FreeRADIUS two-factor authentication


Two-factor authentication is a common authentication requirement. How do you configure it in FreeRADIUS? This article presents a configuration in which FreeRADIUS checks the user's password against an LDAP directory server and the OTP code against an OTP server, combining the two into a two-factor login.

RADIUS defines an interactive protocol for multi-step authentication:

1. Access-Request: first authentication

2. Access-Challenge: the first authentication passed; further authentication is requested

3. Access-Request: second authentication

4. Access-Accept: the second authentication passed

Based on this we define the 2FA process as follows.

The client sends the first Access-Request, carrying the username and password.

The server authenticates them via the LDAP module; if that succeeds, it returns an Access-Challenge carrying a session-tracking State attribute.

The client sends a second Access-Request, carrying the username, the OTP code and the State returned in the first round.

The server checks the State and validates the code via the OTP module; if that succeeds, it returns Access-Accept.

An error at any of the above steps, or a failed check, returns Access-Reject.
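As an added example (not code from the original article), the two-round exchange above modelled in Python: `handle_access_request` makes the same decisions as the server does in each round, and `client_login` plays the client. The directory entries, the OTP codes and the choice to carry the OTP code in User-Password on the second round are constructed assumptions. The point it shows beyond the prose is what a real State check has to enforce: the token is random, bound to the user it was issued to, single-use, and short-lived, so a challenge issued to one session cannot be completed by another.

```python
# Added example: in-process model of the RADIUS 2FA challenge flow.
# Not FreeRADIUS code; directory and OTP data are constructed sample values.
import secrets
import time

# RFC 2865 packet codes
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

DIRECTORY = {"alice": "correct horse"}   # stands in for the LDAP bind (constructed)
OTP_CODES = {"alice": "482913"}          # stands in for the OTP server (constructed)

STATE_TTL = 60.0   # seconds a challenge stays answerable
_pending = {}      # State token -> (user it was issued to, expiry time)


def check_password(user, password):
    """First factor: what the ldap module's bind decides in the real server."""
    expected = DIRECTORY.get(user)
    return expected is not None and secrets.compare_digest(expected, password)


def check_otp(user, code):
    """Second factor: what the otp_auth module decides in the real server."""
    expected = OTP_CODES.get(user)
    return expected is not None and secrets.compare_digest(expected, code)


def handle_access_request(attrs, now=None):
    """Return (packet code, reply attributes) for one Access-Request,
    mirroring the authorize/authenticate decisions of the configuration."""
    now = time.time() if now is None else now
    user = attrs.get("User-Name")
    state = attrs.get("State")
    if user is None:
        return ACCESS_REJECT, {}
    if state is None:
        # Round 1: no State yet, so this must be the password round.
        if not check_password(user, attrs.get("User-Password", "")):
            return ACCESS_REJECT, {}
        token = secrets.token_hex(16)            # unguessable session token
        _pending[token] = (user, now + STATE_TTL)
        return ACCESS_CHALLENGE, {"State": token, "Reply-Message": "Please enter OTP"}
    # Round 2: the State must be one we issued, to this user, and still fresh.
    # pop() consumes it whatever the outcome, so it is single-use.
    issued = _pending.pop(state, None)
    if issued is None or issued[0] != user or now > issued[1]:
        return ACCESS_REJECT, {}
    if not check_otp(user, attrs.get("User-Password", "")):
        return ACCESS_REJECT, {}
    return ACCESS_ACCEPT, {}


def client_login(user, password, otp):
    """Client side: two Access-Requests, echoing the State from the challenge."""
    code, reply = handle_access_request({"User-Name": user, "User-Password": password})
    if code != ACCESS_CHALLENGE:
        return code
    code, _ = handle_access_request(
        {"User-Name": user, "User-Password": otp, "State": reply["State"]})
    return code


if __name__ == "__main__":
    print("accept" if client_login("alice", "correct horse", "482913") == ACCESS_ACCEPT else "reject")
```

The `now` parameter only exists so the expiry path can be exercised deterministically; the server itself would use the wall clock.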

Following this procedure, the FreeRADIUS server side is configured as follows.

/etc/raddb/sites-available/default

authorize {
    if (!State) {
        # First round: no State yet, so a password must be present.
        if (&User-Password) {
            update control {
                Auth-Type := ldap
            }
        }
        else {
            reject
        }
    }
    else {
        # Second round: the client echoed the State from the challenge.
        # TODO: Check State.
        update control {
            # OTP Auth, python script based.
            Auth-Type := otp_auth
        }
    }
}

authenticate {
    Auth-Type ldap {
        # ldap authentication
        ldap
        if (ok) {
            update reply {
                # session tracking token the client must echo in the second request
                State := "%"
                Reply-Message := "Please enter OTP"
            }
            update control {
                Response-Packet-Type := Access-Challenge
            }
        }
    }

    Auth-Type otp_auth {
        otp_auth
    }
}

Configuration of the ldap module

/etc/raddb/modules-available/ldap:

ldap {
    server = 'IP of openldap Server'
    # Other user binding settings.
}

Configuration of the otp_auth module. The default installation has no otp_auth module: we either develop such a module ourselves, or implement the functionality in a perl or python script loaded through the perl or python module.

Documentation for the perl module

http://networkradius.com/doc/current/raddb/mods-available/perl.html

The key setting is to point the module at the perl script we are developing:

/etc/raddb/modules-available/perl

perl {
    module =
}

Documentation for python modules

https://wiki.freeradius.org/modules/Rlm_python
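An added example of the otp_auth backend written as a python module for this article; it is not code from the article or from FreeRADIUS. It verifies an RFC 6238 TOTP code and assumes rlm_python's calling convention: an `authenticate(p)` function that receives the request attributes as a tuple of (name, value) pairs and returns an `RLM_MODULE_*` code, with the `radiusd` module supplied by the server (a fallback with the same numeric values is used when the file is run outside FreeRADIUS). It also assumes the client sends the OTP code in User-Password on the second round, and it uses a constructed local dictionary of user secrets (the RFC 6238 test seed) where a real deployment would query the OTP server the article refers to. The replay check, which refuses a time step that has already been accepted for the user, is the part a practitioner most often forgets.

```python
# Added example: rlm_python OTP backend for Auth-Type otp_auth (RFC 6238 TOTP).
# Not part of the original article. Secrets and user names are constructed.
import hashlib
import hmac
import struct
import time

try:
    import radiusd  # provided by rlm_python inside the server
    RLM_OK, RLM_REJECT = radiusd.RLM_MODULE_OK, radiusd.RLM_MODULE_REJECT
except ImportError:  # offline fallback: same numeric values rlm_python uses
    RLM_REJECT, RLM_OK = 0, 2

TOTP_STEP = 30     # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6
TOTP_WINDOW = 1    # accept one step of clock skew on either side

# Constructed sample data; the seed is the RFC 6238 test secret.
USER_SECRETS = {"alice": b"12345678901234567890"}

# Last accepted time step per user, so a code cannot be replayed inside its window.
_last_step_used = {}


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(user, code, now=None):
    """Return the matching time step if `code` is valid for `user`, else None.
    A step already accepted for this user is never accepted again (replay)."""
    secret = USER_SECRETS.get(user)
    if secret is None or not code.isdigit() or len(code) != TOTP_DIGITS:
        return None
    step = int((time.time() if now is None else now) // TOTP_STEP)
    for candidate in range(step - TOTP_WINDOW, step + TOTP_WINDOW + 1):
        if candidate <= _last_step_used.get(user, -1):
            continue  # this step (or an older one) was already consumed
        if hmac.compare_digest(hotp(secret, candidate), code):
            _last_step_used[user] = candidate
            return candidate
    return None


def _attrs(p):
    """rlm_python hands request attributes over as a tuple of (name, value) pairs."""
    return {name: value for name, value in p}


def authenticate(p, now=None):
    """Entry point rlm_python calls for Auth-Type otp_auth.
    Only meaningful on the second round: State present, User-Password = OTP code.
    `now` is an assumption added for offline testing; the server passes only p."""
    attrs = _attrs(p)
    user = attrs.get("User-Name")
    code = attrs.get("User-Password", "")
    if not user or "State" not in attrs:
        return RLM_REJECT  # not the second round of the challenge flow
    if verify_totp(user, code, now=now) is None:
        return RLM_REJECT
    return RLM_OK
```

The `State` check here is only a presence check; binding the token to the user and making it single-use belongs with the TODO in the authorize section, since that is where the server first sees the second request.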

In addition, readers familiar with Apache or Nginx will find the configuration structure of FreeRADIUS similar. The expressiveness FreeRADIUS provides for request processing comes from unlang: unlang is compatible with the configuration syntax and adds the ability to express simple logic. The reference documentation for unlang is at

networkradius.com/doc/current/unlang/home.html

Additional references:

wiki.freeradius.org/config/Configuration-files

wiki.freeradius.org/config/Virtual-server

wiki.freeradius.org/config/Sites-configuration

wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy

wiki.freeradius.org/contributing/Modules3

networkradius.com/doc/current/index.html

networkradius.com/doc/current/unlang/home.html
