Freeradius + Active Directory + Google Authenticator

问题描述

我一直在尝试让 VPN 用户使用 2FA(Google 身份验证器)进行身份验证。目前我有思科 ISE、FreeRadius 服务器和 Active Directory。我想要实现的流程是:当用户连接到 VPN(思科 ISE)时,ISE 向 Radius 服务器发送该用户的认证请求,然后 Radius 服务器通过 Active Directory 验证该用户;如果用户成功通过身份验证,FreeRadius 服务器必须再向用户索取 OTP。我的配置是: /etc/raddb/sites-enabled/default

# Virtual server "default" as posted by the asker. As written, every request
# is authenticated against LDAP (Active Directory) only; the pam module is
# never executed anywhere in this file, which is why no OTP prompt appears.
server default {
    listen {
        type = auth
        # Authentication listener bound to a single address (placeholder in
        # the post); port = 0 means the default radius port.
        ipaddr = 1.1.1.1
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        # Accounting listener on all addresses.
        ipaddr = *
        port = 0
        type = acct
    }
    authorize {
        filter_username
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
            ok = return
        }
        files
        -sql
        ldap
        # Forces Auth-Type = ldap whenever a cleartext User-Password is present
        # and nothing earlier set Auth-Type. Nothing here inspects a State
        # attribute, so a second leg of a challenge/response exchange (the OTP
        # reply) would be treated exactly like a first-time request and sent
        # to Active Directory again instead of to pam.
        if ((ok || updated) && User-Password && !control:Auth-Type){
            update {
                control:Auth-Type := ldap
            }
        }
        expiration
        logintime
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
        digest
        Auth-Type LDAP {
            ldap
        }
        # There is no "Auth-Type PAM" sub-section, so even if authorize
        # selected PAM there would be nothing to run it.
        eap
    }
    preacct {
        preprocess
        acct_unique
        suffix
        files
    }
    accounting {
        detail
        unix
        -sql
        exec
        attr_filter.accounting_response
    }
    session {
    }
    post-auth {
        # Google-Password is not a standard RADIUS attribute; unless it is
        # declared in a local dictionary this block cannot reference it.
        if (Google-Password) {
            # "update request { pam }" is not a valid update statement: an
            # update block contains attribute assignments, not module calls,
            # so this does not invoke pam (expect a parse error at startup).
            update request {
                pam
            }
        }
        else {
            # Copies the request attribute into the reply. This only echoes a
            # value back; it does not turn the reply into an Access-Challenge.
            update reply {
                &Google-Password = "%{Google-Password}"
            }
        }
        update {
            &reply: += &session-state:
        }
        -sql
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
            -sql
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap
        }
        # Empty: no challenge is ever built here. The accepted answer relies
        # on a State attribute to distinguish the first (AD) leg from the
        # second (OTP) leg -- NOTE(review): that logic is not present in this
        # file; confirm the State handling is added before relying on it.
        Post-Auth-Type Challenge {
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}

/etc/raddb/clients.conf

# RADIUS client entry for the Cisco ISE NAS (address is a placeholder in the post).
client CISCO_ISE {
        ipaddr = 1.1.1.2
        # Accepts this client over both UDP and TCP.
        proto = *
        # "testing123" is the stock example secret from the shipped config;
        # it must be replaced with a long random shared secret, since the
        # secret is the only thing authenticating this NAS to the server.
        secret = testing123
        # Turning this off lets Access-Requests in without the
        # Message-Authenticator integrity check. Keep it at "yes" unless the
        # NAS genuinely cannot send the attribute.
        require_message_authenticator = no
        nas_type         = other
        # Per-client connection limits (apply to the TCP transport).
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}

/etc/raddb/mods-config/files/authorize

# Stock DEFAULT entries from the shipped users file: they only set
# Framed-Protocol / Framed-Compression reply attributes for PPP, CSLIP and
# SLIP hints. Nothing here participates in the AD or OTP decision.
DEFAULT Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
    Framed-Protocol = SLIP,
    Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
    Framed-Protocol = SLIP

/etc/pam.d/radiusd

# PAM stack used by the radiusd service (the "pam" module). "requisite" makes
# a failed OTP check end the stack immediately; "forward_pass" tells
# pam_google_authenticator to treat the supplied password as password+OTP,
# strip the OTP and pass the remainder to the next module. This stack is only
# consulted when FreeRADIUS actually calls the pam module, which the posted
# virtual server never does.
auth            requisite       pam_google_authenticator.so forward_pass

使用此配置,FreeRadius 服务器会要求输入用户名和密码,但在 AD(Active Directory)身份验证之后,服务器不会要求输入一次性密码。

标签: freeradius、one-time-password、google-authenticator

解决方案


解决了这个问题。对于正在配置相同设置的人:您需要使用 state attribute,它的作用类似于会话或 cookie。如果请求中已经带有 state attribute,就把身份验证方法改为 PAM,由它检查令牌;否则,如果请求中没有 state attribute,那么这就是第一次请求,您需要通过 Active Directory 进行身份验证。

