2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Experimental purpose: when a user dials in with Cisco AnyConnect, they enter their AD account password together with a Google Authenticator dynamic code to authenticate and obtain authorization. The Cisco ASA points to FreeRADIUS for authentication, and FreeRADIUS in turn talks to AD and to google_authenticator.
I. Environment and topology
The CentOS8 host in the lab has two network cards: one is used to reach the Internet, the other sits in the firewall's inside zone. CentOS8 (CentOS7 also works) is used here to install FreeRADIUS and Google Authenticator. Windows Server 2016 hosts the AD service; the AD installation itself is not covered. Users must install the Google Authenticator app on their phones. The user dials in with AnyConnect, enters the user name, and in the password box types the AD password immediately followed by the dynamic code, which gives AD account + dynamic code two-factor authentication.
II. CentOS8 environment setup
System update
[root@centos8 ~]# yum update
Modify time zone
[root@centos8 /]# ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
Check to see if the time is correct
[root@centos8 /]# ll /etc/localtime
Disable SELinux, both temporarily (for the running system) and permanently (in the config file). The sed command below is reconstructed from the garbled original; it changes SELINUX=enforcing to SELINUX=disabled in /etc/selinux/config.
[root@centos8 ~]# setenforce 0
[root@centos8 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
View the SELinux status.
[root@centos8 ~]# getenforce
Permissive
Turn off the firewall (optional). The firewall is not turned off in this lab.
[root@centos8 ~]# systemctl stop firewalld.service
[root@centos8 ~]# systemctl disable firewalld.service
III. FreeRADIUS installation and configuration
3.1 FreeRADIUS installation
Install FreeRADIUS
[root@centos8 ~]# yum install freeradius freeradius-utils
Start the radius service
[root@centos8 ~]# systemctl enable --now radiusd.service
Open the firewall for radius
[root@centos8 ~]# firewall-cmd --add-service=radius --permanent
[root@centos8 ~]# firewall-cmd --reload
3.2 Modify the FreeRADIUS configuration files
Because FreeRADIUS must be able to read the .google_authenticator token file in every user's home directory, it has to run as root.
[root@centos8 ~]# vi /etc/raddb/radiusd.conf
    #user = radiusd
    #group = radiusd
    user = root
Uncomment pam in the default site so that radiusd uses PAM (Pluggable Authentication Modules) to load the verification module dynamically.
[root@centos8 ~]# vi /etc/raddb/sites-enabled/default
    pam
Enable the pam module; it is not enabled by default.
[root@centos8 ~]# ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam
Edit /etc/raddb/clients.conf so that radius authentication requests from the Cisco ASAv are accepted. Add the firewall's IP address and the shared secret at the end of the file; the secret must match the one configured on the ASA.
[root@centos8 ~]# vi /etc/raddb/clients.conf
    client 192.168.1.254 {
        secret = cisco
        shortname = CiscoASA
        nastype = cisco
    }
3.3 Testing the FreeRADIUS service
Create a new user group. If you need to deny a user access, add the user to this group.
[root@centos8 ~]# groupadd radius-disabled
Edit /etc/raddb/users and add the newly created "radius-disabled" group to the deny-users section.
[root@centos8 ~]# vi /etc/raddb/users
    #DEFAULT Group == "disabled", Auth-Type := Reject
    #        Reply-Message = "Your account has been disabled."
    DEFAULT Group == "radius-disabled", Auth-Type := Reject
            Reply-Message = "Your account has been disabled."
    DEFAULT Auth-Type := PAM
Create a new local account on CentOS to test the radius service.
[root@centos8 ~]# useradd radlocal
[root@centos8 ~]# passwd radlocal
Changing password for user radlocal.
New password: radpassword
Retype new password: radpassword
passwd: all authentication tokens updated successfully.
Start radius in debug mode, which is very useful.
If authentication fails, you can locate the cause from the debug messages.
[root@centos8 ~]# radiusd -X
Open a new window and test whether radius authentication of the local account passes. "Received Access-Accept" indicates that authentication succeeded.
[root@centos8 ~]# radtest radlocal radpassword localhost 18120 testing123
Sent Access-Request Id 9 from 0.0.0.0:41546 to 127.0.0.1:1812 length 78
    User-Name = "radlocal"
    User-Password = "radpassword"
    NAS-IP-Address = 172.20.29.110
    NAS-Port = 18120
    Message-Authenticator = 0x00
    Cleartext-Password = "radpassword"
Received Access-Accept Id 9 from 127.0.0.1:1812 to 127.0.0.1:41546 length 20
The output shown in the radiusd -X window is given below for reference.
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on proxy address * port 43164
Listening on proxy address :: port 40551
Ready to process requests
(0) Received Access-Request Id 9 from 127.0.0.1:41546 to 127.0.0.1:1812 length 78
(0)   User-Name = "radlocal"
(0)   User-Password = "radpassword"
(0)   NAS-IP-Address = 172.20.29.110
(0)   NAS-Port = 18120
(0)   Message-Authenticator = 0xeba37c10c860860bd3dcc7bff2c5edf0
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0)     suffix: Checking for suffix after "@"
(0)     suffix: No '@' in User-Name = "radlocal", looking up realm NULL
(0)     suffix: No such realm "NULL"
(0)     [suffix] = noop
(0)     eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0)     files: users: Matched entry DEFAULT at line 69
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0)     pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = pam
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
(0) pam: Using pamauth string "radiusd" for pam.conf lookup
(0) pam: Authentication succeeded
(0)     [pam] = ok
(0)   } # authenticate = ok
(0) # Executing section post-auth from file /etc/raddb/sites-enabled/default
(0)   post-auth {
(0)     update {
(0)       No attributes updated
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 9 from 127.0.0.1:1812 to 127.0.0.1:41546 length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 9 with timestamp +50
Ready to process requests
IV. SSSD installation and configuration
AD has already been installed and configured; some of its configuration is given here. The domain created is python.com. The AD DNS must be able to resolve public Internet names, otherwise yum can no longer install software once the CentOS host's DNS is pointed at AD.
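Before moving to the AD side, the following added example (not from the original article, and not FreeRADIUS or pam_google_authenticator code) models the step the introduction and section 3.3 describe: the user types the AD password immediately followed by the dynamic code into one AnyConnect password box, and the server must split that string and check both factors. In the real deployment the AD password is verified by PAM/SSSD and the code by pam_google_authenticator; here the TOTP part is reimplemented in plain Python (RFC 6238: HMAC-SHA1, 30-second step, 6 digits, the Google Authenticator defaults) so it can be run offline. The user table, the base32 secret (the RFC 6238 test key) and the timestamps are constructed for the demonstration; the no-code-reuse rule mirrors what pam_google_authenticator enforces.

```python
"""Added example: splitting 'ADpassword + TOTP code' and verifying both factors.

Not the article's or any project's code. The TOTP implementation follows
RFC 6238 (HMAC-SHA1, 30 s step, 6 digits); the user table below is a
constructed stand-in for AD plus the per-user .google_authenticator secret.
"""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # Google Authenticator default time step
DIGITS = 6          # Google Authenticator default code length
WINDOW = 1          # accept one time step of clock skew either side


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    The secret is base32, as shown in the app and in .google_authenticator."""
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    return hotp(key, unix_time // step)


def split_password_and_code(combined: str, digits: int = DIGITS):
    """Split 'ADpassword123456' into ('ADpassword', '123456').
    Returns None when the tail is not a code so the caller can reject cleanly."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def make_user_db():
    """Constructed stand-in for AD (password) plus the per-user TOTP secret.
    The secret is the RFC 6238 test key in base32; last_counter implements the
    'a code may be used only once' rule (the pam_google_authenticator behaviour)."""
    return {
        "radlocal": {
            "password": "radpassword",
            "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
            "last_counter": -1,
        }
    }


def authenticate(username: str, combined: str, users: dict, now: int):
    """Return (accepted, reason). Both factors use constant-time comparison and a
    wrong password does not reveal whether the code alone would have been right."""
    user = users.get(username)
    if user is None:
        return False, "unknown user"
    parts = split_password_and_code(combined)
    if parts is None:
        return False, "no dynamic code appended"
    password, code = parts
    password_ok = hmac.compare_digest(password.encode(), user["password"].encode())

    key = base64.b32decode(user["totp_secret"])
    counter = now // STEP_SECONDS
    matched = None
    for c in range(counter - WINDOW, counter + WINDOW + 1):   # tolerate skew
        if hmac.compare_digest(hotp(key, c), code):
            matched = c
    if not (password_ok and matched is not None):
        return False, "bad password or code"
    if matched <= user["last_counter"]:          # replay of a used (or older) code
        return False, "code already used"
    user["last_counter"] = matched
    return True, "accepted"


if __name__ == "__main__":
    users = make_user_db()
    t = 59  # RFC 6238 test time: the 6-digit code at this instant is 287082
    code = totp(users["radlocal"]["totp_secret"], t)
    print("code at t=59:", code)
    print(authenticate("radlocal", "radpassword" + code, users, t))  # accepted
    print(authenticate("radlocal", "radpassword" + code, users, t))  # replay refused
```

The WINDOW of one step is why a code generated in the last seconds of a 30-second slot is still accepted a moment later, and why the phone's clock must be roughly in sync with the server. The replay check is state the server must keep per user, which is exactly why FreeRADIUS in this setup has to read and write each user's .google_authenticator file and therefore runs as root.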