Freeradius and 2 Factor Authentication
Aaron.Smith at kzoo.edu
Wed Jun 1 16:41:14 CEST 2016
I've been working on setting up a Microsoft Routing and Remote Access server that uses Freeradius for Authentication. Out of the box, it works fine with simple user entries in the "users" file. This is with both the Ubuntu 14.04 apt-get installations of Freeradius (2.1.x) as well as a compiled from source version of Freeradius 2.2.9. I run in to trouble when I try to add two factor authentication to the mix. I'm trying to use LinOTP as a possible replacement of our CryptoCard Blackshield implementation. The problem is that both products seem to only work with unencrypted passwords. LinOTP has two options for Freeradius authentication. There is a linotp2 module that can be compiled and installed along with Freeradius, and there is also a perl script that can be linked in with the rlm_perl module. Looking at the perl script, it is expecting to find the attribute "User-Password" in the radius request, which it uses, along with the username, to go to a web URL on the LinOTP server to verify authentication. I suspect that the linotp2 module works similarly. The documentation provided by LinOTP says to set "DEFAULT Auth-Type := linotp2" if you're using the module or "DEFAULT Auth-Type := perl" if you're using the perl script in the freeradius users file. Now, this will "work" for narrow authentication types like Microsoft's SSTP with an unencrypted password, but I'd like this solution to be more widely usable (Macs, iOS devices, etc) and use something like IKEv2, but that uses EAP-MSCHapv2. If I try that, the authentication fails saying there is no password.
My question is...am I tilting at windmills trying to make this work? I feel like it *should* be possible to do 2 factor authentication without having to resort to PPTP/unecrypted password or microsoft's proprietary SSTP. Is there a way to have freeradius pass the MSChapv2 password to a perl script or another module? Or perhaps it's possible to modify the perl script so it can accept an encrypted password? I feel like maybe there's a way to configure authentication in the "inner-tunnel" freeradius site that would make this possible. EAP-MSChapv2 authentication works with a plain, unencrypted password in the users file, so it obviously HAS the password that the user sends in SOME fashion.
A secondary question is that I imagine I can't be the first person to use Freeradius with 2 factor authentication. I'd be curious to know how other folks have tackled this project and what products they used to accomplish it.
1200 Academy Street, Kalamazoo, MI 49006
Aaron.Smith at kzoo.edu
More information about the Freeradius-Users