Contemplating change to FreeRadius configuration....
Eero Volotinen
eero.volotinen at iki.fi
Mon Jan 21 21:33:53 CET 2019
Hi,
check this document out
https://github.com/rharmonson/richtech/wiki/CentOS-7-Minimal-&-Two-factor-Authentication-using-FreeRADIUS-3,-SSSD-1.12,-&-Google-Authenticator
It might work.
Eero
On Mon, Jan 21, 2019, 22:14 Mark J. Bobak <mark at bobak.net> wrote:
> Hi all,
>
> I've been on this list for a while, but I'm mostly just a lurker.
>
> But, I wanted to run a thought by folks here, before I spend too much time
> on the effort.
>
> Currently, I'm running Freeradius 3.0.13 (which I think was current when we
> installed) on RedHat Enterprise Linux 7 (7.6).
>
> I have a very simple implementation, using FreeRadius, Google
> Authenticator, and Linux. I create an account in Linux, and each Linux
> account has a Google Authenticator component, and I use FreeRadius as the
> backend to authenticate VPN users, coming from a Dell SonicWall TZ400.
>
> All this works with no issue. (The main reason I've been so quiet on this
> list. ;-))
>
> Users come in from VPN, supply username, password, and Google auth OTP, and
> FreeRadius authenticates them. The users are defined in Linux, on the
> FreeRadius server itself.
>
> Since I first set this up a couple of years ago, we have made some changes,
> including moving to a Samba backend to do Active Directory authentication
> for Windows logins.
>
> So, my question is, instead of maintaining a separate database for VPN, is
> it possible (and how hard) to make my Samba server be the backend? So,
> when we add a user to the Samba AD server, they will gain VPN login access,
> in addition to the Windows domain for Windows login access.
>
> If I go that way, would the Google Auth stuff have to move over to the
> Samba server? Would two-factor auth apply to Windows domain login as well
> as VPN access? (That may be a Samba question, sorry.) Would the
> FreeRadius server need to move to the Samba server?
>
> Has anyone done something like this? Was it difficult?
>
> I'm a little bit loath to change a configuration that has been working so
> well for so long....but as we grow, I'm willing to bet it will pay for
> itself in time saved.
>
> Any helpful hints? Pointers to docs?
>
> All comments are much appreciated.
>
> Thanks,
>
> -Mark
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html