
Freeradius + Active Directory + Google Authenticator


I'm trying to make VPN users authenticate with 2FA (Google Authenticator). The components are Cisco ISE, a FreeRADIUS server and Active Directory. The intended flow: when a user connects to the VPN, Cisco ISE forwards the request to the RADIUS server, which authenticates the user against Active Directory; only if that succeeds should FreeRADIUS then ask the user for a one-time password. My configuration is: /etc/raddb/sites-enabled/default

#
#  Virtual server that Cisco ISE forwards the VPN authentications to.
#  The intended flow is an AD check (LDAP bind) first, then a second
#  round trip that asks the user for a Google Authenticator code.  As
#  written, the second step never happens -- see the comments in the
#  authorize and post-auth sections below.
#
server default {
    listen {
        type = auth
        ipaddr = 1.1.1.1
        #  port = 0 selects the default port for this listener type.
        port = 0
        limit {
            max_connections = 16
            lifetime = 0
            idle_timeout = 30
        }
    }
    listen {
        #  Accounting binds every interface while auth binds a single
        #  address; binding both to the same interface keeps the listener
        #  reachable only from the ISE side.
        ipaddr = *
        port = 0
        type = acct
    }
    authorize {
        filter_username
        preprocess
        chap
        mschap
        digest
        suffix
        eap {
            ok = return
        }
        files
        -sql
        ldap
        #
        #  Auth-Type is chosen here on *every* request and nothing looks
        #  at &State, so a second round trip (which should carry the OTP
        #  as User-Password) would also be sent to an LDAP bind and fail.
        #  The accepted answer below is to branch on the State attribute:
        #  `if (&State)` -> `control:Auth-Type := PAM` (check the token),
        #  else run ldap and set Auth-Type := ldap as done here.
        #
        #  The LDAP bind needs the cleartext User-Password, so ISE must use
        #  PAP towards this server; make sure the ldap module talks
        #  LDAPS/StartTLS to the domain controllers so that password is
        #  not relayed in the clear.
        #
        if ((ok || updated) && User-Password && !control:Auth-Type){
            update {
                control:Auth-Type := ldap
            }
        }
        expiration
        logintime
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        mschap
        digest
        Auth-Type LDAP {
            ldap
        }
        #
        #  There is no `Auth-Type PAM { pam }` sub-section, so even if
        #  authorize selected PAM the token could not be verified here
        #  (rlm_pam also has to be enabled under mods-enabled/).
        #
        eap
    }
    preacct {
        preprocess
        acct_unique
        suffix
        files
    }
    accounting {
        detail
        unix
        -sql
        exec
        attr_filter.accounting_response
    }
    session {
    }
    post-auth {
        #
        #  This is where the OTP prompt was meant to be produced, and it
        #  is why the OTP is never asked for:
        #
        #  * `Google-Password` is not a standard RADIUS attribute and no
        #    dictionary on this page defines it.
        #  * `update request { pam }` does not call rlm_pam: `update`
        #    blocks take `attribute op value` lines, and a module is
        #    invoked from the authenticate section instead.
        #  * Nothing sets &State or turns the reply into an
        #    Access-Challenge, so the first successful AD bind returns
        #    Access-Accept and the exchange ends there.
        #
        if (Google-Password) {
            update request {
                pam
            }
        }
        else {
            #  With Google-Password unset this expands to an empty string.
            update reply {
                &Google-Password = "%{Google-Password}"
            }
        }
        update {
            &reply: += &session-state:
        }
        -sql
        exec
        remove_reply_message_if_eap
        Post-Auth-Type REJECT {
            -sql
            attr_filter.access_reject
            eap
            remove_reply_message_if_eap
        }
        #  Runs only when an Access-Challenge is sent; nothing above sends one.
        Post-Auth-Type Challenge {
        }
    }
    pre-proxy {
    }
    post-proxy {
        eap
    }
}

/etc/raddb/clients.conf

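#
#  RADIUS client definition for the Cisco ISE node that forwards the VPN
#  Access-Requests to this server.
#
client CISCO_ISE {
        ipaddr = 1.1.1.2
        proto = *
        #
        #  "testing123" is the secret shipped with the FreeRADIUS sample
        #  configuration and is the first value any attacker will try.
        #  Replace it with a long random secret and configure the same
        #  value on the ISE side.
        #
        secret = testing123
        #
        #  Require Message-Authenticator on every Access-Request from this
        #  client.  The HMAC covers the whole request, so an attacker on
        #  the path between ISE and this server cannot alter the request
        #  to forge an Access-Accept (Blast-RADIUS, CVE-2024-3596).
        #  Only relax this if the ISE build in use is confirmed not to
        #  send the attribute.
        #
        require_message_authenticator = yes
        nas_type         = other
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}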

/etc/raddb/mods-config/files/authorize

#
#  These three entries are the stock dial-up hints from the shipped
#  `authorize` file.  They only add Framed-* reply attributes for PPP/SLIP
#  sessions and play no part in the AD or OTP path described on this page.
#
DEFAULT Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
    Framed-Protocol = SLIP,
    Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
    Framed-Protocol = SLIP

/etc/pam.d/radiusd

#  PAM stack used by rlm_pam for the "radiusd" service.  The only module is
#  the Google Authenticator verifier; `requisite` means a wrong code fails
#  the stack immediately.
#
#  NOTE(review): pam_google_authenticator reads a per-user secret file
#  (~/.google_authenticator by default), so the AD user must resolve to a
#  local account whose secret radiusd can read, or the module needs its
#  `user=`/`secret=` options -- confirm this for an unprivileged radiusd.
#  `forward_pass` presumably only matters when another PAM module follows
#  this one and should receive the remainder of the password; verify.
auth            requisite       pam_google_authenticator.so forward_pass

With this configuration FreeRADIUS asks for the username and password, but after the AD authentication succeeds the server never asks for the one-time password.


Solution

  • Solved the issue. For anyone building the same setup: use the State attribute the way a session cookie is used. If the incoming request carries a State attribute, it is the second round trip, so switch the authentication method to PAM, which verifies the token; if it has no State attribute, it is the first request and must be authenticated against Active Directory. (FreeRADIUS only sees a State on the second request because it put one into the Access-Challenge it returned after the AD check succeeded, together with a Reply-Message prompting for the token.)