我一直在尝试让 VPN 用户使用 2FA(Google 身份验证器)进行身份验证。目前我有 Cisco ISE、FreeRadius 服务器、Active Directory。我想要实现的是,当用户连接到 VPN(思科 ISE)时,服务器会从 Radius 服务器请求用户,然后 Radius 服务器从 Active Directory 验证用户身份。如果用户身份验证成功,FreeRadius 服务器必须向用户请求 OTP。我的配置是: /etc/raddb/sites-enabled/default
server default {
listen {
type = auth
ipaddr = 1.1.1.1
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
ipaddr = *
port = 0
type = acct
}
authorize {
filter_username
preprocess
chap
mschap
digest
suffix
eap {
ok = return
}
files
-sql
ldap
if ((ok || updated) && User-Password && !control:Auth-Type){
update {
control:Auth-Type := ldap
}
}
expiration
logintime
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
mschap
digest
Auth-Type LDAP {
ldap
}
eap
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
-sql
exec
attr_filter.accounting_response
}
session {
}
post-auth {
if (Google-Password) {
update request {
pam
}
}
else {
update reply {
&Google-Password = "%{Google-Password}"
}
}
update {
&reply: += &session-state:
}
-sql
exec
remove_reply_message_if_eap
Post-Auth-Type REJECT {
-sql
attr_filter.access_reject
eap
remove_reply_message_if_eap
}
Post-Auth-Type Challenge {
}
}
pre-proxy {
}
post-proxy {
eap
}
}
/etc/raddb/clients.conf
client CISCO_ISE {
ipaddr = 1.1.1.2
proto = *
secret = testing123
require_message_authenticator = no
nas_type = other
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
/etc/raddb/mods-config/files/authorize
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
/etc/pam.d/radiusd
auth requisite pam_google_authenticator.so forward_pass
使用此配置,FreeRadius 服务器会要求输入用户名和密码,但广告身份验证服务器不会要求一次性密码
问题解决了。对于那些配置精确设置的人,您需要使用
state attributestate attributestate attributeActive Directory您有什么想法在 freeradius 中启用 google auth 来登录 cisco 交换机吗?我已经完成了身份验证部分,但是 2fa 失败了。