Contemplating change to FreeRadius configuration....

Mark J. Bobak mark at bobak.net
Tue Jan 22 16:51:59 CET 2019


Thanks for the replies, Alan and Eero.  Much appreciated.

I'm not in any hurry, but I'll spin up a new server and try working on it
in the background.

-Mark

On Mon, Jan 21, 2019 at 3:34 PM Eero Volotinen <eero.volotinen at iki.fi>
wrote:

> Hi,
>
> check this document out
>
> https://github.com/rharmonson/richtech/wiki/CentOS-7-Minimal-&-Two-factor-Authentication-using-FreeRADIUS-3,-SSSD-1.12,-&-Google-Authenticator
>
> It might work.
>
> Eero
>
>
> On Mon, Jan 21, 2019, 22:14 Mark J. Bobak <mark at bobak.net> wrote:
>
> > Hi all,
> >
> > I've been on this list for a while, but I'm mostly just a lurker.
> >
> > But, I wanted to run a thought by folks here, before I spend too much time
> > on the effort.
> >
> > Currently, I'm running Freeradius 3.0.13 (which I think was current when we
> > installed) on RedHat Enterprise Linux 7 (7.6).
> >
> > I have a very simple implementation, using FreeRadius, Google
> > Authenticator, and Linux.  I create an account in Linux, and each Linux
> > account has a Google Authenticator component, and I use FreeRadius as the
> > backend to authenticate VPN users, coming from a Dell SonicWall TZ400.
> >
> > All this works with no issue.  (The main reason I've been so quiet on this
> > list. ;-))
> >
> > Users come in from VPN, supply username, password, and Google auth OTP, and
> > FreeRadius authenticates them.  The users are defined in Linux, on the
> > FreeRadius server itself.
> >
> > Since I first set this up a couple of years ago, we have made some changes,
> > including moving to a Samba backend to do Active Directory authentication
> > for Windows logins.
> >
> > So, my question is, instead of maintaining a separate database for VPN, is
> > it possible (and how hard) to make my Samba server be the backend?  So,
> > when we add a user to the Samba AD server, they will gain VPN login access,
> > in addition to the Windows domain for Windows login access.
> >
> > If I go that way, would the Google Auth stuff have to move over to the
> > Samba server?  Would two-factor auth apply to Windows domain login as well
> > as VPN access?  (That may be a Samba question, sorry.)  Would the
> > FreeRadius server need to move to the Samba server?
> >
> > Has anyone done something like this?  Was it difficult?
> >
> > I'm a little bit loath to change a configuration that has been working so
> > well for so long....but as we grow, I'm willing to bet it will pay for
> > itself in time saved.
> >
> > Any helpful hints?  Pointers to docs?
> >
> > All comments are much appreciated.
> >
> > Thanks,
> >
> > -Mark
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list