FW: FreeRadius - Integrate FreeRadius with Google Authenticator

YewFong.Chua at fujitsu.com YewFong.Chua at fujitsu.com
Wed Jan 20 03:32:06 CET 2021

Hi Cornelius,

Thanks for your reply. Aside from Eero replied to use the following url link to configure freeradius to work with google authenticator.


May I know how do you enrol the individual user using google authenticator app to work with freeradius? As I saw, one of the article mentioning about securing SSH with Google Authenticator and I am not sure whether this is the step to enrol the individual user to use the google authenticator app as the token to enrol to the freeradius. 


Sorry that I am new to freeradius and would like to understand more so that we could setup the freeradius to work with google authenticator portion.

Also, I am aware that the CyberArk portion might be out of scope of the mailing list. But I would like to explain detailed, so that I could seek for your help correctly on freeradius.

So based on CyberArk portion, user will logon to a web portal via their ldap account followed by the google authenticator, OTP. In order for the user to logon successfully to CyberArk web portal.

So I am assuming that, the CyberArk will talk to the ldap server for the ldap login then once the ldap authentication matches what is in CyberArk. Then CyberArk will talk to freeradius to match the OTP that is key by user after viewing the google authenticator app. This is what generally how the CyberArk works for their web portal login using 2FA solution (LDAP and Radius Authentication).

Come back to the FreeRadius, if that is the case for CyberArk. Do we need to integrate the FreeRadius with ldap? Or we can just join the Ubuntu server to the specific domain will do?

As I have seen a few radius products like RSA and SecurEnvoy they need to use a bind account to pull user information from ldap server. Not sure whether FreeRadius also requires that?

Yew Fong

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+yewfong.chua=fujitsu.com at lists.freeradius.org> On Behalf Of Cornelius Kölbel via Freeradius-Users
Sent: Wednesday, January 20, 2021 1:10 AM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Cornelius Kölbel <cornelius.koelbel at netknights.it>
Subject: Re: FW: FreeRadius - Integrate FreeRadius with Google Authenticator

Hello Yew Fong,

these are some very detailed, conceptual questions, which might be out of scope of the mailing list.

see below...

Am Dienstag, den 19.01.2021, 05:11 +0000 schrieb
YewFong.Chua at fujitsu.com:
> Hi Members of FreeRadius,
> I would like to check whether, does FreeRadius has a proper guide or 
> step for us to integrate FreeRadius with Google Authenticator?
> Also, we have a few concern mentioned below and not sure whether 
> FreeRadius is able to highlight our concern:
> 1)      Can FreeRadius installed on the latest Ubuntu server 20.04?

Yes, via apt.

> 2)      How can we integrate FreeRadius with Google Authenticator? Is
> there any guide or proper step we can follow?

In addition to the link Eero sent, you might want to take a look at our 2FA management solution privacyIDEA. https://privacyidea.org It comes with a FreeRADIUS plugin based on rlm_perl and allows for bigger approach and management.

> 3)      Understand that CyberArk which is a Privileged Access
> Management solution can work with FreeRadius by configuring the Radius 
> Configuration on CyberArk to talk to FreeRadius. May I know whether 
> any additional configuration (Other than creating Radius Client on 
> FreeRadius) that is required to be done on FreeRadius side in order 
> for FreeRadius with Google Authenticator to works?

The important question is, if cyberark is reauthenticating the user during a session. If it sends a cached password after a certain amount of time, the user will be logged out, since the OTP is not valid anymore.
Sounds strange - but there are in fact applications that do such stuff.

Besides that, it should(TM) work.

> 4)      Also, whether is there any proper step for the following
> tasks:
> a.       Patch for FreeRadius application.
> b.       Patch for Ubuntu server that is installed with FreeRadius
> c.       Step to harden the Ubuntu server
> d.       Assume that Google Authenticator can upgrade, just as it is
> and it will not affect the FreeRadius?

This depends on the way you want to go.
You do not need to patch FreeRADIUS.
In any way you only need to configure it.
Hardening your Ubuntu should be topic somewhere else.


> Regards,
> Yew Fong
> Off-in-Lieu
> Planning: Nil
> Annual Leave
> Planning: 22nd, 28th & 29th Jan 2021
>                   15th to 19th Feb 2021
> National Reservist Leave
> Nil
> Fujitsu Asia Pte Ltd
> Nexus @One-North
> 1 Fusionopolis Link, #04-01
> Singapore 138542
> DID: +65 6512 7525
> Mobile: +65 9794 6548
> E-mail: yewfong.chua at fujitsu.com<mailto:yewfong.chua at fujitsu.com>
> Web: http://sg.fujitsu.com<http://sg.fujitsu.com/>; | LinkedIn: 
> www.linkedin.com/company/fujitsu-asia<http://www.linkedin.com/company/
> fujitsu-asia>
> ;
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
Cornelius Kölbel
cornelius.koelbel at netknights.it
NetKnights GmbH    https://www.netknights.it
Ludwig-Erhard-Str. 12, 34131 Kassel, Germany
Tel:+49-561-3166797      Fax:+49-561-3166798
Amtsgericht Kassel      HRB 16405
Geschäftsführer: Cornelius Kölbel

More information about the Freeradius-Users mailing list