds, FreeRADIUS would check to make sure that user is in
> a certain group, vpn or vpnadmin. If the user is in the group, that user
> would then be prompted for the Google Auth digits, and if the user entered
> them in correctly the user would be allowed to connect to the VPN.
>
> I understand I would have to use PAM in order for the Google Authenticator
> to work, but is this something that has to happen in the post-auth?
>
> root at freerad01:/etc/freeradius# freeradius -X
> FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 15:16:50
> Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License v2.
> Starting - reading configuration files ...
> including configuration file /etc/freeradius/radiusd.conf
> including configuration file /etc/freeradius/proxy.conf
> including configuration file /etc/freeradius/clients.conf
> including files in directory /etc/freeradius/modules/
> including configuration file /etc/freeradius/modules/passwd
> including configuration file /etc/freeradius/modules/inner-eap
> including configuration file /etc/freeradius/modules/pap
> including configuration file /etc/freeradius/modules/unix
> including configuration file /etc/freeradius/modules/checkval
> including configuration file /etc/freeradius/modules/ntlm_auth
> including configuration file /etc/freeradius/modules/attr_filter
> including configuration file /etc/freeradius/modules/perl
> including configuration file /etc/freeradius/modules/acct_unique
> including configuration file /etc/freeradius/modules/counter
> including configuration file /etc/freeradius/modules/policy
> including configuration file /etc/freeradius/modules/files
> including configuration file /etc/freeradius/modules/realm
> including configuration file /etc/freeradius/modules/pam
> including configuration file /etc/freeradius/modules/cui
> including configuration file /etc/freeradius/modules/preprocess
> including configuration file /etc/freeradius/modules/expr
> including configuration file /etc/freeradius/modules/ippool
> including configuration file /etc/freeradius/modules/krb5
> including configuration file /etc/freeradius/modules/wimax
> including configuration file /etc/freeradius/modules/logintime
> including configuration file /etc/freeradius/modules/detail
> including configuration file /etc/freeradius/modules/exec
> including configuration file /etc/freeradius/modules/linelog
> including configuration file /etc/freeradius/modules/otp
> including configuration file /etc/freeradius/modules/mac2vlan
> including configuration file /etc/freeradius/modules/ldap
> including configuration file /etc/freeradius/modules/always
> including configuration file /etc/freeradius/modules/digest
> including configuration file /etc/freeradius/modules/attr_rewrite
> including configuration file /etc/freeradius/modules/etc_group
> including configuration file /etc/freeradius/modules/detail.example.com
> including configuration file /etc/freeradius/modules/sradutmp
> including configuration file /etc/freeradius/modules/dynamic_clients
> including configuration file /etc/freeradius/modules/opendirectory
> including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
> including configuration file /etc/freeradius/modules/expiration
> including configuration file /etc/freeradius/modules/sql_log
> including configuration file /etc/freeradius/modules/radutmp
> including configuration file /etc/freeradius/modules/chap
> including configuration file /etc/freeradius/modules/echo
> including configuration file /etc/freeradius/modules/detail.log
> including configuration file /etc/freeradius/modules/smbpasswd
> including configuration file /etc/freeradius/modules/smsotp
> including configuration file /etc/freeradius/modules/mac2ip
> including configuration file /etc/freeradius/modules/mschap
> including configuration file /etc/freeradius/eap.conf
> including configuration file /etc/freeradius/policy.conf
> including files in directory /etc/freeradius/sites-enabled/
> including configuration file /etc/freeradius/sites-enabled/inner-tunnel
> including configuration file /etc/freeradius/sites-enabled/default
> main {
>         user = "root"
>         group = "root"
>         allow_core_dumps = no
> }
> including dictionary file /etc/freeradius/dictionary
> main {
>         prefix = "/usr"
>         localstatedir = "/var"
>         logdir = "/var/log/freeradius"
>         libdir = "/usr/lib/freeradius"
>         radacctdir = "/var/log/freeradius/radacct"
>         hostname_lookups = no
>         max_request_time = 30
>         cleanup_delay = 5
>         max_requests = 1024
>         pidfile = "/var/run/freeradius/freeradius.pid"
>         checkrad = "/usr/sbin/checkrad"
>         debug_level = 0
>         proxy_requests = yes
> log {
>         stripped_names = no
>         auth = no
>         auth_badpass = no
>         auth_goodpass = no
> }
> security {
>         max_attributes = 200
>         reject_delay = 1
>         status_server = yes
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
>         retry_delay = 5
>         retry_count = 3
>         default_fallback = no
>         dead_time = 120
>         wake_all_if_all_dead = no
> }
> home_server localhost {
>         ipaddr = 127.0.0.1
>         port = 1812
>         type = "auth"
>         secret = "testing123"
>         response_window = 20
>         max_outstanding = 65536
>         require_message_authenticator = yes
>         zombie_period = 40
>         status_check = "status-server"
>         ping_interval = 30
>         check_interval = 30
>         num_answers_to_alive = 3
>         num_pings_to_alive = 3
>         revive_interval = 120
>         status_check_timeout = 4
>         irt = 2
>         mrt = 16
>         mrc = 5
>         mrd = 30
> }
> home_server_pool my_auth_failover {
>         type = fail-over
>         home_server = localhost
> }
> realm example.com {
>         auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: #### Loading Clients ####
> client 10.10.10.0/24 {
>         require_message_authenticator = no
>         secret = "testing123"
>         nastype = "other"
> }
> radiusd: #### Instantiating modules ####
> instantiate {
> Module: Linked to module rlm_exec
> Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
>   exec {
>         wait = no
>         input_pairs = "request"
>         shell_escape = yes
>   }
> Module: Linked to module rlm_expr
> Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
> Module: Linked to module rlm_expiration
> Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
>   expiration {
>         reply-message = "Password Has Expired  "
>   }
> Module: Linked to module rlm_logintime
> Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
>   logintime {
>         reply-message = "You are calling outside your allowed timespan  "
>         minimum-timeout = 60
>   }
> }
> radiusd: #### Loading Virtual Servers ####
> server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
> modules {
> Module: Checking authenticate {...} for more modules to load
> Module: Linked to module rlm_chap
> Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
> Module: Linked to module rlm_mschap
> Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
>   mschap {
>         use_mppe = yes
>         require_encryption = no
>         require_strong = no
>         with_ntdomain_hack = yes
>         ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name:-None}
> --domain=%{%{mschap:NT-Domain}:-NEXTPT.COM}
> --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
>   }
> Module: Linked to module rlm_pam
> Module: Instantiating module "pam" from file /etc/freeradius/modules/pam
>   pam {
>         pam_auth = "radiusd"
>   }
> Module: Linked to module rlm_unix
> Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
>   unix {
>         radwtmp = "/var/log/freeradius/radwtmp"
>   }
> Module: Linked to module rlm_ldap
> Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap
>   ldap {
>         server = "10.10.10.110"
>         port = 389
>         password = "password"
>         identity = "cn=Account,ou=Next Point,dc=nextpt,dc=com"
>         net_timeout = 1
>         timeout = 4
>         timelimit = 3
>         tls_mode = no
>         start_tls = no
>         tls_require_cert = "allow"
>    tls {
>         start_tls = no
>         require_cert = "allow"
>    }
>         basedn = "ou=Next Point,dc=nextpt,dc=com"
>         filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
>         base_filter = "(objectclass=radiusprofile)"
>         auto_header = no
>         access_attr_used_for_allow = yes
>         chase_referrals = yes
>         rebind = yes
>         groupname_attribute = "cn"
>         groupmembership_filter =
> "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
>         groupmembership_attribute = "memberOf"
>         dictionary_mapping = "/etc/freeradius/ldap.attrmap"
>         ldap_debug = 0
>         ldap_connections_number = 5
>         compare_check_items = no
>         do_xlat = yes
>         edir_account_policy_check = no
>         set_auth_type = yes
>   }
> rlm_ldap: Registering ldap_groupcmp for Ldap-Group
> rlm_ldap: Registering ldap_xlat with xlat_name ldap
> rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap
> rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$
> rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type
> rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use
> rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id
> rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id
> rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password
> rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password
> rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password
> rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password
> rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password
> rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header
> rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT
> rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration
> rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address
> rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type
> rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol
> rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address
> rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask
> rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route
> rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing
> rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id
> rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU
> rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression
> rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host
> rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service
> rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port
> rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number
> rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id
> rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network
> rlm_ldap: LDAP radiusClass mapped to RADIUS Class
> rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout
> rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout
> rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action
> rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service
> rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node
> rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group
> rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link
> rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Network
> rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone
> rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit
> rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port
> rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message
> rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type
> rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type
> rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group-Id
> conns: 0x8e5da0
> Module: Linked to module rlm_eap
> Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
>   eap {
>         default_eap_type = "mschapv2"
>         timer_expire = 60
>         ignore_unknown_eap_types = no
>         cisco_accounting_username_bug = no
>         max_sessions = 4096
>   }
> Module: Linked to sub-module rlm_eap_md5
> Module: Instantiating eap-md5
> Module: Linked to sub-module rlm_eap_leap
> Module: Instantiating eap-leap
> Module: Linked to sub-module rlm_eap_gtc
> Module: Instantiating eap-gtc
>    gtc {
>         challenge = "Password: "
>         auth_type = "PAP"
>    }
> Module: Linked to sub-module rlm_eap_tls
> Module: Instantiating eap-tls
>    tls {
>         rsa_key_exchange = no
>         dh_key_exchange = yes
>         rsa_key_length = 512
>         dh_key_length = 512
>         verify_depth = 0
>         CA_path = "/etc/freeradius/certs"
>         pem_file_type = yes
>         private_key_file = "/etc/freeradius/certs/server.key"
>         certificate_file = "/etc/freeradius/certs/server.pem"
>         CA_file = "/etc/freeradius/certs/ca.pem"
>         private_key_password = "whatever"
>         dh_file = "/etc/freeradius/certs/dh"
>         random_file = "/dev/urandom"
>         fragment_size = 1024
>         include_length = yes
>         check_crl = no
>         cipher_list = "DEFAULT"
>         make_cert_command = "/etc/freeradius/certs/bootstrap"
>     cache {
>         enable = no
>         lifetime = 24
>         max_entries = 255
>     }
>     verify {
>     }
>    }
> Module: Linked to sub-module rlm_eap_ttls
> Module: Instantiating eap-ttls
>    ttls {
>         default_eap_type = "mschapv2"
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         virtual_server = "inner-tunnel"
>         include_length = yes
>    }
> Module: Linked to sub-module rlm_eap_peap
> Module: Instantiating eap-peap
>    peap {
>         default_eap_type = "mschapv2"
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         proxy_tunneled_request_as_eap = yes
>         virtual_server = "inner-tunnel"
>    }
> Module: Linked to sub-module rlm_eap_mschapv2
> Module: Instantiating eap-mschapv2
>    mschapv2 {
>         with_ntdomain_hack = no
>    }
> Module: Checking authorize {...} for more modules to load
> Module: Linked to module rlm_files
> Module: Instantiating module "files" from file /etc/freeradius/modules/files
>   files {
>         usersfile = "/etc/freeradius/users"
>         acctusersfile = "/etc/freeradius/acct_users"
>         preproxy_usersfile = "/etc/freeradius/preproxy_users"
>         compat = "no"
>   }
> Module: Checking session {...} for more modules to load
> Module: Linked to module rlm_radutmp
> Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
>   radutmp {
>         filename = "/var/log/freeradius/radutmp"
>         username = "%{User-Name}"
>         case_sensitive = yes
>         check_with_nas = yes
>         perm = 384
>         callerid = yes
>   }
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> Module: Linked to module rlm_attr_filter
> Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
>   attr_filter attr_filter.access_reject {
>         attrsfile = "/etc/freeradius/attrs.access_reject"
>         key = "%{User-Name}"
>   }
> } # modules
> } # server
> server { # from file /etc/freeradius/radiusd.conf
> modules {
> Module: Checking authenticate {...} for more modules to load
> Module: Linked to module rlm_pap
> Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
>   pap {
>         encryption_scheme = "auto"
>         auto_header = no
>   }
> Module: Linked to module rlm_digest
> Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
> Module: Checking authorize {...} for more modules to load
> Module: Checking preacct {...} for more modules to load
> Module: Linked to module rlm_preprocess
> Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
>   preprocess {
>         huntgroups = "/etc/freeradius/huntgroups"
>         hints = "/etc/freeradius/hints"
>         with_ascend_hack = no
>         ascend_channels_per_line = 23
>         with_ntdomain_hack = no
>         with_specialix_jetstream_hack = no
>         with_cisco_vsa_hack = no
>         with_alvarion_vsa_hack = no
>   }
> Module: Linked to module rlm_acct_unique
> Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
>   acct_unique {
>         key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
>   }
> Module: Linked to module rlm_realm
> Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
>   realm suffix {
>         format = "suffix"
>         delimiter = "@"
>         ignore_default = no
>         ignore_null = no
>   }
> Module: Checking accounting {...} for more modules to load
> Module: Linked to module rlm_detail
> Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
>   detail {
>         detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>         header = "%t"
>         detailperm = 384
>         dirperm = 493
>         locking = no
>         log_packet_header = no
>   }
> Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
>   attr_filter attr_filter.accounting_response {
>         attrsfile = "/etc/freeradius/attrs.accounting_response"
>         key = "%{User-Name}"
>   }
> Module: Checking session {...} for more modules to load
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> } # modules
> } # server
> radiusd: #### Opening IP addresses and Ports ####
> listen {
>         type = "auth"
>         ipaddr = *
>         port = 0
> }
> listen {
>         type = "acct"
>         ipaddr = *
>         port = 0
> }
> listen {
>         type = "auth"
>         ipaddr = 127.0.0.1
>         port = 18120
> }
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Listening on proxy address * port 1814
> Ready to process requests.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html



-- 
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
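The two-step flow Joshua describes (password plus AD group check first, then a prompt for the Google Authenticator digits) is, at the RADIUS level, an Access-Request answered with an Access-Challenge that carries a State attribute, followed by a second Access-Request that returns the State together with the one-time code. The Python below models that exchange end to end with a TOTP verifier (RFC 6238 over RFC 4226 HOTP, which is what the Google Authenticator app generates by default). It is an added example and not code from either poster, from FreeRADIUS or from the PAM module; the user directory, passwords, group names and TOTP secret are constructed test data (the secret is the RFC test-vector key), and RADIUS messages are represented as plain dicts rather than wire packets.

```python
"""Added example (not code from the posters or from FreeRADIUS): a toy
model of the two-step VPN login asked about in the thread. Phase one is
the AD password plus group check that rlm_ldap does; phase two asks for
the Google Authenticator code (TOTP, RFC 6238) through a RADIUS
Access-Challenge carrying a State attribute. RADIUS messages are dicts;
the directory below is constructed test data, not a real AD."""
import hashlib
import hmac
import secrets
import struct
import time

# Constructed stand-in for the Active Directory lookup. The TOTP secret is
# the RFC 4226/6238 test-vector key so codes can be checked against the RFCs.
DIRECTORY = {
    "alice": {"password": "correct horse", "groups": {"vpn"},
              "totp_secret": b"12345678901234567890"},
    "bob":   {"password": "hunter2", "groups": {"staff"},
              "totp_secret": b"12345678901234567890"},
}
VPN_GROUPS = {"vpn", "vpnadmin"}   # group names from the question
TOTP_STEP = 30                     # Google Authenticator default time step
TOTP_WINDOW = 1                    # tolerate +/- one step of clock skew
CHALLENGE_TTL = 120                # seconds a State token stays valid


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // step))


class RadiusOtpServer:
    """Access-Request -> Access-Challenge -> Access-Request -> Accept/Reject."""

    def __init__(self, directory, now=time.time):
        self.directory = directory
        self.now = now                 # injectable clock so the flow is testable
        self.pending = {}              # State token -> (username, issued_at)
        self.used_counters = set()     # (username, counter) already accepted: no OTP replay

    @staticmethod
    def _reject(why):
        # One generic message for every failure so callers cannot enumerate users or groups.
        return {"code": "Access-Reject", "Reply-Message": why}

    def access_request(self, attrs):
        user = attrs.get("User-Name", "")
        entry = self.directory.get(user)
        if "State" in attrs:
            return self._otp_phase(user, entry, attrs)
        # Phase 1: AD password and VPN group membership (the rlm_ldap part).
        given = attrs.get("User-Password", "").encode()
        if entry is None or not hmac.compare_digest(entry["password"].encode(), given):
            return self._reject("Login incorrect")
        if not entry["groups"] & VPN_GROUPS:
            return self._reject("Login incorrect")
        state = secrets.token_hex(16)
        self.pending[state] = (user, self.now())
        return {"code": "Access-Challenge", "State": state,
                "Reply-Message": "Enter Google Authenticator code"}

    def _otp_phase(self, user, entry, attrs):
        pending = self.pending.pop(attrs["State"], None)   # one-shot: a State cannot be reused
        if pending is None or pending[0] != user or entry is None:
            return self._reject("Login incorrect")
        if self.now() - pending[1] > CHALLENGE_TTL:
            return self._reject("Login incorrect")
        code = attrs.get("User-Password", "").encode()
        base = int(self.now() // TOTP_STEP)
        for counter in range(base - TOTP_WINDOW, base + TOTP_WINDOW + 1):
            if hmac.compare_digest(hotp(entry["totp_secret"], counter).encode(), code):
                if (user, counter) in self.used_counters:
                    return self._reject("Login incorrect")   # replayed code
                self.used_counters.add((user, counter))
                return {"code": "Access-Accept"}
        return self._reject("Login incorrect")


def login(server, user, password, otp):
    """Drive the two round trips a NAS would perform; returns both replies."""
    first = server.access_request({"User-Name": user, "User-Password": password})
    if first["code"] != "Access-Challenge":
        return first, None
    second = server.access_request({"User-Name": user, "User-Password": otp,
                                    "State": first["State"]})
    return first, second
```

Two details in the model are the ones that matter in a real deployment: the State token is consumed on first use and the accepted (user, counter) pair is remembered, so a sniffed or reused code within the skew window is refused; and every failure returns the same reject message so the second phase cannot be used to confirm which accounts exist or are in the VPN group. Whether the prompt actually reaches the user depends on the NAS honouring Access-Challenge, which is an assumption here and something to verify on the ASA rather than on the RADIUS side.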


More information about the Freeradius-Users mailing list