KB ID 0001256
Problem
This was asked as a question on Experts Exchange this week, and it got my interest. A quick search turned up a bunch of posts that said, yes this is possible, and you deploy it with FreeRADIUS and it works great. The problem was, a lot of the information is a little out of date, and some of it is ‘wrong enough’ to make the non-technical types give up. But I persevered, and got it to work.
Disclaimer: This is not an exercise in deploying AnyConnect, I’ve got that covered to death all over the website, use the search function above, or simply go to the following article;
Cisco ASA 5500 AnyConnect Setup From Command Line
So before proceeding I’ll assume you have AnyConnect setup, and you can connect with a local username.
Disclaimer 2: Please don’t email me with questions like, “Can I take this and integrate it with Active Directory, eDirectory” etc. Or “I’m trying to get this to work with ‘insert name of some Linux distro” and I’m getting an error.
Prerequisite: You will need to have the Google-Authenticator app on a device, (probably an IOS or Android phone), and have that running, and ready to accept a new identity/account.
Solution
Setup FreeRADIUS
I’m not a Linux guru, I just downloaded the latest version of Ubuntu Server (16.04.1 at time of writing). and deployed it as an ESX host.
Non Linux Types Note: A lot of the commands below require you to either be logged on as root, or ‘su‘ to root, (if that’s not an option, you will need to prefix the commands with ‘sudo‘.
Ubuntu Enable Root Account: I quickly learned that these days the root account is disabled, (for sensible reasons). However because of the way FreeRADIUS works, it needs to run under the root account.
[box]
sudo passwd root
ENTER AND CONFIRM PASSWORD
sudo passwd -u root
[/box]
Ubuntu: Install Prerequisites: We need to get all current updates, then install NTP, (because the authenticator keys are time specific). Then there are some tools that we will need to install the Google Authenticator software.
[box]
apt-get update apt-get install autotools-dev apt-get install autoconf apt-get install libtool apt-get install ntp apt-get install build-essential libpam0g-dev freeradius git libqrencode3
[/box]
Install Google Authenticator: This is quite cool, (if like me you don’t do a lot of Linux). We need to connect to a folder on a web server, then move into that ‘Directory’ and install the software.
[box]
cd ~ git clone https://github.com/google/google-authenticator.git cd google-authenticator/libpam/ ./bootstrap.sh ./configure make make install
[/box]
Configuring FreeRADIUS and Google-Authenticator
Ubuntu has nano installed by default thats what I’m going to use, if you’re a sandal wearing ‘vi’ user, then feel free to use that instead.
First we are going to change FreeRADIUS, so it runs under the ‘root’ account.
[box]nano /etc/freeradius/radiusd.conf[/box]
At the bottom of the file, change the user and group from freerad to root, save the file and exit.
Like so:
Next we are going to create a group called radius-disabled, then if you need to deny a user access, you can simply make them a member of this group.
[box]addgroup radius-disabled[/box]
Then configure FreeRADIUS to reject members of that group.
[box]nano /etc/freeradius/users[/box]
Locate the lines indicated below;
Change and un-comment them, to add the following text;
[box]
DEFAULT Group == "radius-disabled", Auth-Type := Reject Reply-Message = "Your account has been disabled." DEFAULT Auth-Type := PAM
[/box]
So it looks like below, then save and exit the file;
Enable Pluggable Authentication Mode (PAM): Edit the following file;
[box]nano /etc/freeradius/sites-enabled/default[/box]
Locate the line with ‘pam’ in it and uncomment it (remove the hash/pound sign), like so
Before;
After;
Exit and save the changes.
Configure FreeRADIUS to use Google Authenticator: Edit the following file;
[box]nano /etc/pam.d/radiusd[/box]
Locate all the lines that start with an ‘@’ symbol and comment them out, (prefix them with a “#”), then paste the following text onto the end of the file;
[box]
auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass auth required pam_unix.so use_first_pass
[/box]
Before;
After;
Testing Google-Authenticator and FreeRADIUS
The easiest way to do this is setup a test user, then create a password for them, then assign a Google-Authenticator Code to that user, on your Linux server;
[box]
adduser tommytester ENTER AND CONFIRM PASSWORD su tommytester ENTER THE PASSWORD google-authenticator
[/box]
Now you can either scan the QR code into the Google Authenticator app on your phone, or type in the ‘secret-key‘.
