Radius with Google Authenticator/LDAP

Daniel Lumb daniel.lumb at outlook.com
Tue Jul 24 12:41:06 CEST 2018

Hi all,

First time using FreeRadius so apologies if these aren’t great questions but I’ve done a fair amount of internet trawling and haven’t found anything that addresses my issue.

So, I’m looking to configure FreeRadius as an authentication source for a Cisco VPN with 2FA. I’d like to use Google authenticator for the second factor.

There are plenty of guides on integrating Google authenticator with FreeRadius, which appear to point FreeRadius to use PAM and then add the Google authenticator config to the Radius PAM stack.

In all of these examples, the OTP code must be entered on the end of the user password in the same input field, which is fine. The issue is that all of these examples use local linux users in the PAM stack, like this:

#@include common-auth

#@include common-account

#@include common-password

#@include common-session

auth requisite pam_google_authenticator.so forward_pass

auth required pam_unix.so use_first_pass

I currently have Radius setup to authenticate against LDAP (Through the FreeRadius config itself, nothing to do with PAM) - is there a way that I can use the LDAP account as a the second part of this 2FA rather than a local account?

It seems that it will have to involve PAM because as part of the google authenticator setup you have to tell FreeRadius to use PAM in the authorize/authenticate config.

Any advice? Is it just a case of picking a different source for the OTP that is better integrated with FreeRadius?



More information about the Freeradius-Users mailing list