Freeradius + Active Directory + Google 验证器
Freeradius + Active Directory + Google Authenticator
我一直在尝试让 VPN 用户使用 2FA(Google 身份验证器)进行身份验证。目前我有 Cisco ISE、FreeRadius 服务器和 Active Directory。我想要实现的是当用户连接到 VPN (Cisco ISE) 时,服务器从 Radius 服务器请求用户,然后 Radius 服务器从 Active Directory 验证用户。如果用户身份验证成功,FreeRadius 服务器必须向用户请求 OTP。我的配置是:
/etc/raddb/sites-enabled/default
# FreeRADIUS 3 virtual server "default" (sites-enabled/default) as posted.
# Intended flow, per the page: first factor against Active Directory through
# rlm_ldap, then a second round asking the user for a Google Authenticator OTP.
server default {
	# Authentication listener bound to a single address. port = 0 selects the
	# server's default RADIUS authentication port.
	listen {
		type = auth
		ipaddr = 1.1.1.1
		port = 0
		# Connection limits; these apply to TCP transports.
		limit {
			max_connections = 16
			lifetime = 0
			idle_timeout = 30
		}
	}
	# Accounting listener is bound to every interface, unlike the auth listener
	# above. NOTE(review): confirm the asymmetry is intended.
	listen {
		ipaddr = *
		port = 0
		type = acct
	}
	# authorize: decide how the request will be authenticated.
	authorize {
		filter_username
		preprocess
		chap
		mschap
		digest
		suffix
		# EAP requests leave the section here; the rules below never see them.
		eap {
			ok = return
		}
		files
		-sql
		# Look the user up in the directory (AD reached over LDAP).
		ldap
		# If the ldap lookup returned ok/updated, a cleartext password (PAP)
		# was sent and no Auth-Type is set yet, authenticate by binding to the
		# directory as the user.
		# NOTE(review): nothing in this section inspects the State attribute,
		# so a second (OTP) round would be treated exactly like the first one.
		if ((ok || updated) && User-Password && !control:Auth-Type){
			update {
				control:Auth-Type := ldap
			}
		}
		expiration
		logintime
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type CHAP {
			chap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		mschap
		digest
		# Selected by the authorize rule above; rlm_ldap verifies the password
		# by binding as the user.
		Auth-Type LDAP {
			ldap
		}
		# NOTE(review): there is no "Auth-Type PAM { pam }" sub-section, so the
		# pam module (and with it pam_google_authenticator) is never executed
		# for any request.
		eap
	}
	preacct {
		preprocess
		acct_unique
		suffix
		files
	}
	accounting {
		detail
		unix
		-sql
		exec
		attr_filter.accounting_response
	}
	session {
	}
	post-auth {
		# BUG(review): this is where the OTP step was meant to happen, but it
		# cannot work as written:
		#  - Google-Password is not a standard RADIUS attribute and nothing in
		#    the posted files puts it into the request, so the first branch is
		#    not taken (and unless a local dictionary defines the attribute the
		#    server will not accept this config at all).
		#  - A bare "pam" inside an update section is not an attribute
		#    assignment; modules are invoked from sections such as
		#    authenticate, never from update {}.
		#  - No State attribute is ever set and no Access-Challenge is ever
		#    produced, so the NAS only receives the Access-Accept from the
		#    LDAP step - which matches the symptom on the page (no OTP prompt).
		# The author's own follow-up describes the fix: in authorize, if the
		# request carries State set control:Auth-Type := PAM (second round,
		# token check); otherwise run the LDAP authentication and, in
		# post-auth, return a State value together with
		# control:Response-Packet-Type := Access-Challenge so the NAS prompts
		# for the code.
		if (Google-Password) {
			update request {
				pam
			}
		}
		else {
			update reply {
				&Google-Password = "%{Google-Password}"
			}
		}
		# Copy anything stashed in session-state into the reply.
		update {
			&reply: += &session-state:
