Freeradius with Windbind and Google authenticator issues with Cisco Anyconnect VPN
Hi Guys I am trying to configure Google Authenticator to work with Windbind for VPN using Cisco Anyconnect on Ubuntu . Windbind works fine without Google Authenticator., but combined it does not work. I would need some help from the community. Here below are my configs and debugs/errors i am seeing: # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS # # We fall back to the system default in /etc/pam.d/common-* # @include common-auth @include common-account @include common-password @include common-session auth requisite pam_google_authenticator.so forward_pass auth required pam_winbind.so use_first_pass account required pam_permit.so # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # # As of pam 1.0.1-6, this file is managed by pam-auth-update by default. # To take advantage of this, it is recommended that you configure any # local modules either before or after the default block, and use # pam-auth-update to manage selection of other modules. See # pam-auth-update(8) for details. # here are the per-package modules (the "Primary" block) auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login # here's the fallback if no module succeeds # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_google_authenticator.so auth required pam_winbind.so auth required pam_permit.so auth requisite pam_deny.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config Below is the error message i am getting when trying to authenticate, i am using <AD password><google-authenticator-token>: User-Name = "testuser" User-Password = "4c330e@3O7K5401206" NAS-Port = 577536 Called-Station-Id = "10.33.3.100" Calling-Station-Id = "10.1.3.10" NAS-Port-Type = Virtual Tunnel-Client-Endpoint:0 = "10.1.3.10" Cisco-AVPair = "mdm-tlv=device-platform=win" Cisco-AVPair = "mdm-tlv=device-mac=02-00-4c-4f-4f-50" Cisco-AVPair = "mdm-tlv=device-mac=f0-1f-af-3c-1d-b0" Cisco-AVPair = "mdm-tlv=device-type=Dell Inc. XPS L421X" Cisco-AVPair = "mdm-tlv=ac-user-agent=AnyConnect Windows 4.2.03013" Cisco-AVPair = "mdm-tlv=device-platform-version=6.1.7601 Service Pack 1" Cisco-AVPair = "mdm-tlv=device-uid=26CC5FF8D17E0CF5A9DDDBA2E53009E17488F0B66E780F33A635AA1A7ABC26B9" NAS-IP-Address = 10.33.4.100 Cisco-AVPair = "audit-session-id=0a2103640008d00057bdf75b" Cisco-AVPair = "ip:source-ip=10.1.3.10" Vendor-3076-Attr-146 = 0x4f414e444174657374 Vendor-3076-Attr-150 = 0x00000002 Cisco-AVPair = "coa-push=true" Wed Aug 24 15:43:43 2016 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 24 15:43:43 2016 : Info: +- entering group authorize {...} Wed Aug 24 15:43:43 2016 : Info: ++[preprocess] returns ok Wed Aug 24 15:43:43 2016 : Info: ++[chap] returns noop Wed Aug 24 15:43:43 2016 : Info: ++[mschap] returns noop Wed Aug 24 15:43:43 2016 : Info: ++[digest] returns noop Wed Aug 24 15:43:43 2016 : Info: [suffix] No '@' in User-Name = "testuser", looking up realm NULL Wed Aug 24 15:43:43 2016 : Info: [suffix] No such realm "NULL" Wed Aug 24 15:43:43 2016 : Info: ++[suffix] returns noop Wed Aug 24 15:43:43 2016 : Info: [eap] No EAP-Message, not doing EAP Wed Aug 24 15:43:43 2016 : Info: ++[eap] returns noop Wed Aug 24 15:43:43 2016 : Info: [files] users: Matched entry DEFAULT at line 58 Wed Aug 24 15:43:43 2016 : Info: ++[files] returns ok Wed Aug 24 15:43:43 2016 : Info: ++[expiration] returns noop Wed Aug 24 15:43:43 2016 : Info: ++[logintime] returns noop Wed Aug 24 15:43:43 2016 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Wed Aug 24 15:43:43 2016 : Info: ++[pap] returns noop Wed Aug 24 15:43:43 2016 : Info: Found Auth-Type = PAM Wed Aug 24 15:43:43 2016 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 24 15:43:43 2016 : Info: +- entering group authenticate {...} Wed Aug 24 15:43:43 2016 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup Wed Aug 24 15:43:44 2016 : Debug: pam_pass: function pam_authenticate FAILED for <testuser>. Reason: Cannot make/remove an entry for the specified session Wed Aug 24 15:43:44 2016 : Info: ++[pam] returns reject Wed Aug 24 15:43:44 2016 : Info: Failed to authenticate the user. Wed Aug 24 15:43:44 2016 : Info: Using Post-Auth-Type Reject Wed Aug 24 15:43:44 2016 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 24 15:43:44 2016 : Info: +- entering group REJECT {...