Enabling RADIUS authentication with rlm_linotp2


asame dgrname

Oct 31, 2014, 6:05:44 PM10/31/14
to lin...@googlegroups.com
Hello,
I installed LinOTP on Ubuntu x64 (and after that on CentOS x32, same problem on both systems).
First I installed the LinOTP server and everything is working: the server is running, I added my MS Active Directory as Useridresolver and Realm, enabled the AuditTrail, can assign tokens, etc. I want to authenticate AD users via VPN from a Cisco ASA. Everything is OK, but I cannot configure the second step correctly, even though I've configured it exactly as in the LinOTP documentation: http://linotp.org/doc/2.6/part-installation/auth-modules/index.html#enabling-radius-authentication-with-rlm-linotp2

The second step was installing FreeRADIUS with the rlm_linotp2 module:
  • I downloaded FreeRADIUS 2.1.8 (I tested also other newer versions, with no success).
  • downloaded LinOTP Source Code (git clone https://github.com/linotp/linotp.git)
  • Installed gcc, make, libtool, openssl-devel, libcurl-dev..
  • Unpacked the FreeRADIUS source.
  • copied rlm_linotp2 folder (auth_modules/freeradius/src/rlm_linotp2) to modules folder of FreeRADIUS (freeradius-server-2.1.8/src/modules/)
  • added rlm_linotp2 to the file src/modules/stable
  • ./configure && make && make install
  • checked for the shared library files and they were created in /usr/local/lib/ (rlm_linotp2-2.1.8.so, rlm_linotp2.so).
  • and also copied linotp2.conf file to my installed FreeRADIUS config files folder. (usr/local/etc/raddb/)
  • started radius with command radiusd -X
But after the installation of FreeRADIUS the rlm_linotp2 module was not created in /usr/local/etc/raddb/modules/, and there is also no linotp in the sites-enabled and sites-available folders.
I checked all FreeRADIUS conf files and there is not one word about linotp; I did everything by the documentation but with no result.
When I try to authenticate a user from the Cisco ASA RADIUS client, FreeRADIUS shows this log:

rad_recv: Access-Request packet from host 1.1.1.33 port 46102, id=74, length=63
User-Name = "User1"
User-Password = "Passw0rd1"
NAS-IP-Address = 1.1.1.33
NAS-Port = 50
NAS-Port-Type = Virtual
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "User1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> User1
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 74 to 1.1.1.33 port 46102
Waking up in 4.9 seconds.
Cleaning up request 0 ID 74 with timestamp +20
Ready to process requests.

FreeRADIUS does not know about linotp.
I found this article about using the perl module for RADIUS to talk with the linotp server,
but I cannot understand how to configure it.

Please help me if you know how to enable FreeRADIUS to talk to the linotp server.
Thanks



d0c.f...@gmail.com

Dec 15, 2014, 10:15:00 AM12/15/14
to lin...@googlegroups.com
Hi, I'm using the perl module radius_linotp.pm ( https://github.com/LinOTP/LinOTP/blob/master/auth_modules/src/freeradius_perl/radius_linotp.pm ) to connect freeradius to linotp.

You can use it like this:

- copy radius_linotp.pm to the freeradius config directory (/etc/raddb)
- edit the file /etc/linotp2/rlm_perl.ini according to your environment, for example:

URL=https://1.1.1.1/validate/simplecheck
REALM=examplerealm
RESCONF=exampleresconf
Debug=True
SSL_CHECK=False

- edit /etc/raddb/users to contain only the following line:

DEFAULT Auth-Type := perl

- edit /etc/raddb/modules/perl like this:

perl {
module = /etc/raddb/radius_linotp.pm
}

- edit the "authenticate" section of /etc/raddb/sites-enabled/default

authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
Auth-Type perl {
perl
}

...

(see also at http://linotp.org/doc/2.6/part-installation/auth-modules/index.html#enabling-radius-authentication-with-rlm-linotp2 )

That's it!

Regards, Christian
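To make the rlm_perl.ini settings above concrete, here is an added example (not the thread's radius_linotp.pm and not LinOTP project code) that models what such a glue module does: it reads the KEY=value settings, POSTs the user's credentials to the /validate/simplecheck URL, and maps the reply to a RADIUS decision. The field names `user`, `pass`, `realm` and `resConf`, the smiley replies (`:-)` success, `:-(` failure, `:-/` error) and the flat KEY=value layout of the ini file are assumptions about the LinOTP validate API; the `fake_linotp` transport is a constructed stand-in so the code runs offline.

```python
"""Model of a FreeRADIUS-to-LinOTP check driven by rlm_perl.ini.
Constructed example; not the radius_linotp.pm module from the thread."""
import configparser
import ssl
import urllib.parse
import urllib.request

# Constructed stand-in for /etc/linotp2/rlm_perl.ini, using the values from
# the post. Assumption: the real file is flat KEY=value lines like these.
SAMPLE_INI = """\
URL=https://1.1.1.1/validate/simplecheck
REALM=examplerealm
RESCONF=exampleresconf
Debug=True
SSL_CHECK=False
"""


def parse_rlm_perl_ini(text):
    """Parse KEY=value lines into a dict; Debug and SSL_CHECK become bools."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string("[default]\n" + text)  # configparser needs a section header
    cfg = dict(cp["default"])
    for key in ("Debug", "SSL_CHECK"):
        if key in cfg:
            cfg[key] = cfg[key].strip().lower() in ("true", "1", "yes")
    return cfg


def build_request(cfg, user, password):
    """Assemble the simplecheck POST target and body.
    Assumption: LinOTP expects 'user', 'pass', optional 'realm' and 'resConf'."""
    fields = {"user": user, "pass": password}
    if cfg.get("REALM"):
        fields["realm"] = cfg["REALM"]
    if cfg.get("RESCONF"):
        fields["resConf"] = cfg["RESCONF"]
    return cfg["URL"], urllib.parse.urlencode(fields).encode()


def ssl_context(cfg):
    """SSL_CHECK=False disables certificate verification: anyone on the path
    between the RADIUS server and LinOTP could then read the submitted
    password or forge a ':-)' reply. Leave it enabled outside a lab."""
    ctx = ssl.create_default_context()
    if not cfg.get("SSL_CHECK", True):
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def classify_reply(body):
    """Map a simplecheck body to the RADIUS reply the module would return.
    Assumption: ':-)' means accepted, ':-(' rejected, ':-/' a server error."""
    body = body.strip()
    if body == ":-)":
        return "Access-Accept"
    if body == ":-(":
        return "Access-Reject"
    return "Access-Reject (server error)"  # ':-/' or anything unexpected


def authenticate(cfg, user, password, transport=None):
    """Run one check; 'transport' lets tests inject an offline LinOTP stand-in."""
    url, data = build_request(cfg, user, password)
    if transport is None:
        def transport(url, data):
            req = urllib.request.Request(url, data=data, method="POST")
            with urllib.request.urlopen(req, context=ssl_context(cfg),
                                        timeout=10) as resp:
                return resp.read().decode()
    return classify_reply(transport(url, data))


def fake_linotp(url, data):
    """Constructed offline stand-in for the LinOTP server: one valid
    user/OTP pair, everything else rejected."""
    fields = urllib.parse.parse_qs(data.decode())
    ok = fields.get("user") == ["User1"] and fields.get("pass") == ["123456789012"]
    return ":-)" if ok else ":-("


if __name__ == "__main__":
    settings = parse_rlm_perl_ini(SAMPLE_INI)
    print(authenticate(settings, "User1", "123456789012", transport=fake_linotp))
    print(authenticate(settings, "User1", "wrong", transport=fake_linotp))
```

With the injected stand-in the first call yields Access-Accept and the second Access-Reject; against a real LinOTP the built-in transport is used instead. Note that the `SSL_CHECK=False` line from the post only makes sense while testing with a self-signed certificate; the RADIUS server forwards the user's password in that request, so certificate checking should be turned back on once the LinOTP certificate is trusted.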