Posts

Featured

FreeRADIUS with Two Factor Authentication (Google Authenticator)

Goal: Set up a FreeRADIUS server that uses Google two-factor authentication + LDAP (CentOS 7 based)

My specific use case was to set up a Cisco AnyConnect VPN and authenticate against a RADIUS server. I needed to have strong two-factor authentication and easy group administration of users belonging to specific VPN group profiles. It is easy enough to point a Cisco ASA to a RADIUS server, and tying in Google Authenticator via PAM is straightforward, but things quickly become more complicated if you need to manage more than one VPN profile that is backed by different LDAP groups.

Consider the following situation:

1. You need two VPN profiles, one for Sales and one for Engineering
2. You need to verify that users logging in belong to the correct LDAP group

Let's examine how FreeRADIUS integrates with PAM, and how PAM in turn interacts with LDAP:

Install the Google Authenticator PAM module

    cd ~
    git clone https://code.google.com/p/google-authenticator/
    cd googl...

Latest Posts

Manage SSL using saltstack