Add the following line to your /etc/apt/sources.list:

deb http://www.linotp.org/apt/debian jessie linotp

and then install the linotp packages:

apt-get update && apt-get install linotp linotp-useridresolver linotp-smsprovider linotp-adminclient-cli linotp-adminclient-gui libpam-linotp

Install mysql server and client:

apt-get install mysql-server mysql-client

Set up a user account called 'linotp2' and a database named 'LinOTP2' with a password.
Go to the LinOTP management panel: https://10.0.3.128/manage/

Add the LDAP user directory: LinOTP Config >> Useridresolvers >> New >> LDAP and fill in as below:

Resolver Name: MyDomain
Server-URI: <domaincontroller-hostname>
BaseDN: OU=Users,DC=my,DC=domain
BindDN: OU=Administrator,OU=Users,DC=my,DC=domain

Install free-radius and the linotp radius perl module:

apt-get install freeradius linotp-freeradius-perl

We need to configure freeradius. First keep a copy of the original configuration:

cp -a /etc/freeradius /etc/freeradius_original

rm /etc/freeradius/{clients.conf,users}
nano /etc/freeradius/clients.conf

# arbitrary name of the client asking for authentication (e.g. the VPN server)
client vpn {
    ipaddr = 10.0.0.0     # IP of the client
    netmask = 8
    secret = 'mysecret'   # shared secret the client has to provide
}

Set the default module:

nano /etc/freeradius/users

Insert:

DEFAULT Auth-Type := perl

Configure the linotp module: put

module = /usr/lib/linotp/radius_linotp.pm

into /etc/freeradius/modules/perl (between the perl parentheses / nest).

nano /etc/linotp2/rlm_perl.ini

# IP of the linotp server
URL=https://10.1.2.3:443/validate/simplecheck
# optional: limits search for user to this realm
REALM=my-realm
# optional: only use this UserIdResolver
#RESCONF=flat_file
# optional: comment out if everything seems to work fine
Debug=True
# optional: use this if you have self-signed certificates, otherwise comment out
SSL_CHECK=False

Create the virtual server for linotp:

nano /etc/freeradius/sites-available/linotp
authorize {
    # normalizes malformed client requests before handing them on to other modules (see '/etc/freeradius/modules/preprocess')
    preprocess
    # If you are using multiple kinds of realms, you probably
    # want to set "ignore_null = yes" for all of them.
    # Otherwise, when the first style of realm doesn't match,
    # the other styles won't be checked.
    # allows a list of realms (see '/etc/freeradius/modules/realm')
    IPASS
    # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    suffix
    # understands USER\REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
    ntdomain
    # Read the 'users' file to learn about special configuration which should be applied for
    # certain users (see '/etc/freeradius/modules/files')
    files
    # allows authentication to expire (see '/etc/freeradius/modules/expiration')
    expiration
    # allows to define valid service times (see '/etc/freeradius/modules/logintime')
    logintime
    # We got no radius_shortname_map!
    pap
}
# here the linotp perl module is called for further processing
authenticate {
    perl
}
Activate the virtual server:

ln -s ../sites-available/linotp /etc/freeradius/sites-enabled

You should now ensure you DELETE the inner-tunnel and default configuration (their symlinks) within the sites-enabled folder to get this working properly.

service freeradius restart

** Note: If you get an error like the following when starting freeradius:

freeradius Unknown value perl for attribute Auth-Type

try commenting out the default auth type in /etc/freeradius/users **
Test FreeRADIUS:

apt-get install freeradius-utils

radtest USERNAME PINOTP IP_OF_RADIUSSERVER NAS_PORTNUMBER SECRET

(PINOTP is the token PIN immediately followed by the OTP value.)
e.g.: radtest username 1234151100 10.1.2.3 0 56w55Rge0m1p4qj nasname 10.1.2.3

You can also test directly against LinOTP with https://<linotp-server>/validate/check?user=myuser&pass=<pin><access-code>
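As an added example (not part of this post, nor LinOTP or FreeRADIUS code), here is what radtest does on the wire: it builds a PAP Access-Request whose User-Password (the PIN+OTP) is hidden with the clients.conf shared secret, and checks the server's reply against that same secret. The secret, identifier and Request Authenticator used in the test are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT = 1, 2, 5

def encode_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def decode_user_password(encoded, secret, authenticator):
    """Inverse of the above: what the server does before handing PIN+OTP to rlm_perl."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(encoded[i:i + 16], key)), encoded[i:i + 16]
    return out.rstrip(b"\x00")  # strip the NUL padding

def attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, username, pin_otp, nas_port, secret, authenticator=None):
    """Builds the PAP Access-Request radtest sends: User-Name, User-Password, NAS-Port."""
    if authenticator is None:
        authenticator = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, encode_user_password(pin_otp.encode(), secret, authenticator))
             + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_authenticator, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()

def verify_response(reply, request, secret):
    """True only if the reply matches our request ID and was computed with our shared secret."""
    expected = response_authenticator(reply[0], reply[1], reply[20:], request[4:20], secret)
    return reply[1] == request[1] and hmac.compare_digest(reply[4:20], expected)
```

A reply whose Response Authenticator fails verify_response was not produced with the configured secret and must be discarded, which is why the secret in clients.conf has to match on both sides.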