		}
		-sql
		exec
		remove_reply_message_if_eap
		Post-Auth-Type REJECT {
			-sql
			attr_filter.access_reject
			eap
			remove_reply_message_if_eap
		}
		# Runs when the reply is an Access-Challenge. Empty here, and nothing
		# above ever produces a challenge.
		Post-Auth-Type Challenge {
		}
	}
	pre-proxy {
	}
	post-proxy {
		eap
	}
}
/etc/raddb/clients.conf
# RADIUS client (NAS) definition for the Cisco ISE node.
client CISCO_ISE {
	ipaddr = 1.1.1.2
	# Accept both UDP and TCP from this client.
	proto = *
	# NOTE(review): "testing123" is the example secret shipped in the stock
	# FreeRADIUS clients.conf; replace it with a long random value agreed with
	# ISE before this is exposed to real traffic.
	secret = testing123
	# Message-Authenticator lets the server detect Access-Requests that were
	# not built with the shared secret (e.g. forged from a spoofed source
	# address). Set this to "yes" if ISE sends the attribute.
	require_message_authenticator = no
	nas_type = other
	# Per-client connection limits; these apply to the TCP transport.
	limit {
		max_connections = 16
		lifetime = 0
		idle_timeout = 30
	}
}
/etc/raddb/mods-config/files/authorize
# Stock hint entries from mods-config/files/authorize. They only add Framed-*
# reply items for PPP/SLIP dial-up users; no user entries and nothing related
# to the OTP flow live in this file. In this format the first line of an entry
# holds the check items and the indented lines that follow are reply items.
DEFAULT Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
	Framed-Protocol = SLIP
/etc/pam.d/radiusd
# PAM service "radiusd" (/etc/pam.d/radiusd), the stack rlm_pam runs against.
# The only module is pam_google_authenticator, so the whole PAM check is the
# TOTP code. NOTE(review): the module needs the code in cleartext, i.e. it can
# only be reached through PAP (User-Password); CHAP/MS-CHAP cannot be verified
# by it. forward_pass hands the non-code part of the entered string to the
# next PAM module, and there is none in this file - confirm the option is
# still wanted.
auth requisite pam_google_authenticator.so forward_pass
使用此配置,FreeRadius 服务器会要求输入用户名和密码,但在 Active Directory 身份验证成功后,服务器并不会要求输入一次性密码。
问题已解决。对于正在配置同样环境的人:您需要使用 state attribute(State 属性),它的作用类似于会话或 cookie。如果请求中带有 state attribute,就把身份验证方法改为 PAM,由它来检查令牌;否则,如果请求中没有 state attribute,说明这是第一次请求,需要通过 Active Directory 进行身份验证。
我一直在尝试让 VPN 用户使用 2FA(Google 身份验证器)进行身份验证。目前我有 Cisco ISE、FreeRadius 服务器和 Active Directory。我想要实现的是当用户连接到 VPN (Cisco ISE) 时,服务器从 Radius 服务器请求用户,然后 Radius 服务器从 Active Directory 验证用户。如果用户身份验证成功,FreeRadius 服务器必须向用户请求 OTP。我的配置是: /etc/raddb/sites-enabled/default
