2.5F Authentication

  • Tutorial
Hello! Congratulations to everyone involved on Infosec Specialist Day :)

I want to share my experience of setting up 2.5-factor authentication for remote users. Why 2.5? I think you will understand from the content if you take the classic model "1. Something I know. 2. Something I have. 3. Something I am" as the reference. If you are interested, read on!

I tried to draw it on a diagram:

Briefly: the remote user has an eToken (Aladdin), an account in Active Directory that is a member of a specific group, and a one-time password from the Google Authenticator mobile app, and needs to connect successfully to some service.

There is an article on Habr that describes the main points of setting up Cisco ASA, AnyConnect, Google Authenticator and FreeRADIUS. I see no point in duplicating it; practically everything is the same, except for the following.

I recommend installing the FreeRADIUS utilities as well, so you can test with the radtest command and run the server in debug mode with radiusd -X:

yum install freeradius freeradius-utils

Based on the errors I ran into, I found it most convenient to configure things in the following order:

  1. RADIUS
  2. Google
  3. Sssd
  4. PAM
  5. CISCO

But as usual, not everything is so simple and orderly. On GitHub, the Google components we need are described as follows: "The pluggable authentication module (PAM) is in a separate project." Various errors may occur during installation; here you need to read the output and, if necessary, (re)install the developer tools and libraries (gcc, libqrencode, etc.).

Now for what did not work out for the author of the article cited above (or perhaps it did, but he decided not to write about it).

To use accounts from AD, you must install SSSD and its components:

yum install sssd realmd adcli

Next, join the RADIUS server to the domain:

realm join ваш_домен

We allow access to users from a predefined group in AD:

realm permit -g ваша_группа_из_AD

At this stage there may be a problem with the domain name: the top-level part (.ru, .net, .test, etc.) may not be resolved, so your domain name may come out incomplete. This affects the authentication process and the configuration of the RADIUS server.

In my case it looked like username@domain, where domain is only the second-level name. What does this lead to? You simply cannot authenticate successfully unless you comment out the following lines in /etc/raddb/policy.d/filter:

#	if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))  {
#		update reply {
#			Reply-Message += "Rejected: Realm does not have at least one dot separator"
#		}
#		reject
#	}

Otherwise, the user name you entered will be filtered out as erroneous. To set up Google Authenticator for a domain user, do the following:

su - domain_user@domain
google-authenticator

This user must be a member of the group that we specified above with the realm permit command.

Problems arise at this stage too: the security mechanisms will not allow a home directory to be created for the new user. This directory is required for the ~/.google_authenticator file, which holds the secret key and the emergency scratch codes for each user.

To fix this, you need to switch the SELinux component to permissive mode (note that setenforce only applies until the next reboot, and permissive mode stops SELinux enforcing its policy on the whole host, not just for this directory):

setenforce permissive

Next, go to /etc/pam.d/radiusd and write the following config:

#%PAM-1.0
auth       requisite    pam_google_authenticator.so forward_pass
auth       required     pam_sss.so use_first_pass
account    required     pam_nologin.so
account    include      password-auth
session    include      password-auth

Do not forget about NTP and synchronize the time, otherwise the one-time passwords will not work, and /var/log/secure will show the message "invalid code".

When everything is ready, you can test:

  1. After starting AnyConnect, the eToken PKI Client window appears.
  2. Choose your certificate and enter the password for the container (factor 1).
  3. Next, enter the credentials of the AD user (login + password) (factor 2).
  4. Append the code from the app on the phone to the password, without spaces (factor 0.5).

2.5-factor authentication is ready. If I forgot something and it did not work for you, write in the comments and I will try to help :)
