Getting 2FA set up in View can be a hard requirement, with many organisations opting to use the tried and tested RSA SecurID suite. However, with budgets tightening more and more, many of the paid-for solutions can end up chewing up a large chunk of your financials.
But it doesn't have to... the folks over at Google have created their own authenticator, called Google Authenticator. That, combined with PAM and FreeRADIUS, gives us a good alternative (IMHO).
I've broken the below into sections: Prepping the OS, Configuring Radius, Joining the Domain, OS Security Bits, and Generating the Key. All sections need to be completed.
NOTE: Before you copy and paste this into any production environment I strongly recommend you do your research into PAM, firewalls, and FreeRADIUS.
To begin we’ll need:
- Clean install of CentOS 7.X with a fully resolvable name.
- DNS configured (correctly)
- The Google Authenticator app installed on your phone.
Prepping the OS
- Update the OS and install the required packages
  - yum -y update
  - yum -y install epel-release
  - yum -y install freeradius freeradius-utils google-authenticator bind-utils realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools ntpdate ntp libvirt-client open-vm-tools rsync
- Enable NTP:
  - Edit /etc/ntp.conf and add your own NTP servers (you can replace *.centos.pool.ntp.org as required, or not).
  - systemctl enable ntpd
  - systemctl start ntpd
Configuring Radius
- Edit the radiusd configuration. Running radiusd as root (below) is a bit of a workaround; I would recommend using a dedicated radius account.
  - vi /etc/raddb/radiusd.conf
  - Comment out "user = radiusd" and "group = radiusd"
  - Under those lines add "user = root" and "group = root"
- Enable PAM as an authentication method
  - vi /etc/raddb/sites-enabled/default
  - Remove the # in front of pam
- Link the pam module into the enabled folder
  - ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam
  - chown -h root:radiusd /etc/raddb/mods-enabled/pam
- Add as many clients as needed. These are the different clients (servers) that need access to the 2FA. The following needs to be added above the localhost client section. In this example I'm adding the lab Connection Server.
  - vi /etc/raddb/clients.conf
  - client <connection01> {
        ipaddr = X.X.X.X
        secret = Secret
        require_message_authenticator = no
    }
- Change the default auth type in FreeRADIUS to PAM
  - vi /etc/raddb/users
  - Add DEFAULT Auth-Type := PAM right below
    DEFAULT Group == "disabled", Auth-Type := Reject
    Reply-Message = "Your account has been disabled."
Joining the Domain
- Join the domain (watch out for funky characters in the password).
  - echo '<password>' | realm join --user=<user>@<domain> <domain>
  - Example: echo 'password123' | realm join --user=cmaritz@port115.com port115.com
- Test the domain join
  - realm list. This prints the details of the domain relationship.
OS Security Bits
- Set the firewall settings
  - firewall-cmd --list-services --zone=public
  - firewall-cmd --permanent --zone=public --add-service=radius
  - firewall-cmd --reload
  - firewall-cmd --list-services --zone=public
- Edit PAM so radiusd checks Google Authenticator and AD
  - vi /etc/pam.d/radiusd
  - Comment out all the existing lines and add:
    auth required pam_google_authenticator.so forward_pass
    account required pam_permit.so
    account required pam_sss.so audit
Generating the key
- Switch to the AD user that needs a key
  - su - <user>@<domain.com>
- Run google-authenticator and press Enter.
- When prompted "Do you want authentication tokens to be time-based (y/n)", type y and press Enter.
- When the QR code pops up, open the Google Authenticator app on your phone and scan it. This creates a new authenticator entry in the app with a 6-digit number on your phone that changes every 30 seconds.
- Back in the bash window, when asked to update your .google_authenticator file, type y and press Enter.
- Type y to disallow multiple uses of the same token and press Enter.
- Depending on your security requirements, you may or may not want to allow for time skew. If you do, the authenticator PAM module will also accept the token before and after the current one. If you choose n, make sure your NTP settings are working well.
- When asked if you want to enable rate limiting, type y and press Enter (this is good practice; you don't want somebody trying to brute-force your key).
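As an added example (not code from the post or from the google-authenticator project), the following Python models what pam_google_authenticator does with the key file generated above and with the forward_pass option in the radiusd PAM stack: it parses a constructed ~/.google_authenticator file, checks a 6-digit TOTP against the WINDOW_SIZE that the time-skew question sets, and returns the remainder of the combined password that forward_pass hands to the next auth module. The seed (the RFC 6238 test key) and the scratch codes are constructed sample values.

```python
import base64, hashlib, hmac, struct

# Constructed sample of ~/.google_authenticator as the google-authenticator
# CLI writes it: line 1 is the base32 seed (here the RFC 6238 test key),
# lines starting with '" ' are options, remaining lines are scratch codes.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
12345678
87654321
"""

def parse_ga_file(text):
    """Return the seed, the WINDOW_SIZE option and the scratch codes."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    cfg = {"secret": lines[0], "window": 1, "scratch": []}
    for line in lines[1:]:
        if line.startswith('" '):
            opt = line[2:].split()
            if opt[0] == "WINDOW_SIZE":
                cfg["window"] = int(opt[1])
        else:
            cfg["scratch"].append(line)
    return cfg

def totp(secret_b32, counter):
    """RFC 6238 TOTP: 6 digits, HMAC-SHA1, the same code the phone app shows."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1000000)

def verify_code(cfg, code, now):
    """Accept the code for any of WINDOW_SIZE consecutive 30 s steps centred
    on now; WINDOW_SIZE 1 (no skew allowed) means the current step only."""
    centre, half = int(now) // 30, cfg["window"] // 2
    return any(hmac.compare_digest(totp(cfg["secret"], c), code)
               for c in range(centre - half, centre + half + 1))

def check_forward_pass(cfg, combined, now):
    """Model forward_pass: split off the trailing 6-digit code, verify it and
    return the remaining password, which PAM hands to the NEXT auth module.
    Nothing here checks that remainder against AD; a later module must."""
    if len(combined) < 7 or not combined[-6:].isdigit():
        return None
    password, code = combined[:-6], combined[-6:]
    return password if verify_code(cfg, code, now) else None
```

The returned remainder is only useful if another auth module (such as pam_sss with use_first_pass) actually validates it; with pam_google_authenticator as the sole auth line, the AD password is never checked.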
Part 2 will look at pointing your UAG (or Connection Broker) at the RADIUS server and a couple of troubleshooting tips.
I had to use the following to join the domain
echo 'password' | join -U user domain.com
Great post, thank you
I had to disable SELinux in order to make it work (otherwise it doesn't allow reading /home/%u/.google_authenticator), plus in the OS Security Bits PAM part I had to add something like this:
auth requisite pam_google_authenticator.so forward_pass
auth requisite pam_sss.so use_first_pass
…
The line for sss is to make PAM actually check the AD password. I suddenly discovered that without it radiusd allowed me to log in with a wrong AD password; it checked only the TOTP.
If you can protect Horizon View with Google Authenticator, then you could also use the seed data in a programmable hardware token as a physical alternative to having to use a mobile phone (battery issues, signal, etc.).