Freeradius with Windbind and Google authenticator issues with Cisco Anyconnect VPN
aland at deployingradius.com
Fri Sep 23 15:03:50 CEST 2016
On Sep 22, 2016, at 4:03 PM, Nawaz Hosany <mnhosany at gmail.com> wrote:
> Hi Guys
> I am trying to configure Google Authenticator to work with Windbind for VPN
> using Cisco Anyconnect on Ubuntu . Windbind works fine without Google
> Authenticator., but combined it does not work.
> I would need some help from the community. Here below are my configs and
> debugs/errors i am seeing:
> # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
Hmm... using PAM isn't recommended. PAM is generally intended for applications which authenticate a user once. We've seen issues in the past with memory leaks and performance problems.
> Wed Aug 24 15:43:43 2016 : Debug: pam_pass: using pamauth string <radiusd>
> for pam.conf lookup
> Wed Aug 24 15:43:44 2016 : Debug: pam_pass: function pam_authenticate
> FAILED for <testuser>. Reason: Cannot make/remove an entry for the
> specified session
Well, that's a PAM issue. You should ask the PAM people why their software doesn't work.
FreeRADIUS has native winbind support in recent versions. I think it's relatively simple to add google authenticator support. There's even Perl code:
TBH, we've had bad luck with third-party "authentication" systems. They are buggy, opaque, and produce either no debug messages, or entirely useless debug messages. In contrast, FreeRADIUS works, it's stable, and it tells you exactly what it's doing and why.
If anyone has time, it shouldn't be hard to write some C code to implement the google authenticator algorithm,. We could then add it as a native module to the server.
More information about the Freeradius-Users