06-14-2012 09:55 AM
We are looking at a couple of 2 factor authentication methods for our Aruba VPN and I started to look at setting up Freeradius with google-authenticator PAM module.
I've gotten it to work, but I can only seem to get it to work with PAP and not with CHAP or MSCHAPv2.
I'm guessing that this is because Freeradius needs to send the password 'unencrypted' to the PAM modules, since the google-authenticator module will run first, stripping off the OTP at the end of the password.
I followed this guide to get it working:
On our side our Linux server uses Quest VAS to do backend LDAP authentication, so the only modification I needed to make was to my /etc/pam.d/radiusd config and put in:
#%PAM-1.0
auth requisite pam_google_authenticator.so forward_pass
auth requisite pam_vas3.so create_homedir get_nonvas_pass store_creds use_first_pass
account sufficient pam_vas3.so
account requisite pam_vas3.so echo_return
I've tried to follow some guides on getting CHAP to work but my authentication always fails. Anyone have any ideas on how I can get CHAP/MSCHAPv2 to work with PAM modules?
06-14-2012 10:58 AM
Backend authentication mechanism is subject to the limitations defined in this table:
What you are trying to achieve is similar to RSA SecurID token integration to authenticate users on the WLAN.
To my knowledge, this can only be achieved using Cisco's flavor of PEAPv1/GTK or Funk software (Juniper) EAP-TTLS.
You cannot do this with Microsoft flavor PEAPv0/MsCHAPv2 unless you store your passwords in clear text format.
Paul Gallant, Eng.
06-15-2012 07:07 AM
Paul, I did get it to work but it only works with PAP.
I'm wondering if there is any way I can get RADIUS to send back a challenge after a first password login, but I'm not sure that'll work. For example, you could authenticate with your PIN+OTP and then get prompted for your AD LDAP credentials, which would be checked via the LDAP module in RADIUS.
My big challenge with this is that I need to support all platforms (Windows, Mac, iOS, Android, etc.) and comply with PCI, but I don't like the fact that it uses PAP because passwords are sent in clear text.
BTW, I did some more testing with my PAM modules and this is all I need for VAS:
#%PAM-1.0
auth requisite pam_google_authenticator.so forward_pass
auth requisite pam_vas3.so create_homedir get_nonvas_pass store_creds use_first_pass
account sufficient pam_vas3.so
If you want to do it with local *nix accounts use:
#%PAM-1.0
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
When you authenticate, you have to enter <password><google token>.
Let me know if you try it and run into any issues, I got it running on 2 servers already.
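An added example (not code from this thread, FreeRADIUS or pam_google_authenticator) of what the PAP path above does: the server receives the plaintext, strips the trailing token the way forward_pass does, checks it as an RFC 6238 TOTP, and hands the remainder to the password check. A CHAP (RFC 1994) verifier is included to show Paul's point: a challenge-response can only be checked by a server that already holds the cleartext password and computes the OTP itself, so there is no client-supplied plaintext to forward to a PAM stack. The function names, the "hunter2" password and the base32 secret (the RFC 4226/6238 test key) are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct

OTP_DIGITS = 6
TOTP_STEP = 30  # seconds; google-authenticator default


def totp(secret_b32: str, t: int, digits: int = OTP_DIGITS, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for unix time t."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_forward_pass(combined: str):
    """Mimic forward_pass: trailing OTP_DIGITS digits are the token, the rest is the password for the next module."""
    if len(combined) <= OTP_DIGITS or not combined[-OTP_DIGITS:].isdigit():
        return None, None
    return combined[:-OTP_DIGITS], combined[-OTP_DIGITS:]


def verify_pap(combined: str, secret_b32: str, stored_password: str, t: int, window: int = 1) -> bool:
    """PAP path: plaintext arrives, OTP is checked (with +/- window steps of clock skew), then the password."""
    password, otp = split_forward_pass(combined)
    if password is None:
        return False
    candidates = [totp(secret_b32, t + k * TOTP_STEP) for k in range(-window, window + 1)]
    if not any(hmac.compare_digest(otp, c) for c in candidates):
        return False
    return hmac.compare_digest(password, stored_password)  # stand-in for pam_unix / pam_vas3


def chap_response(chap_id: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(id || secret || challenge); the plaintext never leaves the client."""
    return hashlib.md5(bytes([chap_id]) + secret.encode() + challenge).digest()


def verify_chap(chap_id: int, challenge: bytes, response: bytes, secret_b32: str,
                stored_password: str, t: int, window: int = 1) -> bool:
    """CHAP path: only checkable by recomputing MD5 over cleartext password + every acceptable OTP."""
    for k in range(-window, window + 1):
        expected = chap_response(chap_id, stored_password + totp(secret_b32, t + k * TOTP_STEP), challenge)
        if hmac.compare_digest(expected, response):
            return True
    return False
```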
06-15-2012 11:28 AM
Ok, you got it working with PAP but which EAP method did you use? PEAPv0, PEAPv1 or EAP-TTLS?
Are you using an EAP mechanism from which the WPA2 session key can be derived?
Is your backend user database required to store passwords in plain text format, or were you able to get it working with NTHash or SSHA?
To answer your question regarding the 2 authentication layers: I'm not aware of the existence of a Wireless LAN client that supports 2 authentication challenges. The only 2-authentication-layer setup I tried was based on Microsoft Windows clients performing PEAPv0/MsCHAPv2 using both user AND machine authentication on a Cisco WLAN, and it failed. The EAPoL layer can carry only one authentication challenge at a time over the Wireless LAN. Aruba does have a solution to address this combined user AND machine authentication. However, this is Microsoft specific and based on AD integration.
In regards to PCI compliance, I found the following architecture very simple and effective with regards to PCI-DSS compliance:
1- Use VDI (Virtual Desktop) with public visibility - PCI audits will be done in data center only environment
2- Use IOA (Internet Only Access) in all branch offices - NO WAN
3- Consider branch offices like home offices and provide WPA2-PSK with keys changing every 3 months for Wireless LAN access in branch offices (you can simplify the rollout of a new key using QR codes)
4- Flexible solution that works for any kind of device (iPhone, Android, Windows, iPad, Mac OS X, Linux, ...), compatible with all Wireless LAN clients and with low roaming latency.
5- VoIP Architecture is kept outside of the VDI with native SIP Client (I'm currently working on SIPS/SRTP public gateway)
06-15-2012 11:38 AM
As I mentioned in my first message, this is for Aruba VPN and not for wireless, as we are trying to secure remote access. For our campus wireless we use WPA2-Enterprise and role-based derivation with NAT translations for specific groups to get to their servers etc.
So I'm testing now both the Windows 7 VPN client and the Cisco VPN client (not AnyConnect) and they both connect with the password being encrypted (it seems).
From the packet sniffs I did, they establish an IPsec session with a key exchange, then pass credentials (encrypted), and then establish the L2TP on top of the IPsec.
However, when I run my FreeRADIUS server in debug mode (radiusd -X) I see the passwords arriving in the clear on my console, as these are then passed to the PAM modules. This is why I was thinking that the password sent over the wire from the VPN client to the Aruba VPN server was sent in clear text, but this does not seem to be the case.
So this is why I was wondering if this could pass PCI compliance having remote users send their AD passwords with PAP over an IPSEC/L2TP connection.
10-01-2012 11:04 AM - edited 10-01-2012 11:05 AM
I started a little hack here that does 2-factor in RADIUS with AD and Google Authenticator, with a self-service portal. It is a 2-day ugly hack but it works. (ONLY PAP for now. Will look at the inner tunnel and EAP-TTLS, if that works?)
11-11-2014 09:12 AM
You guys might want to check out this basic guide on how to use Google two-factor authentication with the FreeRADIUS server: