Free Radius + Google Authenticator + MS AD, authentication issue

yayali2003
Hi there,

I'm setting up Free Radius + Google Authenticator + MS AD for our VPN access. It's working with AD account password + token, but it also authenticates with token only. Did I miss any configuration, or where should I look? Below is our current radiusd file config. Any comments are appreciated.

# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
#

# We fall back to the system default in /etc/pam.d/common-*
#

#@include common-auth
#@include common-account
#@include common-password
#@include common-session
auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass


I refer to the post linked below, but I'm not sure where to configure it to split the password and read the real password + Google token via PAM.
 
 http://freeradius.1045715.n5.nabble.com/Radius-with-Google-Authenticator-LDAP-td5751048.html


Yayali

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Free Radius + Google Authenticator + MS AD, authentication issue

Nathan Ward
Hi,

> On 11/01/2019, at 8:13 AM, yaya li <[hidden email]> wrote:
>
> Hi there,
>
> I'm setting up Free Radius + Google Authenticator + MS AD for our VPN access. It's working with AD account password + token, but it also authenticates with token only. Did I miss any configuration, or where should I look? Below is our current radiusd file config. Any comments are appreciated.
>
> # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
> #
>
> # We fall back to the system default in /etc/pam.d/common-*
> #
>
> #@include common-auth
> #@include common-account
> #@include common-password
> #@include common-session
> auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass

This is PAM configuration. PAM is a separate system. FreeRADIUS can use PAM to authenticate users, however, configuring PAM isn’t part of FreeRADIUS.

This PAM configuration is *only* checking the pam_google_authenticator module. It isn’t checking any other modules, such as AD.

Perhaps you have configured FreeRADIUS to check AD, and PAM, and accept either rather than requiring both?

How about you post your FreeRADIUS debug? Please see https://wiki.freeradius.org/guide/Users-Mailing-List

--
Nathan Ward


Re: Free Radius + Google Authenticator + MS AD, authentication issue

yayali2003
Thanks Nathan,

I fixed the issue by adding the line below in the radiusd file, so the system will check the account password first. Thanks again.

auth required pam_winbind.so use_first_pass

yayali
________________________________
From: Freeradius-Users <freeradius-users-bounces+yayali2003=[hidden email]> on behalf of Nathan Ward <[hidden email]>
Sent: January 11, 2019 0:51
To: FreeRadius users mailing list
Subject: Re: Free Radius + Google Authenticator + MS AD, authentication issue

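
Added example (not code from the thread or from the FreeRADIUS project): a small lint for a PAM service file that flags the situation discussed above, where pam_google_authenticator.so has forward_pass set but no enforcing module after it checks the forwarded password. The AFTER sample places the thread's pam_winbind line after the OTP line; that order is an assumption, since the final file is not shown in the thread.

```python
import os
import re

# type, control (plain word or [bracketed]), module path, arguments
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
OTP = "pam_google_authenticator.so"
ENFORCING = {"required", "requisite"}   # bracketed controls are not evaluated
READS_FORWARDED = {"use_first_pass", "try_first_pass"}

# The active lines of the file as posted in the thread.
BEFORE = """\
#@include common-auth
auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass
"""
# Constructed: the pam_winbind line from the thread, placed after the OTP line
# (assumed order; the thread does not show the final file).
AFTER = BEFORE + "auth required pam_winbind.so use_first_pass\n"


def auth_stack(text):
    """Return (control, module, args) for every active 'auth' line."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # also drops '#@include ...'
        m = PAM_LINE.match(line)
        if m and m.group(1) == "auth":
            stack.append((m.group(2), os.path.basename(m.group(3)),
                          m.group(4).split()))
    return stack


def lint(text):
    """Return findings when the OTP code alone satisfies the auth stack."""
    stack = auth_stack(text)
    findings = []
    for i, (_, mod, args) in enumerate(stack):
        if mod != OTP or "forward_pass" not in args:
            continue
        # forward_pass hands the password (minus the code) to later modules;
        # one of them must be enforcing and must read that forwarded value.
        checked = any(m != OTP and ctl in ENFORCING and READS_FORWARDED & set(a)
                      for ctl, m, a in stack[i + 1:])
        if not checked:
            findings.append("auth line %d: forward_pass set, but no required/"
                            "requisite module after it checks the password"
                            % (i + 1))
    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, lint(cfg) or "ok")
```

A password module marked "sufficient" is still reported, because its failure does not fail the stack once the requisite OTP line has succeeded.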