Thursday 27 August 2015

Setup LinOTP with FreeRadius

We shall first install and configure LinOTP from their repositories (I will be using Debian for this tutorial).

Add the following line to your /etc/apt/sources.list:
deb http://www.linotp.org/apt/debian jessie linotp
and then install the LinOTP packages:
apt-get update && apt-get install linotp linotp-useridresolver linotp-smsprovider linotp-adminclient-cli linotp-adminclient-gui libpam-linotp
Install the MySQL server and client:
apt-get install mysql-server mysql-client
Set up a user account called 'linotp2' and a database named 'LinOTP2', with a password.

Go to LinOTP management panel: https://10.0.3.128/manage/

Add an LDAP user directory: LinOTP Config >> Useridresolvers >> New >> LDAP and fill in as below:
Resolver Name: MyDomain
Server-URI: <domaincontroller-hostname>
BaseDN: OU=Users,DC=my,DC=domain
BindDN: OU=Administrator,OU=Users,DC=my,DC=domain
Install FreeRADIUS and the LinOTP RADIUS Perl module:
apt-get install freeradius linotp-freeradius-perl
We need to configure FreeRADIUS. Back up the original configuration and remove the stock clients and users files:
cp -a /etc/freeradius /etc/freeradius_original
rm /etc/freeradius/{clients.conf,users}

nano /etc/freeradius/clients.conf

# arbitrary name for the client asking for authentication (e.g. the VPN server)
client vpn {
        ipaddr  = 10.0.0.0    # IP of the client
        netmask = 8
        secret  = 'mysecret'  # shared secret the client has to provide
}
Set the default Auth-Type to the perl module:
nano /etc/freeradius/users

DEFAULT Auth-type := perl
Insert:
module = /usr/lib/linotp/radius_linotp.pm

into /etc/freeradius/modules/perl (inside the perl { ... } block).
Configure the LinOTP module:
nano /etc/linotp2/rlm_perl.ini

# IP of the LinOTP server
URL=https://10.1.2.3:443/validate/simplecheck
# optional: limits the search for the user to this realm
REALM=my-realm
# optional: only use this UserIdResolver
#RESCONF=flat_file
# optional: comment out once everything seems to work fine
Debug=True
# optional: use this if you have self-signed certificates, otherwise comment out
SSL_CHECK=False
Create the virtual server for LinOTP:
nano /etc/freeradius/sites-available/linotp

authorize {

        # normalizes malformed client requests before handing them on to other modules (see '/etc/freeradius/modules/preprocess')
        preprocess

        #  If you are using multiple kinds of realms, you probably
        #  want to set "ignore_null = yes" for all of them.
        #  Otherwise, when the first style of realm doesn't match,
        #  the other styles won't be checked.

        # allows a list of realms (see '/etc/freeradius/modules/realm')
        IPASS

        # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
        suffix

        # understands USER\REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
        ntdomain

        # Read the 'users' file to learn about special configuration which should be applied for
        # certain users (see '/etc/freeradius/modules/files')
        files

        # allows authentication to expire (see '/etc/freeradius/modules/expiration')
        expiration

        # allows defining valid login times (see '/etc/freeradius/modules/logintime')
        logintime

        # We got no radius_shortname_map!
        pap
}

# here the LinOTP perl module is called for further processing
authenticate {
        perl
}

Activate the virtual server:

ln -s ../sites-available/linotp /etc/freeradius/sites-enabled
You should now make sure you DELETE the inner-tunnel and default configurations from the sites-enabled folder, otherwise this will not work properly.
service freeradius restart
** Note: If you get an error like the following when starting FreeRADIUS:

freeradius  Unknown value perl for attribute Auth-Type

try commenting out the default Auth-Type in /etc/freeradius/users **

Test FreeRADIUS:

apt-get install freeradius-utils

radtest USERNAME PINOTP IP_OF_RADIUSSERVER NAS_PORTNUMBER SECRET

where PINOTP is the user's PIN immediately followed by the current OTP, e.g.: radtest username 1234151100 10.1.2.3 0 56w55Rge0m1p4qj nasname 10.1.2.3

You can also test directly against LinOTP with https://<linotp-server>/validate/check?user=myuser&pass=<pin><otp>
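To see what the Perl module actually does against the URL from rlm_perl.ini, here is an added example (my own code, not part of LinOTP or the FreeRADIUS module) that builds the validate request with the PIN and OTP concatenated into the single pass value, and decodes both reply formats: the smiley strings returned by /validate/simplecheck and the JSON returned by /validate/check. The server address and the sample replies are assumed/constructed for the example.

```python
"""Minimal client for LinOTP's /validate endpoints (added example, not the
LinOTP project's own code). This mirrors what rlm_perl.ini points the
FreeRADIUS perl module at: the RADIUS password is <PIN><OTP>, sent as 'pass'."""
import json
import ssl
import urllib.parse
import urllib.request

# Assumed server address; the post uses https://10.1.2.3:443 in rlm_perl.ini
LINOTP_BASE = "https://10.1.2.3:443"


def build_validate_url(base, endpoint, user, pin, otp, realm=None):
    """Build the URL the perl module would call. PIN and OTP are concatenated
    into one 'pass' value, exactly as the user types them at the VPN prompt."""
    params = {"user": user, "pass": f"{pin}{otp}"}
    if realm:
        params["realm"] = realm  # corresponds to REALM= in rlm_perl.ini
    return f"{base}/validate/{endpoint}?{urllib.parse.urlencode(params)}"


def parse_simplecheck(body):
    """/validate/simplecheck answers with a smiley:
    ':-)' = OTP accepted, ':-(' = rejected, anything else (':-/') = error."""
    body = body.strip()
    if body == ":-)":
        return True
    if body == ":-(":
        return False
    raise RuntimeError(f"LinOTP error or unexpected reply: {body!r}")


def parse_check(body):
    """/validate/check answers with JSON: result.status says whether the
    request itself was processed, result.value whether the OTP was valid."""
    result = json.loads(body).get("result", {})
    if not result.get("status", False):
        raise RuntimeError("LinOTP reported an error processing the request")
    return bool(result.get("value", False))


def validate(user, pin, otp, base=LINOTP_BASE, verify_tls=True, timeout=5):
    """Network call (not exercised offline). verify_tls=False reproduces
    SSL_CHECK=False from rlm_perl.ini; keep it True once a proper cert is in place."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = build_validate_url(base, "simplecheck", user, pin, otp)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return parse_simplecheck(resp.read().decode())
```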