Once done, you should be looking at a 6 digit number, that changes every 30 seconds;
Test Authentication on the FreeRADIUS Server first! To do that issue the following command;
[box]radtest tommytester password456743 localhost 18120 testing123[/box]
Note: the password for tommytester is ‘password‘ and the 6 digit code is added to the end of it, the testing123 value is set within FreeRadius in the /etc/freeradius/clients.conf file.
Successful Authentication
[box]
tommytester@RADIUS-HOST:/home/petelong$ radtest tommytester password302971 localhost 18120 testing123 Sending Access-Request of id 165 to 127.0.0.1 port 1812 User-Name = "tommytester" User-Password = "password302971" NAS-IP-Address = 192.168.110.85 NAS-Port = 18120 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=165, length=20 tommytester@RADIUS-HOST:/home/petelong$
[/box]
Unsuccessful Authentication
[box]
tommytester@RADIUS-HOST:/home/petelong$ radtest tommytester password302973 localhost 18120 testing123 Sending Access-Request of id 36 to 127.0.0.1 port 1812 User-Name = "tommytester" User-Password = "password302973" NAS-IP-Address = 192.168.110.85 NAS-Port = 18120 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=36, length=20 tommytester@RADIUS-HOST:/home/petelong$
[/box]
Troubleshooting: If there’s a problem, make sure that the time on the FreeRADIUS server is correct, (is NTP getting blocked at the firewall?) Then what I do is, SSH into the server from another session, and enable debugging, then back at the console test authentication again, then you can see the debugging output on the other screen, which will point you in the right direction.
To enable debugging;
[box]
service freeradius stop freeradius -XXX
[/box]
Add the Cisco ASA Firewall as a RADIUS Client: You need to add the firewall as a ‘client’ before it can authenticate. Edit the following file;
[box]nano /etc/freeradius/clients.conf[/box]
Add the following test to the end of the file, (cisco123 is the shared secret we will enter on the ASA later);
[box]
client 192.168.110.1 { secret = cisco123 shortname = CiscoASA nastype = cisco }
[/box]
Configure Cisco ASA for FreeRADIUS Authentication
On the ASA you create an AAA group, set its authentication type to RADIUS, then add the FreeRADIUS server as a host, specify the secret key you used above. REMEMBER you need to specify the ports or authentication will fail, (you get a no response error).
[box]
aaa-server PNL-RADIUS protocol radius aaa-server PNL-RADIUS (inside) host 192.168.110.85 authentication-port 1812 accounting-port 1813 key cisco123 radius-common-pw cisco123 exit
[/box]
The ASA also need to have the correct time for authentication to work, I’ve covered that elsewhere, run through the following article;
Cisco ASA – Configuring for NTP
Change AnyConnect AAA Authentication Method: With nothing set, your AnyConnect is probably using its LOCAL database of usernames and passwords, we now need to change it to use the RADIUS host we just setup. You do that in the AnyConnect’s ‘tunnel-group general-attribures’ section. Issue a show run tun command, to see the tunnel groups listed.
[box]
Petes-ASA# show run tun
tunnel-group ANYCONNECT-PROFILE type remote-access
tunnel-group ANYCONNECT-PROFILE general-attributes
address-pool ANYCONNECT-POOL
default-group-policy GroupPolicy_ANYCONNECT-PROFILE
tunnel-group ANYCONNECT-PROFILE webvpn-attributes
group-alias ANYCONNECT-PROFILE enable
[/box]
Then add your RADIUS GROUP as the authentication server.
