
2.5F Authentication

Hi! Congratulations to everyone involved on Information Security Specialist's Day :)



I want to share my experience setting up 2.5-factor authentication for remote users. Why 2.5? I think you will understand from the content, if you count against the model "1. Something I know. 2. Something I have. 3. Something I am." If you are interested, read on!



I tried to sketch what needs to be done in the following diagram:






In short: a remote user has an eToken (Aladdin), an Active Directory account that is a member of a specific group, and a one-time password from the Google Authenticator mobile application. With these, he needs to connect successfully to some service.



On Habr there is an article that describes the main points of how to configure Cisco ASA, AnyConnect, Google Authenticator and FreeRADIUS. I see no point in duplicating it; my setup is almost the same, except for the following.



I recommend installing the RADIUS server utilities as well, so that you can test with the radtest command and run the server in debug mode with radiusd -X:



yum install freeradius freeradius-utils 


From my experience of the errors that come up, it was more convenient to configure things in the following order:



  1. RADIUS
  2. Google Authenticator
  3. SSSD
  4. PAM
  5. Cisco


But as usual, not everything is so simple and in order. On GitHub the Google components we need are split up: "The pluggable authentication module (PAM) is in a separate project." During installation various kinds of errors can occur; here you have to read the documentation and install the developer tools and libraries that are needed (gcc, libqrencode, etc.).



Now for what did not work out for the author of the article cited above (or maybe it did, but he decided not to write about it).



To be able to use accounts from AD, you must install SSSD and its components:



 yum install sssd realmd adcli 


Next, add the RADIUS server to the domain:



 realm join _ 


We allow access to users from a predefined group in AD:



 realm permit -g ___AD 


At this stage there may be a problem with the domain name: the top-level part (.ru, .net, .test, etc.) may not be resolved, so your domain name may turn out incomplete. This affects both the authentication process and the RADIUS server configuration.



In my case it looked like username@domain, where domain was only the second-level name. What does this lead to? You simply cannot authenticate successfully unless you comment out the following lines in the /etc/raddb/policy.d/filter file:



 # if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
 #     update reply {
 #         &Reply-Message += "Rejected: Realm does not have at least one dot separator"
 #     }
 #     reject
 # }


Otherwise, the user name you entered will be filtered out as malformed. To create the Google Authenticator secret for a domain user, run the following:



 su - domain_user@domain -c google-authenticator 


This user must be a member of the group we specified above with the realm permit command.



At this stage, too, there are problems: the security mechanisms will not allow a home directory to be created for the new user. This directory is required for the ~/.google_authenticator file, which holds the secret key and the emergency scratch codes for each user.



To fix this, switch SELinux to permissive mode (note that setenforce only changes the running mode; it does not persist across a reboot):



 setenforce permissive 


Next, open /etc/pam.d/radiusd and write the following config:



 #%PAM-1.0
 auth      requisite  pam_google_authenticator.so forward_pass
 auth      required   pam_sss.so use_first_pass
 account   required   pam_nologin.so
 account   include    password-auth
 session   include    password-auth


Do not forget about NTP and synchronize the time, otherwise one-time passwords will not work and /var/log/secure will contain the message "invalid code".
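As an added illustration (not code from the original post), here is a small Python simulation of what the PAM stack above does with forward_pass and use_first_pass: the last six digits of the typed password are treated as the TOTP code and checked against the secret in ~/.google_authenticator, and only then is the remainder forwarded as the AD password. The file contents, the clock values and the ad_check callback are constructed; the secret is the RFC 6238 test key, not a real user's.

```python
import base64, hashlib, hmac, struct

# Constructed sample of a ~/.google_authenticator file as the google-authenticator
# tool writes it: base32 secret, option lines starting with '"', then scratch codes.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" TOTP_AUTH
12345678
"""

def parse_secret_file(text):
    """Return (base32 secret, window size) from the file contents."""
    lines = text.splitlines()
    window = 3  # libpam default when WINDOW_SIZE is absent
    for line in lines[1:]:
        if line.startswith('" WINDOW_SIZE'):
            window = int(line.split()[2])
    return lines[0].strip(), window

def totp(secret_b32, step, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30 s steps) for a given time-step counter."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)

def verify_code(secret_b32, code, now, window):
    """Accept the code for the current step and (window - 1) / 2 steps either side."""
    step = int(now) // 30
    half = (window - 1) // 2
    return any(hmac.compare_digest(totp(secret_b32, step + d), code)
               for d in range(-half, half + 1))

def split_forward_pass(typed):
    """forward_pass: the last six digits are the OTP, the rest is the AD password."""
    if len(typed) <= 6 or not typed[-6:].isdigit():
        return None, None
    return typed[:-6], typed[-6:]

def authenticate(typed, file_text, now, ad_check):
    """Same order as the PAM stack: OTP first (requisite), then AD via use_first_pass."""
    secret, window = parse_secret_file(file_text)
    ad_password, otp = split_forward_pass(typed)
    if otp is None or not verify_code(secret, otp, now, window):
        return "invalid code"  # the message that ends up in /var/log/secure
    return "ok" if ad_check(ad_password) else "ad password rejected"
```

A clock more than one step (30 s) off the phone's falls outside the window and produces exactly the "invalid code" result, which is why the NTP step matters.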



When everything is ready you can test:



  1. After starting AnyConnect, the eToken PKI Client window appears.
  2. Choose your certificate and enter the password for the container - factor 1.
  3. Next, enter the credentials of the AD user (login + password) - factor 2.
  4. Append the code from the application on the phone to the password (without spaces) - factor 0.5.


2.5-factor authentication is ready. If I have forgotten something and it did not work for you, write in the comments and I will try to help :)

Source: https://habr.com/ru/post/316546/


