On Jul 24, 2015, at 9:28 PM, Josh Miller <jmills5901@gmail.com> wrote:
I am attempting to configure 2 factor authentication using Google Authenticator + AD (Winbind), ultimately for use in my Cisco and Windows VPN environment.
That should work.
The environment is as follows:
-Fedora 22 -Freeradius 3.0.4 -Samba 4.2.2
I'd suggest using 3.0.9.
---------------------- #/etc/pam.d/radius
auth required /usr/lib64/security/pam_winbind.so debug ----------------------
Don't use PAM. It's not just horrible, it's designed to be used once by an application, and then never again. It will likely leak memory, cause performance issues, etc. I would suggest using the ntlm_auth program. It's documented, and it works.
Standard NTLM via AD works very well, but utilizing the PAM module is creating a whole new can of worms.
Don't use PAM. It's almost impossible to understand. And almost impossible to debug.
My use case for PAM is 2 factor authentication with Google Authenticator, but if there is a better way to do this while still utilizing FreeRadius, then I am very interested.
You can run Perl scripts directly from FreeRADIUS. That should help.
However, at this point I have not been unable to find another authentication methodology for Google OTP without the PAM component.
I don't see why PAM is necessary.
Also attaching the, radius -XXX startup output separately.
<sigh> Please use "radiusd -X". Not "-XXXXXXXXXXX". It doesn't help. Following directions is good. And the directions say "-X". Alan DeKok.