} Wed Aug 24 15:43:44 2016 : Info: [attr_filter.access_reject] expand: %{User-Name} -> testuser Wed Aug 24 15:43:44 2016 : Debug: attr_filter: Matched entry DEFAULT at line 11 Wed Aug 24 15:43:44 2016 : Info: ++[attr_filter.access_reject] returns updated Wed Aug 24 15:43:44 2016 : Info: Delaying reject of request 0 for 1 seconds Wed Aug 24 15:43:44 2016 : Debug: Going to the next request Wed Aug 24 15:43:44 2016 : Debug: Waking up in 0.8 seconds. Wed Aug 24 15:43:44 2016 : Info: Sending delayed reject for request 0 Sending Access-Reject of id 180 to 10.33.4.100 port 29288 Wed Aug 24 15:43:44 2016 : Debug: Waking up in 4.9 seconds. Wed Aug 24 15:43:49 2016 : Info: Cleaning up request 0 ID 180 with timestamp +23 Wed Aug 24 15:43:49 2016 : Info: Ready to process requests. Below is the log from var/log/auth.log: Aug 24 15:43:43 oatr2radius01 freeradius: pam_winbind(radiusd:auth): getting password (0x00000380) Aug 24 15:43:44 oatr2radius01 freeradius: pam_winbind(radiusd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_LOGON_FAILURE, Error message was: Logon failure Aug 24 15:43:44 oatr2radius01 freeradius: pam_winbind(radiusd:auth): user 'testuser' denied access (incorrect password or invalid membership) Aug 24 15:43:44 oatr2radius01 radiusd(pam_google_authenticator)[10570]: Invalid verification code Aug 24 15:43:44 oatr2radius01 freeradius[10570]: pam_winbind(radiusd:auth): getting password (0x00000000) Aug 24 15:43:44 oatr2radius01 freeradius[10570]: pam_winbind(radiusd:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_AUTH_ERR (7), NTSTATUS: NT_STATUS_WRONG_PASSWORD, Error message was: Wrong Password Aug 24 15:43:44 oatr2radius01 freeradius[10570]: pam_winbind(radiusd:auth): user 'testuser' denied access (incorrect password or invalid membership) However, i noticed when I only enter the AD password instead of AD Password+token, i get the following output: rad_recv: Access-Request packet from host 10.33.4.100 port 29288, id=181, length=612 User-Name = "testuser" User-Password = "4c330e@3O7K5" NAS-Port = 581632 Called-Station-Id = "10.33.3.100" Calling-Station-Id = "10.1.3.10" NAS-Port-Type = Virtual Tunnel-Client-Endpoint:0 = "10.1.3.10" Cisco-AVPair = "mdm-tlv=device-platform=win" Cisco-AVPair = "mdm-tlv=device-mac=02-00-4c-4f-4f-50" Cisco-AVPair = "mdm-tlv=device-mac=f0-1f-af-3c-1d-b0" Cisco-AVPair = "mdm-tlv=device-type=Dell Inc. XPS L421X" Cisco-AVPair = "mdm-tlv=ac-user-agent=AnyConnect Windows 4.2.03013" Cisco-AVPair = "mdm-tlv=device-platform-version=6.1.7601 Service Pack 1" Cisco-AVPair = "mdm-tlv=device-uid=26CC5FF8D17E0CF5A9DDDBA2E53009E17488F0B66E780F33A635AA1A7ABC26B9" NAS-IP-Address = 10.33.4.100 Cisco-AVPair = "audit-session-id=0a2103640008e00057bdf9bc" Cisco-AVPair = "ip:source-ip=10.1.3.10" Vendor-3076-Attr-146 = 0x4f414e444174657374 Vendor-3076-Attr-150 = 0x00000002 Cisco-AVPair = "coa-push=true" Wed Aug 24 15:53:53 2016 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default Wed Aug 24 15:53:53 2016 : Info: +- entering group authorize {...} Wed Aug 24 15:53:53 2016 : Info: ++[preprocess] returns ok Wed Aug 24 15:53:53 2016 : Info: ++[chap] returns noop Wed Aug 24 15:53:53 2016 : Info: ++[mschap] returns noop Wed Aug 24 15:53:53 2016 : Info: ++[digest] returns noop Wed Aug 24 15:53:53 2016 : Info: [suffix] No '@' in User-Name = "testuser", looking up realm NULL Wed Aug 24 15:53:53 2016 : Info: [suffix] No such realm "NULL" Wed Aug 24 15:53:53 2016 : Info: ++[suffix] returns noop Wed Aug 24 15:53:53 2016 : Info: [eap] No EAP-Message, not doing EAP Wed Aug 24 15:53:53 2016 : Info: ++[eap] returns noop Wed Aug 24 15:53:53 2016 : Info: [files] users: Matched entry DEFAULT at line 58 Wed Aug 24 15:53:53 2016 : Info: ++[files] returns ok Wed Aug 24 15:53:53 2016 : Info: ++[expiration] returns noop Wed Aug 24 15:53:53 2016 : Info: ++[logintime] returns noop Wed Aug 24 15:53:53 2016 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Wed Aug 24 15:53:53 2016 : Info: ++[pap] returns noop Wed Aug 24 15:53:53 2016 : Info: Found Auth-Type = PAM Wed Aug 24 15:53:53 2016 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 24 15:53:53 2016 : Info: +- entering group authenticate {...} Wed Aug 24 15:53:53 2016 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup Wed Aug 24 15:53:53 2016 : Debug: pam_pass: function pam_authenticate FAILED for <testuser>. Reason: Authentication failure Wed Aug 24 15:53:53 2016 : Info: ++[pam] returns reject Wed Aug 24 15:53:53 2016 : Info: Failed to authenticate the user. Wed Aug 24 15:53:53 2016 : Info: Using Post-Auth-Type Reject Wed Aug 24 15:53:53 2016 : Info: # Executing group from file /etc/freeradius/sites-enabled/default Wed Aug 24 15:53:53 2016 : Info: +- entering group REJECT {...