FreeRADIUS with Google Authenticator
First - Enable the root account. pam_google_authenticator has to read each user's ~/.google_authenticator, which only that user (or root) can read, so this guide runs the FreeRADIUS daemon as root and the remaining steps are typed at a root shell. Keep in mind what that buys an attacker: any bug in FreeRADIUS becomes a bug in a root process. The module's secret= and user= options, which let a dedicated unprivileged account own the secret files, are the usual way to avoid running the daemon as root once the setup works.
#sudo passwd root
#sudo passwd -u root
Install Prerequisites
ntp is not optional here: TOTP codes are derived from the clock, so with the default verification window a server more than about a minute out of sync will reject every code.
#apt-get update
#apt-get install autotools-dev
#apt-get install autoconf
#apt-get install libtool
#apt-get install ntp
#apt-get install build-essential libpam0g-dev freeradius git libqrencode3
Install the Google Authenticator libpam. make install places the module at /usr/local/lib/security/pam_google_authenticator.so, which is the path used in the PAM configuration below.
#git clone https://github.com/google/google-authenticator-libpam.git
#cd google-authenticator-libpam/
#./bootstrap.sh
#./configure
#make
#make install
Configure FreeRADIUS
Edit /etc/freeradius/radiusd.conf (in FreeRADIUS 3.x the settings sit inside the security { } block) and change the user and group the daemon drops privileges to from freerad to root:
# for some finer-grained access controls.
#
user = root
group = root
# panic_action: Command to execute if the server dies unexpectedly.
#
Create a group called radius-disabled. To deny a user RADIUS access, add them to this group; the Unix account itself does not need to be locked.
#addgroup radius-disabled
Edit /etc/freeradius/users so that members of that group are rejected and everyone else is authenticated through PAM. Entries are matched in order and the first matching entry wins, so the Reject entry must come before the PAM DEFAULT, and the Reply-Message reply item on the following line must be indented with a tab. The Group check is evaluated by the unix module, which the default site already lists in authorize.
DEFAULT Group == "radius-disabled", Auth-Type := Reject
	Reply-Message = "Your account has been disabled."

DEFAULT Auth-Type := PAM
Enable PAM in /etc/freeradius/sites-enabled/default. In the authenticate section, locate the line with 'pam' and uncomment it:
#
# Pluggable Authentication Modules.
pam
#
Configure FreeRADIUS to use Google Authenticator. The pam module hands the request to the PAM service named radiusd, so the file to edit is /etc/pam.d/radiusd (not /etc/pam.d/radius). Make pam_google_authenticator the only auth module:
#
# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
#
# We fall back to the system default in /etc/pam.d/common-*
#
#@include common-auth
#@include common-account
#@include common-password
#@include common-session
auth required /usr/local/lib/security/pam_google_authenticator.so
Two consequences of this stack are easy to miss. First, with common-auth commented out the only credential checked is the six-digit code: the RADIUS User-Password is the OTP and the user's Unix password is never verified, so this is OTP-only, not password plus OTP. If you want both, keep the common-auth include and add the module's forward_pass option, which lets the user enter password followed by code in one field and forwards the password part to the next module. Second, "required" without the nullok option means a user who has not yet run google-authenticator (no ~/.google_authenticator file) is rejected rather than let through.
Test Google Authenticator and FreeRADIUS. Create a test user in Linux, then run google-authenticator as that user so the secret file is created in its home directory with the right owner and permissions.
#adduser test
ENTER AND CONFIRM PASSWORD
#su test
ENTER THE PASSWORD
%google-authenticator
Do you want authentication tokens to be time-based (y/n) y
Your new secret key is: XQH7L6A7W6OK3JYS
Your verification code is 158428
Your emergency scratch codes are:
60469537
95985887
80580778
52386153
52951956
Do you want me to update your "/home/test/.google_authenticator" file (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n) y
Test your Configuration
service freeradius restart
Use radtest to send an Access-Request to the server (on Debian/Ubuntu it ships in the freeradius-utils package). Its arguments are, in order: user, password, server, NAS-Port number, shared secret:
radtest <user> <password> localhost 18120 testing123
testing123 is the default secret for the localhost client, defined in /etc/freeradius/clients.conf. It is fine for loopback tests but must be changed before any real NAS is pointed at this server. With the PAM stack above the password is the current six-digit code from the authenticator app, so 123456 below stands for whatever the app shows at that moment:
radtest test 123456 localhost 18120 testing123
If it works right, you should get something like this:
# radtest test 123456 localhost 18120 testing123
Sending Access-Request of id 154 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "123456"
NAS-IP-Address = 127.0.1.1
NAS-Port = 18120
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=154, length=20
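Testing by hand means typing a code from the phone inside its 30-second window, which gets old quickly. As an added example (not code from this page or from the google-authenticator project), the Python script below reads a .google_authenticator file in the layout the google-authenticator tool writes (base32 secret on the first line, option lines beginning with a double quote and a space, then the scratch codes), computes the RFC 6238 code the server expects right now, and builds the radtest command shown above. The file contents are a constructed sample that reuses the secret and scratch codes from the google-authenticator run above; radtest, the NAS-Port 18120 and the testing123 secret come from this page, and the script assumes radtest is on the PATH and the server is running when it is executed as a program.

```python
"""Generate the current TOTP for a google-authenticator secret and build the
radtest command from the tutorial, so the FreeRADIUS -> PAM chain can be
exercised without a phone.

Added example, not part of the original page or of google-authenticator-libpam.
Assumes the ~/.google_authenticator layout the google-authenticator tool writes:
first line base32 secret, option lines starting with '" ', then scratch codes.
"""
import base64
import hashlib
import hmac
import struct
import subprocess
import time

# Constructed sample in the layout google-authenticator writes, reusing the secret
# and scratch codes from the tutorial's run (WINDOW_SIZE 3 and RATE_LIMIT 3 30 are
# the values the tool stores for the answers given there).
SAMPLE_FILE = """XQH7L6A7W6OK3JYS
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
60469537
95985887
80580778
52386153
52951956
"""


def parse_secret_file(text):
    """Split a .google_authenticator file into (base32 secret, options, scratch codes)."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    secret = lines[0]
    options = [line[2:] for line in lines[1:] if line.startswith('" ')]
    scratch = [line for line in lines[1:] if line.isdigit()]
    return secret, options, scratch


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, binary % (10 ** digits))


def totp(secret_b32, unix_time, step=30):
    """RFC 6238 TOTP as used by the time-based mode chosen in the tutorial:
    HOTP with counter = floor(unix_time / 30)."""
    return hotp(secret_b32, int(unix_time) // step)


def accepted_codes(secret_b32, unix_time, window_size=3, step=30):
    """Codes pam_google_authenticator accepts for the stored WINDOW_SIZE: the
    current step plus (window_size - 1) / 2 steps on either side, so the default
    of 3 gives the 1:30 min window the tool describes."""
    centre = int(unix_time) // step
    half = (window_size - 1) // 2
    return [hotp(secret_b32, centre + i) for i in range(-half, half + 1)]


def radtest_command(user, secret_b32, unix_time=None, shared_secret="testing123"):
    """Build the tutorial's radtest invocation with the live OTP as the password.
    The PAM stack on this page checks only the OTP, so no Unix password is sent."""
    if unix_time is None:
        unix_time = time.time()
    return ["radtest", user, totp(secret_b32, unix_time), "localhost", "18120", shared_secret]


if __name__ == "__main__":
    secret, options, scratch = parse_secret_file(SAMPLE_FILE)
    print("options:", options, "scratch codes left:", len(scratch))
    cmd = radtest_command("test", secret)
    print(" ".join(cmd))
    # Needs radtest (freeradius-utils) and a running FreeRADIUS: assumed, not shown on the page.
    subprocess.run(cmd)
```

Because the google-authenticator run above answered yes to disallowing reuse, the server accepts each code once per 30-second step: a second radtest with the same code is rejected even though the code is still inside the window, so wait for the next step before retrying. accepted_codes() mirrors the stored WINDOW_SIZE of 3 (one step either side), which is also why a clock skew of much more than 30 seconds makes every code fail.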
Debugging
If the test is rejected, stop the service and run the server in the foreground with full debugging, which prints each module's verdict for the request and makes it obvious whether the users file or the pam module rejected it:
service freeradius stop
freeradius -XXX
Debug output, like the radtest output above, prints User-Password in clear text, so do not leave it running in production or paste it anywhere while it contains a live code or a real password.