Background
Many organizations have invested in multi-factor authentication solutions that work with the Remote Authentication Dial In User Service (RADIUS) protocol and they would like to re-use their investments with Centrify Identity Service and Centrify Privilege Service.
Earlier this year, as part of the MFA Everywhere initiative, Centrify added RADIUS server capabilities to the Identity Platform so it can provide MFA to systems that act as RADIUS clients (e.g. VPN gateways).
With the 16.8 monthly release, Centrify is adding the ability for the Identity Platform to act as a RADIUS client. This opens the door for CIS and CPS users to build authentication profiles around MFA products that support RADIUS (e.g. RSA, Symantec, CA, Vasco, etc.).
This lab will allow you to set up a Linux server to act as your AD-integrated OTP+RADIUS server. Then we'll configure CIS/CPS to act as a RADIUS client and support it as an additional MFA option.
This is a lab entry. Production designs require planning for people, process and technology.
RSA SecurID, Symantec VIP, Vasco, YubiKey, Google Authenticator, FreeRADIUS and CentOS are registered trademarks of their respective owners.
The proposed lab looks as follows:
The lab uses the following components:
Identity Service or Privilege Service (can be the on-premises version of CPS too)
Cloud connector: enabled for AD Bridging and RADIUS client
CentOS 6.x system, which acts as:
RADIUS server > FreeRADIUS configured to authenticate through PAM
Google Authenticator PAM module > provides OTP codes for enrolled users
Centrify DirectControl > provides AD integration and NSS/PAM-based identification/authentication
Active Directory: Provides infrastructure identity services (directory, authentication, policy)
In this lab we will not cover the setup of an identity service instance and cloud connector. Some resources:
a) Run radiusd as root
To let the radiusd daemon traverse the filesystem and read the Google Authenticator configuration file in each user's home directory, change the user and group it runs as. This is undesirable in a production environment: any bug in radiusd, or in a PAM module it loads, then executes with root privileges.
Edit the /etc/raddb/radiusd.conf file and find:
user = radiusd
group = radiusd
Change them to:
user = root
group = root
and save the file.
b) Enable PAM for the Default Site
Edit the /etc/raddb/sites-enabled/default file and find:
# Pluggable Authentication Modules.
Uncomment the pam line beneath it (in the authenticate section) and save.
c) Configure Users for PAM
Edit the /etc/raddb/users file and find:
#DEFAULT Group == "disabled", Auth-Type := Reject
# Reply-Message = "Your account has been disabled."
Uncomment those two lines and add a DEFAULT entry that sends every other user to PAM, so the section reads:
DEFAULT Group == "disabled", Auth-Type := Reject
	Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM
Tip: to check your work so far
In one session window, run the RADIUS daemon in debug mode:
$ sudo radiusd -X
Ready to process requests.
If anything is wrong with the configuration, radiusd -X reports it and exits instead of reaching this line.
Open another session and create a local test user:
$ sudo useradd testing
$ sudo passwd testing
BAD PASSWORD: it is based on a dictionary word
Retype new password:
passwd: all authentication tokens updated successfully.
Now you have a local user to test your RADIUS server via PAM.
In the second session, run the radtest utility against the localhost client (the stock clients.conf defines localhost with the shared secret testing123):
$ radtest testing Mysecret123! localhost 0 testing123
Sending Access-Request of id 204 to 127.0.0.1 port 1812
User-Name = "testing"
User-Password = "Mysecret123!"
NAS-IP-Address = 192.168.81.34
NAS-Port = 0
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=204, length=20
In the first window, you'll see debug output like this:
rad_recv: Access-Request packet from host 127.0.0.1 port 53367, id=204, length=77
User-Name = "testing"
User-Password = "Mysecret123!"
NAS-IP-Address = 192.168.81.34
NAS-Port = 0
Message-Authenticator = 0x8c11ad4b5c1dbd597764716d95d3d9e3
# Executing section authorize from file /etc/raddb/sites-enabled/default
Sending Access-Accept of id 204 to 127.0.0.1 port 53367
This verifies that everything is set up correctly so far. Stop the radiusd debug session (CTRL+C).
Install Centrify DirectControl and Join AD
We'll install from the Centrify repo and join AD in workstation mode.
At this point, if you want another sanity check, repeat the same radtest exercise with an AD user's credentials; an Access-Accept shows that FreeRADIUS, PAM and DirectControl are chained correctly.
Configure the Radius PAM directives for Google Authenticator
Edit /etc/pam.d/radiusd and make two changes: add the line
auth required pam_google_authenticator.so
at the top of the file, and comment out the existing auth include line. What we achieve here is that the Google Authenticator code is supplied as the one-time password over RADIUS. Other combinations of PAM modules can achieve Password+Code. The final result should look like this:
auth required pam_google_authenticator.so
#auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session include password-auth
This configuration challenges for the OTP code only and ignores the AD password: the RADIUS User-Password attribute must carry the six-digit code. Because nullok is not set, users who have not enrolled (no ~/.google_authenticator file) are rejected rather than let through.
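As an added example (not the lab's file, and not Centrify's or FreeRADIUS's documentation), here is a /etc/pam.d/radiusd that does the Password+Code combination mentioned above and at the same time removes the reason for running radiusd as root in step a). It assumes a pam_google_authenticator build that supports the forward_pass, secret= and user= options, a secrets directory of /var/lib/google-authenticator (my choice of path), and a password-auth stack whose modules accept a forwarded password (the stock CentOS pam_unix line and Centrify's pam_centrifydc line both use try_first_pass):

```text
# /etc/pam.d/radiusd -- added example, not the lab's file.
#
# The RADIUS User-Password is the AD password immediately followed by the
# six-digit code, e.g. "Mysecret123!287082". forward_pass makes
# pam_google_authenticator strip and verify the trailing code, then hand the
# remaining password to the modules that follow.
#
# secret=/user= (assumed path) keep the per-user secret files out of home
# directories: /var/lib/google-authenticator/<user>, owned by radiusd,
# mode 0400, so radiusd.conf can stay at user = radiusd / group = radiusd.
# No nullok: unenrolled users are rejected, not let through.
auth      required   pam_google_authenticator.so forward_pass secret=/var/lib/google-authenticator/${USER} user=radiusd
auth      include    password-auth

account   required   pam_nologin.so
account   include    password-auth
password  include    password-auth
session   include    password-auth
```

To enrol a user under this layout, run google-authenticator -s /var/lib/google-authenticator/<user> as root (the -s flag sets a non-standard secret file location), then chown the file to radiusd and chmod it to 0400; the module refuses secret files that are not owned by the user= account or that are readable by group or other. Revert the user/group change from step a) before testing.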
Enroll an AD user with Google Authenticator
Log in to the Linux system as a test AD user.
Run the Google Authenticator setup (google-authenticator):
Last login: Thu Aug 4 06:22:50 2016 from 192.168.81.11
Your new secret key is: ETIQLTKPBQV4TVLH
Your verification code is 2647620
Your emergency scratch codes are:
Follow the prompts until you complete setup.
Paste the URL into a web browser and scan the QR code with the Authenticator app's capture function. Alternatively, enter the secret key manually.
Repeat this process for all your test users.
Verify RADIUS functionality with OTP
In one session, run radiusd in debug mode (sudo radiusd -X).
In another session, test authentication with the current code from the OATH OTP authenticator app, passing the code in place of the password:
radtest [username] [oath otp code] localhost 0 [shared secret]
In my environment it looks like this:
You have verified functionality.
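A scripted version of the same check, added here as an example (it is not part of the lab and not Centrify's or FreeRADIUS's code): it derives the Google Authenticator code with the RFC 6238 TOTP algorithm (HMAC-SHA1, 30-second step, six digits) from the base32 secret that google-authenticator prints and stores on the first line of ~/.google_authenticator, then drives radtest with it. It also builds the password+code value used by a forward_pass PAM stack, which is an assumed alternative to the OTP-only stack on this page. The defaults (localhost, NAS port 0, shared secret testing123) match the lab's localhost client; the radtest invocation itself is an assumption about your environment, and the secret file contents used in the comments are constructed.

```python
#!/usr/bin/env python3
"""Scripted OTP check for the FreeRADIUS + pam_google_authenticator lab.

Added example, not part of the original lab. Computes the Google
Authenticator code (RFC 6238 TOTP: HMAC-SHA1, 30 s step, 6 digits) from the
base32 secret in ~/.google_authenticator and drives radtest with it.
"""
import base64
import hashlib
import hmac
import struct
import subprocess
import sys
import time


def secret_from_file_text(text):
    """Return the base32 secret from ~/.google_authenticator contents.

    The file's first line is the secret; lines starting with '"' are options
    (RATE_LIMIT, TOTP_AUTH, ...) and the remaining lines are scratch codes.
    """
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('"'):
            return line
    raise ValueError("no secret found in secret file")


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP (HMAC-SHA1 + dynamic truncation) over a base32 secret."""
    b32 = secret_b32.strip().upper()
    key = base64.b32decode(b32 + "=" * (-len(b32) % 8))  # re-add any stripped padding
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, truncated % 10 ** digits)


def totp(secret_b32, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if now is None:
        now = time.time()
    return hotp(secret_b32, int(now // step), digits)


def radius_password(secret_b32, ad_password=None, now=None):
    """User-Password value for the lab's PAM stack.

    OTP-only stack (as configured on this page): the 6-digit code alone.
    Password+code stack built with pam_google_authenticator forward_pass
    (an assumed alternative): the AD password immediately followed by the code.
    """
    code = totp(secret_b32, now)
    return code if ad_password is None else ad_password + code


def radtest_argv(user, user_password, server="localhost", nas_port=0,
                 shared_secret="testing123"):
    """radtest's positional arguments: user password server nas-port shared-secret."""
    return ["radtest", user, user_password, server, str(nas_port), shared_secret]


def run_radtest(user, user_password, **kwargs):
    """Run radtest; True on Access-Accept, False on Access-Reject or no reply."""
    proc = subprocess.run(radtest_argv(user, user_password, **kwargs),
                          capture_output=True, text=True)
    return "Access-Accept" in proc.stdout


def main(argv):
    if len(argv) not in (3, 4):
        sys.stderr.write("usage: %s <user> <secret-file> [ad-password]\n" % argv[0])
        return 2
    user, secret_path = argv[1], argv[2]
    ad_password = argv[3] if len(argv) == 4 else None
    # secret_path is e.g. a root-readable copy of the user's ~/.google_authenticator
    with open(secret_path) as fh:
        secret_b32 = secret_from_file_text(fh.read())
    ok = run_radtest(user, radius_password(secret_b32, ad_password))
    print("Access-Accept" if ok else "Access-Reject")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 otp_radtest.py <aduser> /path/to/secret-file` against the debug radiusd; the code is only valid for the current 30-second window, so the server clock and the machine generating the code must agree. Passing the AD password as the third argument produces the concatenated value for a forward_pass stack; note that command-line arguments are visible in ps, so this is for lab verification, not for production tooling.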
Set up the Cloud Connector as a RADIUS Client
On the FreeRADIUS server you have to define the connector as a RADIUS client.
If you haven't done so, close the radiusd debugger.
Edit the file /etc/raddb/clients.conf, go to the end and add: