FW: FreeRadius - Integrate FreeRadius with Google Authenticator

Eero Volotinen eero.volotinen at iki.fi
Wed Jan 20 06:01:46 CET 2021


You mainly need some way to set up Google Authenticator for users.

I used some scripts with a web GUI to set up accounts in a way that the user can set
it up without "IT helpdesk support".

Eero

On Wed 20. Jan 2021 at 4.33, YewFong.Chua at fujitsu.com <
YewFong.Chua at fujitsu.com> wrote:

> Hi Cornelius,
>
> Thanks for your reply. Aside from that, Eero replied to use the following URL
> link to configure freeradius to work with Google Authenticator.
>
> https://networkjutsu.com/freeradius-google-authenticator/
>
> May I know how you enrol the individual user using the Google Authenticator
> app to work with freeradius? As I saw, one of the articles mentions
> securing SSH with Google Authenticator, and I am not sure whether this is
> the step to enrol the individual user to use the Google Authenticator app
> as the token to enrol to freeradius.
>
> https://networkjutsu.com/ssh-google-authenticator/
>
> Sorry that I am new to freeradius and would like to understand more so
> that we could setup the freeradius to work with google authenticator
> portion.
>
> Also, I am aware that the CyberArk portion might be out of scope of the
> mailing list. But I would like to explain in detail, so that I can seek
> your help correctly on freeradius.
>
> So based on the CyberArk portion, the user will log on to a web portal via
> their LDAP account followed by the Google Authenticator OTP, in order for
> the user to log on successfully to the CyberArk web portal.
>
> So I am assuming that CyberArk will talk to the LDAP server for the
> LDAP login; then, once the LDAP authentication matches what is in CyberArk,
> CyberArk will talk to freeradius to match the OTP that is keyed in by the
> user after viewing the Google Authenticator app. This is generally how
> CyberArk works for their web portal login using a 2FA solution (LDAP and
> RADIUS authentication).
>
> Coming back to FreeRadius, if that is the case for CyberArk, do we need
> to integrate FreeRadius with LDAP? Or will just joining the Ubuntu
> server to the specific domain do?
>
> As I have seen, a few RADIUS products like RSA and SecurEnvoy need to
> use a bind account to pull user information from the LDAP server. Not sure
> whether FreeRadius also requires that?
>
> Regards,
> Yew Fong
>
>
>
>
>
> -----Original Message-----
> From: Freeradius-Users <freeradius-users-bounces+yewfong.chua=
> fujitsu.com at lists.freeradius.org> On Behalf Of Cornelius Kölbel via
> Freeradius-Users
> Sent: Wednesday, January 20, 2021 1:10 AM
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Cc: Cornelius Kölbel <cornelius.koelbel at netknights.it>
> Subject: Re: FW: FreeRadius - Integrate FreeRadius with Google
> Authenticator
>
> Hello Yew Fong,
>
> these are some very detailed, conceptual questions, which might be out of
> scope of the mailing list.
>
> see below...
>
> On Tuesday, 19.01.2021, 05:11 +0000, YewFong.Chua at fujitsu.com wrote:
> > Hi Members of FreeRadius,
> >
> > I would like to check whether FreeRadius has a proper guide or
> > steps for us to integrate FreeRadius with Google Authenticator.
> >
> > Also, we have a few concerns mentioned below and are not sure whether
> > FreeRadius is able to highlight our concerns:
> >
> >
> > 1) Can FreeRadius be installed on the latest Ubuntu server 20.04?
>
> Yes, via apt.
>
> >
> > 2) How can we integrate FreeRadius with Google Authenticator? Is
> > there any guide or proper steps we can follow?
>
> In addition to the link Eero sent, you might want to take a look at our
> 2FA management solution privacyIDEA (https://privacyidea.org). It comes
> with a FreeRADIUS plugin based on rlm_perl and allows for a bigger approach
> and management.
>
>
> >
> > 3) I understand that CyberArk, which is a Privileged Access
> > Management solution, can work with FreeRadius by configuring the RADIUS
> > configuration on CyberArk to talk to FreeRadius. May I know whether
> > any additional configuration (other than creating a RADIUS client on
> > FreeRadius) is required on the FreeRadius side in order
> > for FreeRadius with Google Authenticator to work?
>
> The important question is whether CyberArk is reauthenticating the user
> during a session. If it sends a cached password after a certain amount of
> time, the user will be logged out, since the OTP is not valid anymore.
> Sounds strange - but there are in fact applications that do such stuff.
>
> Besides that, it should(TM) work.
>
>
> >
> > 4) Also, are there any proper steps for the following
> > tasks:
> >
> > a. Patch for the FreeRadius application.
> >
> > b. Patch for the Ubuntu server that is installed with FreeRadius.
> >
> > c. Steps to harden the Ubuntu server.
> >
> > d. Assume that Google Authenticator can be upgraded just as it is,
> > and it will not affect FreeRadius?
>
> This depends on the way you want to go.
> You do not need to patch FreeRADIUS.
> In any case you only need to configure it.
> Hardening your Ubuntu should be a topic somewhere else.
>
> Regards,
> Cornelius
>
>
> >
> > Regards,
> > Yew Fong
> >
> > Off-in-Lieu
> > Planning: Nil
> >
> > Annual Leave
> > Planning: 22nd, 28th & 29th Jan 2021
> >                   15th to 19th Feb 2021
> >
> > National Reservist Leave
> > Nil
> >
> > Fujitsu Asia Pte Ltd
> > Nexus @One-North
> > 1 Fusionopolis Link, #04-01
> > Singapore 138542
> > DID: +65 6512 7525
> > Mobile: +65 9794 6548
> > E-mail: yewfong.chua at fujitsu.com
> > Web: http://sg.fujitsu.com | LinkedIn:
> > www.linkedin.com/company/fujitsu-asia
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> --
> Cornelius Kölbel
> cornelius.koelbel at netknights.it
> Tel:+49-561-9979-1540
>
> NetKnights GmbH    https://www.netknights.it
> Ludwig-Erhard-Str. 12, 34131 Kassel, Germany
> Tel:+49-561-3166797      Fax:+49-561-3166798
>
> Amtsgericht Kassel      HRB 16405
> Geschäftsführer: Cornelius Kölbel
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
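
The two points raised in this thread, self-service enrolment and a cached OTP failing on re-authentication, shown as an added example that is not code from any poster, from FreeRADIUS or from the Google Authenticator PAM module. It implements standard RFC 6238 TOTP; the user name, issuer name, login time and the `last_step` replay check are assumptions made for illustration.

```python
import base64, hashlib, hmac, secrets, struct
from urllib.parse import quote, urlencode

STEP = 30    # seconds per time step (the Google Authenticator default)
DIGITS = 6

def new_secret(nbytes=20):
    """Random per-user secret, Base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()

def provisioning_uri(secret, user, issuer):
    """otpauth:// URI that a self-service enrolment page renders as a QR code."""
    label = quote(f"{issuer}:{user}")
    params = urlencode({"secret": secret, "issuer": issuer,
                        "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{params}"

def totp(secret, at):
    """RFC 6238 code (HMAC-SHA1) for Unix time `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    digest = hmac.new(base64.b32decode(secret), counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret, code, at, last_step=-1, window=1):
    """Return the matched time step or None.

    Accepts +/- `window` steps of clock drift and refuses any step that is
    not newer than `last_step` (assumed server-side replay protection).
    """
    now = int(at) // STEP
    for step in range(now - window, now + window + 1):
        if step > last_step and hmac.compare_digest(totp(secret, step * STEP), code):
            return step
    return None

if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "alice", "ExampleRADIUS"))  # constructed names
    t0 = 1_611_118_800                                         # constructed login time
    code = totp(secret, t0)
    step = verify(secret, code, t0)
    print("first login accepted:", step is not None)
    # A client that re-sends the cached OTP ten minutes later is rejected.
    print("cached OTP accepted:", verify(secret, code, t0 + 600, step) is not None)
```

The secret shown to the user in the QR code must be the same one the RADIUS-side verifier reads, so the enrolment page and the server need a shared, access-controlled store for it.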