[box]
Petes-ASA# tunnel-group ANYCONNECT-PROFILE general-attributes Petes-ASA(config-tunnel-general)# authentication-server-group PNL-RADIUS
[/box]
Test RADIUS Authentication on the Cisco ASA First: I’ve covered this in the past see the following article;
Cisco – Testing AAA Authentication (Cisco ASA and IOS)
Remember that the password will be the user password, followed by the 6 digit number displayed on the authenticator.
[box]
Petes-ASA# test aaa-server authentication PNL-RADIUS host 192.168.110.85 username tommytester password password125689
INFO: Attempting Authentication test to IP address <192.168.110.85> (timeout: 12 seconds)
INFO: Authentication Successful
Petes-ASA#
[/box]
Or. if you prefer to use the ASDM;
Finally you can test authentication from your remote AnyConnect client.
Related Articles, References, Credits, or External Links
NA
Hi,
What Linux distro are you using (Linux is not really my strongest subject 🙂
P
look easy enough with your detailed instructions.
thanks!
John
looks great! I will try this. 🙂
What if you needed to create a VPN user that was required to NOT have 2 factor authentication?
Create another connection profile that uses another aaa method.
Pete
Thanks for this write-up, it’s most helpful. I’ve run through it on a couple of Mint VMs for test environments now, one worked fine but the other reported it couldn’t find aclocal when running the bootstrap.sh. The resolution for this was to install the automake package as well.
ThanQ
Hello, thanks for the post.
I did this step “git clone https://github.com/google/google-authenticator.git” and tried to get in libpam directory. But there is no such directory and when I open github there is not as well.
looks like an issue on GitHub https://github.com/arcanericky/ga-cmd/issues/12
On github the project is also changed do you have to use:
git clone https://github.com/google/google-authenticator-libpam
Cheers Erik!
which version of anyconnect client you use?
This was done with v4 I think.
Thanks for this great post. I configured to use FreeRadius + MS Active Directory + Google Authenticator to authenticate the VPN users. My question is, is there a good way to let user to generate the QR code themselves? Like go to a link and generate by clicking on the URL. currently I had to ask users to login to FreeRadius server using the command line to generate the codes. Any suggestions? thanks.
yayali
Could you post the step that you did to get it to work with AD
Hi- could you please share the steps for free radius+ google Auth+ AD integration pls for vpn users.
instead of doing git clone to get google-authenticator, it is available as an ubuntu package:
apt-get install freeradius libpam-google-authenticator
and then in /etc/pam.d/radiusd, comment out the existing include’s and set:
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
If you use pbis/likewise lwsmd for AD authentication, change the last line in /etc/pam.d/radiusd to:
auth required pam_lsass.so use_first_pass
When testing AD accounts using radtest, specify the username as domain\\username. If your password has an exclamation point in it, surround the entire password with single quotes.
Am using cisco router instead of ASA firewall for cisco anyconnect, what configuration should I should use on router?
Sorry Richard, I’ve never done it and I don’t have one to work it out for you. 🙁
P
144/5000
Hi Peter,
Thank you for this great documentation.
Do you know whether you can also assign fixed IP addresses to the user?
Best wishes
Daniel
Not that I’m aware of.
P
This setting is inside ASA configuration. I don’t remember the exact place.
If you are using Authentication via LDAP you can use LDAP map to set this in an LDAP attibute.
Any one else ave trouble with: apt-get install build-essential libpam0g-dev freeradius git libqrencode3
root@ancs-ubu:/# sudo apt-get install build-essential libpam0g-dev freeradius git libqrencode3
Reading package lists… Done
Building dependency tree
Reading state information… Done
E: Unable to locate package libqrencode3
Use sudo apt-get install build-essential libpam0g-dev freeradius git libqrencode4
I figured out the issue. The 3 should now be a 4
sudo apt-get install build-essential libpam0g-dev freeradius git libqrencode4
We already have winows Radius. Can you create a doc with those steps 🙂
https://www.petenetlive.com/KB/Article/0001474
And connect to 2fa with windows NPS
Solved…Path has changed… /etc/freeradius/3.0/radiusd.conf
I am unable to locate the libqrencode3 package. Who else faced this issue?