Freeradius with Winbind and Google authenticator issues with Cisco Anyconnect VPN
Matthew Newton
mcn4 at leicester.ac.uk
Fri Sep 23 16:23:32 CEST 2016
On Fri, Sep 23, 2016 at 09:03:50AM -0400, Alan DeKok wrote:
> On Sep 22, 2016, at 4:03 PM, Nawaz Hosany <mnhosany at gmail.com> wrote:
> > Wed Aug 24 15:43:43 2016 : Debug: pam_pass: using pamauth string <radiusd>
> > for pam.conf lookup
> > Wed Aug 24 15:43:44 2016 : Debug: pam_pass: function pam_authenticate
> > FAILED for <testuser>. Reason: Cannot make/remove an entry for the
> > specified session
>
> FreeRADIUS has native winbind support in recent versions. I
> think it's relatively simple to add google authenticator
> support. There's even Perl code:
Agreed. I'd start on this by splitting the password out into
password/code in FreeRADIUS, then just checking both. You can use
ntlm_auth in up to version 3.0, and rlm_winbind if you want to try
it in v3.1.

Then it's just a matter of also checking the GA code is correct,
maybe with that Perl code.

Avoids using PAM entirely. Which is a good thing.
> If anyone has time, it shouldn't be hard to write some C code
> to implement the google authenticator algorithm. We could
> then add it as a native module to the server.
I like all the parts of that apart from the "has time..." bit :(
Doubt it would be a hard module to write, though.
Matthew
--
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>