Channel: NetworkJutsu - Latest Comments

Re: How to configure EdgeRouter Lite via CLI – Part 1

Thank you, it is collected well. I copied some part of configuration :)


Re: FreeRADIUS 3.0 with Two-Factor Authentication (2FA)

Any chance you could fix your post to make it easier to copy? Lot of unprintable characters in there.

Re: FreeRADIUS 3.0 with Two-Factor Authentication (2FA)

Could you be a little more specific? I was able to copy the Dockerfile to a text editor just fine.

Re: FreeRADIUS 3.0 with Two-Factor Authentication (2FA)

Can you not see the boxes before and after some of the lines in the section after "Without further ado, below is my Dockerfile that I wrote that satisfies my needs." ?

Re: FreeRADIUS 3.0 with Two-Factor Authentication (2FA)

I guess not. Could you please attach a screenshot?

Re: FreeRADIUS 3.0 with Two-Factor Authentication (2FA)

I think I fixed it. Could you please try again?

Re: FreeRADIUS 3.0 with Two-Factor Authentication (2FA)

Looks good now. No more funky chars.


Re: FreeRADIUS 3.0 with Two-Factor Authentication (2FA)

Thanks for bringing it to my attention!

Re: TACACS+ (tac_plus daemon) ACL

Hi,

I have multiple devices that I want to authenticate/authorize from a tac+ server. Most of them are Cisco routers and switches, and I would need to have different privilege levels for routers and switches, where people could access routers more freely than switches in general.

Now I've read that post and I thought maybe creating one ACL entry for each device list would help me do this, but my question here is: can I apply two or more ACL entries for the same service defined for only one group?

Thanks,
Mina

Re: TACACS+ (tac_plus daemon) ACL

Unfortunately, I am unsure if you could do it or not. You'll have to try it out.

Re: F5 BIG-IP LTM VE Initial Configuration

Thank you! Your guide was helpful for me!

Re: Enabling AAA on Cisco ASA

When I enter this command on a Cisco ASA 5505 in Packet Tracer, it shows "Invalid command".
What should I do in order to make it work in Packet Tracer?

Re: Enabling AAA on Cisco ASA

It's possible it's not supported in Packet Tracer. You may want to download ASAv to practice the full command set. Alternatively, you may want to investigate how to run the ASA image on GNS3 or EVE-NG.

Re: Adding Two-Factor Authentication to FreeRADIUS

I set up SSH with google-authenticator first and tested my user. That worked as expected.
Then I tried setting up freeradius as documented here. I used option 1 as it was easiest.
But when I try it using radtest it continues to fail.
I am using

radtest [username] [Password][google-authenticator six digits at end of password] [IP] [port]

I get the following, even with a user/password and google auth that should work:

root@freeradius:~# radtest username password123456 10.0.101.250 18120 testing123
Sent Access-Request Id 156 from 0.0.0.0:38462 to 10.0.101.250:1812 length 78
User-Name = "username"
User-Password = "password123456"
NAS-IP-Address = 10.0.101.250
NAS-Port = 18120
Message-Authenticator = 0x00
Cleartext-Password = "password123456"
Received Access-Reject Id 156 from 10.0.101.250:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject

Running in debug I get the following:
Mon Jan 6 16:43:53 2020 : WARNING: (0) pap: No "known good" password found for the user. Not setting Auth-Type
Mon Jan 6 16:43:53 2020 : WARNING: (0) pap: Authentication will fail unless a "known good" password is available

I tried with and without my domain behind my username, with the same results.

Seems I missed editing /etc/freeradius/users.
Now I get:
Mon Jan 6 16:58:38 2020 : Error: /etc/freeradius/3.0/mods-config/files/authorize[184]: Parse error (check) for entry DEFAULT: Unknown or invalid value "PAM" for attribute Auth-Type
Mon Jan 6 16:58:38 2020 : Error: Failed reading /etc/freeradius/3.0/mods-config/files/authorize
Mon Jan 6 16:58:38 2020 : Error: /etc/freeradius/3.0/mods-enabled/files[9]: Instantiation failed for module "files"

And I missed
/etc/freeradius/sites-enabled/default
I was getting similar messages as above.

Ah, I had to enable the pam module via

cd /etc/freeradius/3.0/mods-enabled/
ln -s ../mods-available/pam .

Now I get:

Mon Jan 6 17:14:10 2020 : ERROR: (0) pam: pam_authenticate failed: Authentication failure
Mon Jan 6 17:14:10 2020 : Debug: (0) modsingle[authenticate]: returned from pam (rlm_pam)
Mon Jan 6 17:14:10 2020 : Debug: (0) [pam] = reject
Mon Jan 6 17:14:10 2020 : Debug: (0) } # authenticate = reject
Mon Jan 6 17:14:10 2020 : Debug: (0) Failed to authenticate the user

At least now I am using pam.

I edited /etc/pam.d/radiusd to look like this:

auth requisite pam_google_authenticator.so forward_pass debug
auth required pam_unix.so use_first_pass debug

Now in /var/log/auth.log I get the following:

Jan 6 18:10:14 freeradius radiusd(pam_google_authenticator)[8642]: debug: start of google_authenticator for "jefftest"
Jan 6 18:10:14 freeradius radiusd(pam_google_authenticator)[8642]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Jan 6 18:10:14 freeradius radiusd(pam_google_authenticator)[8642]: debug: "/na/homes/jefftest/.google_authenticator" read
Jan 6 18:10:14 freeradius radiusd(pam_google_authenticator)[8642]: debug: shared secret in "/na/homes/jefftest/.google_authenticator" processed
Jan 6 18:10:14 freeradius radiusd(pam_google_authenticator)[8642]: debug: no scratch code used from "/na/homes/jefftest/.google_authenticator"
Jan 6 18:10:14 freeradius radiusd(pam_google_authenticator)[8642]: Accepted google_authenticator for jefftest
Jan 6 18:10:14 freeradius radiusd(pam_google_authenticator)[8642]: debug: "/na/homes/jefftest/.google_authenticator" written
Jan 6 18:10:14 freeradius freeradius[8642]: pam_unix(radiusd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=jefftest

The blanks seem to be what is going wrong. Any suggestions?
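
The pattern in the auth.log excerpt above (pam_google_authenticator accepts the code, then pam_unix fails for the same PID and user) can be pulled out of a larger log mechanically. This is an added example, not part of the original comment or the FreeRADIUS project; the sample lines and the verdict labels are constructed, and only the two message formats quoted above are recognised.

```python
import re

# Constructed sample, shaped like the /var/log/auth.log lines quoted in the comment above.
SAMPLE_LOG = """\
Jan 6 18:10:14 freeradius radiusd(pam_google_authenticator)[8642]: Accepted google_authenticator for jefftest
Jan 6 18:10:14 freeradius freeradius[8642]: pam_unix(radiusd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=jefftest
Jan 6 18:12:40 freeradius radiusd(pam_google_authenticator)[8642]: Accepted google_authenticator for alice
Jan 6 18:15:02 freeradius freeradius[8650]: pam_unix(radiusd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=bob
"""

# OTP stage: the module name appears in parentheses before the PID.
OTP_OK = re.compile(
    r"\(pam_google_authenticator\)\[(\d+)\]: Accepted google_authenticator for (\S+)")
# Password stage: \b keeps "ruser=" from matching as "user=".
UNIX_FAIL = re.compile(
    r"\[(\d+)\]: pam_unix\(radiusd:auth\): authentication failure;.*\buser=(\S+)")


def triage(log_text):
    """Return [(user, verdict)] in log order, pairing the two PAM stages by (pid, user)."""
    pending = {}   # (pid, user) -> index in results of an OTP accept not yet followed by a failure
    results = []
    for line in log_text.splitlines():
        m = OTP_OK.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = len(results)
            results.append((m.group(2), "otp_ok"))
            continue
        m = UNIX_FAIL.search(line)
        if not m:
            continue
        key = (m.group(1), m.group(2))
        if key in pending:
            # Second factor passed; the forwarded password was rejected by pam_unix.
            results[pending.pop(key)] = (m.group(2), "otp_ok_password_stage_failed")
        else:
            results.append((m.group(2), "password_stage_failed_no_otp_accept"))
    return results


if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_LOG):
        print(f"{user}: {verdict}")
```

An `otp_ok_password_stage_failed` verdict narrows the fault to the module that checks the forwarded password, which is the stage the commenter was debugging.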


Re: Adding Two-Factor Authentication to FreeRADIUS

To get mine working I used the following 3 lines for my /etc/pam.d/radiusd:

auth requisite pam_google_authenticator.so forward_pass debug
@include common-account
@include common-password

I verified it worked with the proper password and google auth code,
and that it failed if the password was wrong or if it had a bad google auth code.
I used

@include common-account
@include common-password

instead of the

auth required pam_unix.so use_first_pass

line that is in this document. It was continually failing for me.

Re: Adding Two-Factor Authentication to FreeRADIUS

Glad that your instance is working now! Which OS are you using? This seems to be the case in CentOS.

Re: Adding Two-Factor Authentication to FreeRADIUS

I think it is because I am using winbind with Active Directory. I am using Ubuntu 18.04 for my freeradius server.

Re: Adding Two-Factor Authentication to FreeRADIUS

Gotcha, thanks for posting your experience! I’m sure it’ll help someone in the future. Happy New Year!

Re: Damn Small Linux VM For Home Lab

Were you able to connect to other Linux boxes from DSL? I was not.