# FreeRADIUS 3 virtual server "default" (sites-enabled/default) as posted.
# Intended flow, per the page: first factor against Active Directory through
# rlm_ldap, then a second round asking the user for a Google Authenticator OTP.
server default {
	# Authentication listener bound to a single address. port = 0 selects the
	# server's default RADIUS authentication port.
	listen {
		type = auth
		ipaddr = 1.1.1.1
		port = 0
		# Connection limits; these apply to TCP transports.
		limit {
			max_connections = 16
			lifetime = 0
			idle_timeout = 30
		}
	}
	# Accounting listener is bound to every interface, unlike the auth listener
	# above. NOTE(review): confirm the asymmetry is intended.
	listen {
		ipaddr = *
		port = 0
		type = acct
	}
	# authorize: decide how the request will be authenticated.
	authorize {
		filter_username
		preprocess
		chap
		mschap
		digest
		suffix
		# EAP requests leave the section here; the rules below never see them.
		eap {
			ok = return
		}
		files
		-sql
		# Look the user up in the directory (AD reached over LDAP).
		ldap
		# If the ldap lookup returned ok/updated, a cleartext password (PAP)
		# was sent and no Auth-Type is set yet, authenticate by binding to the
		# directory as the user.
		# NOTE(review): nothing in this section inspects the State attribute,
		# so a second (OTP) round would be treated exactly like the first one.
		if ((ok || updated) && User-Password && !control:Auth-Type){
			update {
				control:Auth-Type := ldap
			}
		}
		expiration
		logintime
		pap
	}
	authenticate {
		Auth-Type PAP {
			pap
		}
		Auth-Type CHAP {
			chap
		}
		Auth-Type MS-CHAP {
			mschap
		}
		mschap
		digest
		# Selected by the authorize rule above; rlm_ldap verifies the password
		# by binding as the user.
		Auth-Type LDAP {
			ldap
		}
		# NOTE(review): there is no "Auth-Type PAM { pam }" sub-section, so the
		# pam module (and with it pam_google_authenticator) is never executed
		# for any request.
		eap
	}
	preacct {
		preprocess
		acct_unique
		suffix
		files
	}
	accounting {
		detail
		unix
		-sql
		exec
		attr_filter.accounting_response
	}
	session {
	}
	post-auth {
		# BUG(review): this is where the OTP step was meant to happen, but it
		# cannot work as written:
		#  - Google-Password is not a standard RADIUS attribute and nothing in
		#    the posted files puts it into the request, so the first branch is
		#    not taken (and unless a local dictionary defines the attribute the
		#    server will not accept this config at all).
		#  - A bare "pam" inside an update section is not an attribute
		#    assignment; modules are invoked from sections such as
		#    authenticate, never from update {}.
		#  - No State attribute is ever set and no Access-Challenge is ever
		#    produced, so the NAS only receives the Access-Accept from the
		#    LDAP step - which matches the symptom on the page (no OTP prompt).
		# The author's own follow-up describes the fix: in authorize, if the
		# request carries State set control:Auth-Type := PAM (second round,
		# token check); otherwise run the LDAP authentication and, in
		# post-auth, return a State value together with
		# control:Response-Packet-Type := Access-Challenge so the NAS prompts
		# for the code.
		if (Google-Password) {
			update request {
				pam
			}
		}
		else {
			update reply {
				&Google-Password = "%{Google-Password}"
			}
		}
		# Copy anything stashed in session-state into the reply.
		update {
			&reply: += &session-state:
		}
		-sql
		exec
		remove_reply_message_if_eap
		Post-Auth-Type REJECT {
			-sql
			attr_filter.access_reject
			eap
			remove_reply_message_if_eap
		}
		# Runs when the reply is an Access-Challenge. Empty here, and nothing
		# above ever produces a challenge.
		Post-Auth-Type Challenge {
		}
	}
	pre-proxy {
	}
	post-proxy {
		eap
	}
}
/etc/raddb/clients.conf
# RADIUS client (NAS) definition for the Cisco ISE node.
client CISCO_ISE {
	ipaddr = 1.1.1.2
	# Accept both UDP and TCP from this client.
	proto = *
	# NOTE(review): "testing123" is the example secret shipped in the stock
	# FreeRADIUS clients.conf; replace it with a long random value agreed with
	# ISE before this is exposed to real traffic.
	secret = testing123
	# Message-Authenticator lets the server detect Access-Requests that were
	# not built with the shared secret (e.g. forged from a spoofed source
	# address). Set this to "yes" if ISE sends the attribute.
	require_message_authenticator = no
	nas_type = other
	# Per-client connection limits; these apply to the TCP transport.
	limit {
		max_connections = 16
		lifetime = 0
		idle_timeout = 30
	}
}
/etc/raddb/mods-config/files/authorize
# Stock hint entries from mods-config/files/authorize. They only add Framed-*
# reply items for PPP/SLIP dial-up users; no user entries and nothing related
# to the OTP flow live in this file. In this format the first line of an entry
# holds the check items and the indented lines that follow are reply items.
DEFAULT Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
	Framed-Protocol = SLIP
/etc/pam.d/radiusd
# PAM service "radiusd" (/etc/pam.d/radiusd), the stack rlm_pam runs against.
# The only module is pam_google_authenticator, so the whole PAM check is the
# TOTP code. NOTE(review): the module needs the code in cleartext, i.e. it can
# only be reached through PAP (User-Password); CHAP/MS-CHAP cannot be verified
# by it. forward_pass hands the non-code part of the entered string to the
# next PAM module, and there is none in this file - confirm the option is
# still wanted.
auth requisite pam_google_authenticator.so forward_pass
使用此配置,FreeRadius 服务器会要求输入用户名和密码,但在 Active Directory 身份验证成功后,服务器并不会要求输入一次性密码。
问题已解决。对于那些正在配置确切设置的人,您需要使用 state attribute
与会话或 cookie 相同的东西。如果请求有 state attribute
,则将身份验证方法更改为 PAM,它将检查令牌。否则,如果请求没有 state attribute
那么这是第一次请求,您需要通过 Active Directory