11 April,19 at 11:50 AM
Background
Many organizations have invested in multi-factor authentication solutions that work with the Remote Authentication Dial In User Service (RADIUS) protocol and they would like to re-use their investments with Centrify Identity Service and Centrify Privilege Service.
Earlier this year, as part of the MFA Everywhere initiative, Centrify added RADIUS server capabilities to the Identity Platform so that it can provide MFA to systems that act as RADIUS clients (e.g. VPN gateways).
With the 16.8 monthly release, Centrify is adding the ability for the Identity Platform to act as a RADIUS client. This will open the opportunity for CIS and CPS users to have authentication profiles for MFA products that support RADIUS (e.g. RSA, Symantec, CA, Vasco, etc).
This lab will allow you to set up a Linux server to act as your AD-integrated OTP+RADIUS server. Then we'll configure CIS/CPS to act as a RADIUS client and support it as an additional MFA option.
Disclaimers
Lab Design
The proposed lab looks as follows:
As you can see, we're using the following components:
Implementation
In this lab we will not cover the setup of an identity service instance and cloud connector. Some resources:
What you'll need:
This lab starts assuming that you can log in to your Identity Service or Privilege Service instance with a user with the System Administrator right.
RADIUS+OTP Server Setup
Configuration Overview
Adding the EPEL repo for Centos 6.x
$ wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
$ sudo yum install epel-release-latest-6.noarch.rpm -y
[truncated]
Installed:
  epel-release.noarch 0:6-8
Installing Google Authenticator
$ sudo yum install google-authenticator -y
[truncated]
Installed:
  google-authenticator.x86_64 0:0-0.3.20110830.hgd525a9bab875.el6
Install FreeRADIUS and Tools
$ sudo yum install freeradius freeradius-utils -y
[truncated]
Installed:
  freeradius.x86_64 0:2.2.6-6.el6_7
  freeradius-utils.x86_64 0:2.2.6-6.el6_7
Dependency Installed:
  perl-DBI.x86_64 0:1.609-4.el6
Configuring FreeRADIUS for PAM
a) User and Group for the Radius Daemon
To allow the radiusd daemon to traverse the filesystem and read the Google Authenticator config file in each user's home directory, you have to change the user/group in the configuration file. Running the daemon as root may be undesirable in a production environment.
Edit the /etc/raddb/radiusd.conf file and find:
user = radiusd
group = radiusd
Change to
user = root
group = root
and save the file.
b) Enable PAM for the Default Site
Edit the /etc/raddb/sites-enabled/default file and find:
# Pluggable Authentication Modules.
# pam
uncomment the PAM module and save.
pam
c) Configure Users for PAM
Edit the /etc/raddb/users file and find
#DEFAULT Group == "disabled", Auth-Type := Reject
#        Reply-Message = "Your account has been disabled."
uncomment and add the line as follows:
DEFAULT Group == "disabled", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM
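Steps a) to c), collected into one script. This is an added example, not code from the original post or from Centrify: it applies the three edits to a FreeRADIUS 2.x configuration directory with sed and awk, keeps a .bak copy of each file it touches, and verifies the result afterwards. It assumes the CentOS 6 layout under /etc/raddb; the directory is an argument, so the script can be tried on a copy of the configuration first.

```shell
#!/bin/sh
# Added example (not from the original post): apply steps a), b) and c)
# to a FreeRADIUS 2.x configuration directory and verify the result.
# Assumes the CentOS 6 layout (/etc/raddb); pass a copy of the directory
# to dry-run the edits.
set -e

TAB=$(printf '\t')

# Rewrite a file in place through sed expressions, keeping the original as FILE.bak.
# Usage: edit_in_place FILE -e EXPR [-e EXPR ...]
edit_in_place() {
    f=$1; shift
    cp "$f" "$f.bak"
    sed "$@" "$f.bak" > "$f"
}

# a) Run radiusd as root so it can read ~/.google_authenticator in every home
#    directory (a lab convenience; the post itself flags it as undesirable in production).
set_daemon_user_root() {
    edit_in_place "$1/radiusd.conf" \
        -e 's/^\([[:space:]]*\)user[[:space:]]*=[[:space:]]*radiusd[[:space:]]*$/\1user = root/' \
        -e 's/^\([[:space:]]*\)group[[:space:]]*=[[:space:]]*radiusd[[:space:]]*$/\1group = root/'
}

# b) Uncomment the "pam" module in the default site (the stock line is "#<tab>pam").
enable_pam_in_default_site() {
    edit_in_place "$1/sites-enabled/default" \
        -e "s/^#[[:space:]]*pam[[:space:]]*\$/${TAB}pam/"
}

# c) Uncomment the "disabled" group reject entry and make PAM the default
#    Auth-Type right after it. Idempotent: the PAM default is added only once.
set_pam_default_authtype() {
    users="$1/users"
    add=1
    if grep -q '^DEFAULT[[:space:]]*Auth-Type := PAM' "$users"; then add=0; fi
    cp "$users" "$users.bak"
    awk -v add="$add" '
        /^#DEFAULT[[:space:]]+Group == "disabled"/ { sub(/^#/, "") }
        /^#[[:space:]]*Reply-Message = "Your account has been disabled\."/ {
            sub(/^#/, "")
            print
            if (add) print "DEFAULT\tAuth-Type := PAM"
            next
        }
        { print }
    ' "$users.bak" > "$users"
}

apply_raddb_pam_edits() {
    set_daemon_user_root "$1"
    enable_pam_in_default_site "$1"
    set_pam_default_authtype "$1"
}

# Returns 0 only when all three edits are present.
verify_raddb_pam_edits() {
    grep -q '^[[:space:]]*user = root[[:space:]]*$' "$1/radiusd.conf" &&
    grep -q '^[[:space:]]*group = root[[:space:]]*$' "$1/radiusd.conf" &&
    grep -q '^[[:space:]]*pam[[:space:]]*$' "$1/sites-enabled/default" &&
    grep -q '^DEFAULT[[:space:]]*Group == "disabled", Auth-Type := Reject' "$1/users" &&
    grep -q '^DEFAULT[[:space:]]*Auth-Type := PAM' "$1/users"
}

# Usage: sh radius_pam_edits.sh /etc/raddb   (then confirm with: sudo radiusd -X)
if [ $# -gt 0 ]; then
    apply_raddb_pam_edits "$1"
    verify_raddb_pam_edits "$1" && echo "PAM edits applied and verified in $1"
fi
```

Run it once against a copy of /etc/raddb and diff the copy against the original before touching the live directory; the verify function is also a cheap check to keep in a configuration-management run, since it fails loudly if a package upgrade restores the stock files.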
Tip: To check your work so far
$ sudo radiusd -X [truncated] Ready to process requests.If there are any issues with the current configuration, you can verify it with the output.
$ sudo useradd testing $ sudo passwd testing New password: BAD PASSWORD: it is based on a dictionary word Retype new password: passwd: all authentication tokens updated successfully.Now you have a user to test your RADIUS server via PAM.
radtest testing Mysecret123! localhost 0 testing123 Sending Access-Request of id 204 to 127.0.0.1 port 1812 User-Name = "testing" User-Password = "Secret123!" NAS-IP-Address = 192.168.81.34 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=204, length=20On the first window, you'll see the verbose output somewhat like this:
rad_recv: Access-Request packet from host 127.0.0.1 port 53367, id=204, length=77 User-Name = "testing" User-Password = "Mysecret123!" NAS-IP-Address = 192.168.81.34 NAS-Port = 0 Message-Authenticator = 0x8c11ad4b5c1dbd597764716d95d3d9e3 # Executing section authorize from file /etc/raddb/sites-enabled/default [truncated] Sending Access-Accept of id 204 to 127.0.0.1 port 53367This verifies that things are set up correctly so far. Cancel radiusd debug (CTRL+C)
Install Centrify DirectControl and Join AD
We'll use the Centrify Repo and join AD in Workstation mode.
$ sudo yum install CentrifyDC -y
[truncated]
Installed:
  CentrifyDC.x86_64 0:5.3.1-398
$ sudo adjoin -w -u [user.name] domain.name
user.name@DOMAIN.NAME's password:
Using domain controller: dc.centrify.vms writable=true
Join to domain:centrify.vms, zone:Auto Zone successful
Centrify DirectControl started.
At this point, if you want another sanity check, you can repeat the same debugging but with an AD user credential.
Configure the Radius PAM directives for Google Authenticator
Edit /etc/pam.d/radiusd and make two modifications:
Add the line auth required pam_google_authenticator.so at the top of the file, and comment out the existing auth include password-auth line.
Here what we'll achieve is to provide the Google Authenticator code as our one-time password via RADIUS. Other combinations of PAM modules can achieve a Password+Code.
The final result should look like this:
#%PAM-1.0
auth required pam_google_authenticator.so
#auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session include password-auth
This configuration challenges for the OTP code only and ignores the password.
Enroll an AD user with Google Authenticator
Log in to the Linux server as the AD user and run google-authenticator:
Last login: Thu Aug 4 06:22:50 2016 from 192.168.81.11
$ google-authenticator
https://www.google.com/[truncated]
Your new secret key is: ETIQLTKPBQV4TVLH
Your verification code is 2647620
Your emergency scratch codes are:
  08703664
  [truncated]
Follow the prompts until you complete setup.
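Because radiusd now runs as root and reads ~/.google_authenticator from every home directory, it is worth knowing which users are actually enrolled and whether any seed file has been left readable by other users (google-authenticator writes it mode 0400, owned by the user). The audit below is an added example, not part of the original post or of Centrify's tools. It assumes each user's home is a direct child of one tree (/home by default; confirm the home path your zone assigns to AD users) and parses ls -ld rather than stat so it works on any Linux or BSD userland.

```shell
#!/bin/sh
# Added example (not from the original post): list Google Authenticator
# enrollment per home directory and flag seed files that are readable by
# anyone but their owner. Assumes homes are direct children of the tree
# given as $1 (default /home).
set -e

# Prints "user<TAB>status" per home directory, where status is one of
# enrolled | not-enrolled | INSECURE(mode=...,owner=...).
# Returns 1 if any seed file is insecure, so it can gate a cron job.
audit_ga_enrollment() {
    tree=${1:-/home}
    bad=0
    for home in "$tree"/*/; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        secret="${home}.google_authenticator"
        if [ ! -f "$secret" ]; then
            printf '%s\tnot-enrolled\n' "$user"
            continue
        fi
        # ls -ld: $1 = mode string (e.g. -r-------- or -r--------. with SELinux), $3 = owner
        set -- $(ls -ld "$secret")
        case "$1" in
            ????------*)
                # no group/other bits; the seed is only as exposed as root and the owner
                if [ "$3" = "$user" ]; then
                    printf '%s\tenrolled\n' "$user"
                    continue
                fi ;;
        esac
        printf '%s\tINSECURE(mode=%s,owner=%s)\n' "$user" "$1" "$3"
        bad=1
    done
    return $bad
}

# Usage: sh ga_audit.sh [/home]
if [ $# -gt 0 ]; then
    audit_ga_enrollment "$1"
fi
```

An INSECURE line means the TOTP seed, scratch codes and rate-limit state of that user are readable by other local accounts; tighten the file to 0400 and consider re-enrolling the user, since a copied seed produces valid codes indefinitely.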
Verify RADIUS functionality with OTP
You have verified functionality.
Set up the Cloud Connector as a RADIUS Client
On the FreeRADIUS Server you have to set up the connector as a client.
client [your-client-name] {
    secret = [Insert Complex String Here]
    shortname = [Friendly Name]
}
Notes:
Note: In some Linux systems/versions you may need to set SELinux to permissive. This is to allow radiusd to interact with PAM.
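A helper for the client entry above, as an added example that is not code from the original post or from Centrify. It generates a random 32-character hex secret, refuses placeholder values and the testing123 localhost default that the radtest check earlier in the lab relies on, renders the clients.conf stanza for FreeRADIUS 2.x (with an explicit ipaddr for the connector, an assumption; the post's stanza identifies the client by name instead), and wraps the radtest call for exercising OTP login through that entry. The shared secret keys both the User-Password hiding and the Message-Authenticator on every request, so it deserves the same handling as a privileged password. Host names and addresses in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): mint a shared secret for the
# cloud connector, refuse weak or placeholder secrets, render the
# clients.conf stanza for FreeRADIUS 2.x, and wrap the radtest check.
set -e

# 16 random bytes as 32 hex characters: 128 bits of entropy, and a length
# that fits the secret field of most RADIUS clients.
gen_radius_secret() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Reject secrets that are empty, shorter than 16 characters, still a
# [placeholder], or the stock localhost secret (testing123) from clients.conf.
check_radius_secret() {
    case "$1" in
        ''|testing123|*'['*|*']'*) return 1 ;;
    esac
    [ "${#1}" -ge 16 ]
}

# Render a clients.conf stanza. Arguments: name, connector IP, secret, shortname.
render_radius_client() {
    check_radius_secret "$3" || { echo "refusing weak secret for client $1" >&2; return 1; }
    printf 'client %s {\n\tipaddr = %s\n\tsecret = %s\n\tshortname = %s\n}\n' "$1" "$2" "$3" "$4"
}

# Exercise the client entry from the connector host, sending the current
# 6-digit code as the password (radtest arguments: user code server nas-port secret).
radius_otp_check() {
    radtest "$1" "$2" "$3" 0 "$4"
}

# Usage (illustrative; names and addresses are placeholders):
#   SECRET=$(gen_radius_secret)
#   render_radius_client cloud-connector CONNECTOR-IP "$SECRET" connector01 \
#       | sudo tee -a /etc/raddb/clients.conf
#   sudo service radiusd restart
#   radius_otp_check aduser 123456 RADIUS-SERVER-IP "$SECRET"   # run on the connector host
```

Store the generated secret only where it is needed (the clients.conf stanza and the server entry in Cloud Manager), and keep the localhost client on its own secret so the radtest sanity check never reuses the connector's.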
Centrify Identity Service or Privilege Service Setup
Overview
To configure the RADIUS Server
Go to Cloud Manager > Settings > Authentication > Radius Connections > Servers Tab and press Add
Name: A descriptive name (e.g. SecurID PIN+Code)
Description: Optional
Server IP Address: The IP address of your server
Port: Change if not default (1812)
Server Secret: Must match the secret you set up in the previous step.
Configuring a Connector for RADIUS
You need at least one connector enabled for RADIUS that can reach the RADIUS server.
Go to Cloud Manager > Settings > Network > Cloud Connectors > [connector] > RADIUS and check "Enable connections to external RADIUS servers".
Also make sure that the RADIUS Client service is enabled.
Enable RADIUS in your User Authentication Policy
Go to Cloud Manager > Policies > [click on the policy that applies to the user(s)] > Expand User Security Policies and Click RADIUS. Set "Allow 3rd Party RADIUS" to Yes and Save.
Enable 3rd Party RADIUS in any corresponding Authentication Profiles
Go to Cloud Manager > Settings > Authentication Profiles > [click the profile that you want to enable], check "3rd Party RADIUS Authentication" and press OK. Repeat with other profiles if needed.
Verify Functionality
Tidy-up: Set up the Radius Service for Automatic Startup
$ sudo chkconfig radiusd on
$ sudo service radiusd start
CIS/CPS Setup Video