} Wed Aug 24 15:53:53 2016 : Info: [attr_filter.access_reject] expand: %{User-Name} -> testuser Wed Aug 24 15:53:53 2016 : Debug: attr_filter: Matched entry DEFAULT at line 11 Wed Aug 24 15:53:53 2016 : Info: ++[attr_filter.access_reject] returns updated Wed Aug 24 15:53:53 2016 : Info: Delaying reject of request 1 for 1 seconds Wed Aug 24 15:53:53 2016 : Debug: Going to the next request Wed Aug 24 15:53:53 2016 : Debug: Waking up in 0.6 seconds. Wed Aug 24 15:53:54 2016 : Info: Sending delayed reject for request 1 Sending Access-Reject of id 181 to 10.33.4.100 port 29288 Wed Aug 24 15:53:54 2016 : Debug: Waking up in 4.9 seconds. Wed Aug 24 15:53:59 2016 : Info: Cleaning up request 1 ID 181 with timestamp +633 Wed Aug 24 15:53:59 2016 : Info: Ready to process requests. And /var/log/auth.log shows: Aug 24 15:53:53 oatr2radius01 freeradius[10570]: pam_winbind(radiusd:auth): getting password (0x00000380) Aug 24 15:53:53 oatr2radius01 freeradius[10570]: pam_winbind(radiusd:auth): user 'testuser' granted access Aug 24 15:53:53 oatr2radius01 freeradius[10570]: pam_winbind(radiusd:auth): getting password (0x00000000) Aug 24 15:53:53 oatr2radius01 freeradius[10570]: pam_winbind(radiusd:auth): user 'testuser' granted access I sincerely hope that someone can help me out Thanks Guys!
On Sep 22, 2016, at 4:03 PM, Nawaz Hosany <mnhosany@gmail.com> wrote:
Hi Guys I am trying to configure Google Authenticator to work with Windbind for VPN using Cisco Anyconnect on Ubuntu . Windbind works fine without Google Authenticator., but combined it does not work. I would need some help from the community. Here below are my configs and debugs/errors i am seeing:
# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
Hmm... using PAM isn't recommended. PAM is generally intended for applications which authenticate a user once. We've seen issues in the past with memory leaks and performance problems.
Wed Aug 24 15:43:43 2016 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup Wed Aug 24 15:43:44 2016 : Debug: pam_pass: function pam_authenticate FAILED for <testuser>. Reason: Cannot make/remove an entry for the specified session
Well, that's a PAM issue. You should ask the PAM people why their software doesn't work. FreeRADIUS has native winbind support in recent versions. I think it's relatively simple to add google authenticator support. There's even Perl code: http://blog.darkpan.com/article/6/Perl-and-Google-Authenticator.html TBH, we've had bad luck with third-party "authentication" systems. They are buggy, opaque, and produce either no debug messages, or entirely useless debug messages. In contrast, FreeRADIUS works, it's stable, and it tells you exactly what it's doing and why. If anyone has time, it shouldn't be hard to write some C code to implement the google authenticator algorithm,. We could then add it as a native module to the server. Alan DeKok.
On Fri, Sep 23, 2016 at 09:03:50AM -0400, Alan DeKok wrote:
On Sep 22, 2016, at 4:03 PM, Nawaz Hosany <mnhosany@gmail.com> wrote:
Wed Aug 24 15:43:43 2016 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup Wed Aug 24 15:43:44 2016 : Debug: pam_pass: function pam_authenticate FAILED for <testuser>. Reason: Cannot make/remove an entry for the specified session
FreeRADIUS has native winbind support in recent versions. I think it's relatively simple to add google authenticator support. There's even Perl code:
Agreed. I'd start on this by splitting the password out into password/code in FreeRADIUS, then just checking both. You can use ntlm_auth in up to version 3.0, and rlm_winbind if you want to try it in v3.1. Then it's just a matter of also checking the GA code is correct, maybe with that Perl code. Avoids using PAM entirely. Which is a good thing.
If anyone has time, it shouldn't be hard to write some C code to implement the google authenticator algorithm,. We could then add it as a native module to the server.
I like all the parts of that apart from the "has time..." bit :( Doubt it would be a hard module to write, though. Matthew -- Matthew Newton, Ph.D. <mcn4@leicester.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
participants (3)
-
Alan DeKok -
Matthew Newton -
Nawaz Hosany