[Labs] Using Identity Platform as a RADIUS Client to support MFA with OTP tokens (e.g. SecurID, etc)

Background

With the 16.8 monthly release of Centrify Identity Service and Privilege Service, Centrify is adding the ability for the Identity  Platform to act as a RADIUS client.  This will open the opportunity for CIS and CPS users to have authentication profiles for MFA products that support RADIUS (e.g. RSA, Symantec, CA, Vasco, etc).

This lab will allow you to set up a Linux server to act as your AD-integrated OTP+RADIUS server.  Then we'll configure CIS/CPS to act as a RADIUS client and support it as an additional MFA option.

Disclaimers

• This is a lab entry.  Production designs require planning for people, process and technology.
• RSA SecurID, Symantec VIP, Vasco, YubiKey, Google Authenticator, FreeRADIUS and CentOS are registered trademarks of their respective owners.

Lab Design
 The proposed lab looks as follows:

As you can see, we're using the following components:

• Identity Service or Privilege Service (can be the on-premises version of CPS too)
• Cloud connector:  enabled for AD Bridging and RADIUS client
• Centos 6.x System:  this system acts as
  • RADIUS Server > FreeRADIUS configured for PAM
  • Google Authenticator PAM Module > will provide OTP codes for enrolled users
  • Centrify DirectControl > Provides AD integration and NSS/PAM based identification/authentication
• Active Directory:  Provides infrastructure identity services (directory, authentication, policy)

Implementation
In this lab we will not cover the setup of an identity service instance and cloud connector.  Some resources:

• Getting Started with Centrify Identity Service (Microsite)
• Identity Service Support FAQ
• Centrify Support's YouTube Channel
• Identity Service Documentation

 What you'll need:

• A CentOS 6.x system configured in the same subnet as the Cloud Connector or with TCP 1812 connectivity.
• Working knowledge of Identity Service or Privilege Service
• Familiarity with Pluggable Authentication Modules (PAM)
• Basic DirectControl knowledge (install, join AD)
• An OATH OTP client (Google authenticator, Yubico authenticator, etc)

This lab starts assuming that you can log in to your Identity Service or Privilege Service instance with a user with the System Administrator right.


RADIUS+OTP Server Setup
Configuration Overview

1. Adding the EPEL repo to be able to install Google Authenticator
2. Install Google Authenticator
3. Install FreeRADIUS and related tools
4. Configure FreeRADIUS for PAM
5. Install Centrify DirectControl and join Active Directory
6. Enroll users for Google Authenticator OTP
7. Test your configuration with the command line
8. Configure Identity Service/Privilege Service as a RADIUS client

Adding the EPEL repo for Centos 6.x 

$ wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
$ sudo yum install epel-release-latest-6.noarch.rpm -y
[truncated]
Installed:
  epel-release.noarch 0:6-8

 Installing Google Authenticator

$ sudo yum install google-authenticator -y
[truncated]
Installed:
  google-authenticator.x86_64 0:0-0.3.20110830.hgd525a9bab875.el6

 Install FreeRADIUS and Tools

$ sudo yum install freeradius freeradius-utils -y
[truncated]
Installed:
  freeradius.x86_64 0:2.2.6-6.el6_7   freeradius-utils.x86_64 0:2.2.6-6.el6_7

Dependency Installed:
  perl-DBI.x86_64 0:1.609-4.el6

Configuring FreeRADIUS for PAM
a) User and Group for the Radius Daemon
To  allow the radiusd daemon to traverse the filesystem to read the Google Authenticator config files on each user's home directory, you have to change the user/group in the configuration file.  This may be undesirable in a production environment.
Edit the  /etc/raddb/radiusd.conf and find:

user = radiusd
group = radiusd

Change to

user = root
group = root

and save the file.

b) Enable PAM for the Default Site
Edit the  /etc/raddb/sites-enabled/default  and find:

        #  Pluggable Authentication Modules.
#       pam

uncomment the PAM module and save.

        pam

c) Configure Users for PAM
Edit the  and find

#DEFAULT        Group == "disabled", Auth-Type := Reject
#               Reply-Message = "Your account has been disabled."

uncomment and add the line as follows:

DEFAULT Group == "disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM

 Tip:  To check your work so far

1. In one session window, run the radius daemon in verbose mode
   

   $ sudo radiusd -X
   [truncated]
   Ready to process requests.

   If there are any issues with the current configuration, you can verify it with the output.
2. Open another session and create a new user
   

   $ sudo useradd testing
   $ sudo passwd testing
   New password:
   BAD PASSWORD: it is based on a dictionary word
   Retype new password:
   passwd: all authentication tokens updated successfully.
   

   Now you have a user to test your RADIUS server via PAM.
3. In that same session, use the radtest utility with the client set for the localhost client.
   

    radtest testing Mysecret123! localhost 0  testing123       Sending Access-Request of id 204 to 127.0.0.1 port 1812
           User-Name = "testing"
           User-Password = "Secret123!"
           NAS-IP-Address = 192.168.81.34
           NAS-Port = 0
           Message-Authenticator = 0x00000000000000000000000000000000
   rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=204, length=20
   

   On the first window, you'll see the verbose output somewhat like this:
   

   rad_recv: Access-Request packet from host 127.0.0.1 port 53367, id=204, length=77
           User-Name = "testing"
           User-Password = "Mysecret123!"
           NAS-IP-Address = 192.168.81.34
           NAS-Port = 0
           Message-Authenticator = 0x8c11ad4b5c1dbd597764716d95d3d9e3
   # Executing section authorize from file /etc/raddb/sites-enabled/default
   [truncated]
   Sending Access-Accept of id 204 to 127.0.0.1 port 53367
   

   This verifies that things are set up correctly so far.  Cancel radiusd debug (CTRL+C)

Install Centrify DirectControl and Join AD
We'll use the Centrify Repo and join AD in Workstation mode.

$ sudo yum install CentrifyDC -y
[truncated]
Installed:
  CentrifyDC.x86_64 0:5.3.1-398
$ sudo adjoin -w -u [user.name] domain.name
user.name@DOMAIN.NAME's password:
Using domain controller: dc.centrify.vms writable=true
Join to domain:centrify.vms, zone:Auto Zone successful

Centrify DirectControl started.

At this point, if you want another sanity check, you can repeat the same debugging but with an AD user credential.

Configure the Radius PAM directives for Google Authenticator
Edit the /etc/pam.d/radiusd perform two modifications.
Add  this line on the top of the file auth required pam_google_authenticator.so and comment the auth module.
Here what we'll achieve is to provide the Google Authenticator code as our one-time password via RADIUS.  Other combinations of PAM modules can achieve a Password+Code. 
The final result should look like this:

#%PAM-1.0
auth       required     pam_google_authenticator.so

#auth       include     password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth

This configuration challenges for the OTP code only and ignores the password.

Enroll an AD user with Google Authenticator

1. Log in with a test AD user to your Linux system
2. Run the google authenticator setup (google-authenticator)
   

   Last login: Thu Aug  4 06:22:50 2016 from 192.168.81.11
   $ google-authenticator
   https://www.google.com/[truncated]  <= copy this URL and paste it on your browser
   Your new secret key is: ETIQLTKPBQV4TVLH
   Your verification code is 2647620
   Your emergency scratch codes are:
     08703664
   [truncated]
   

   Follow the prompts until you complete setup.
3. Paste the URL in a web browser and use your Authenticator QR Capture function to capture the code.
   Alternatively you can add the code manually.
4. Repeat this process for all your test users.

Verify RADIUS functionality with OTP

1. In a session, open Radiusd in verbose mode.  [sudo radiusd -X]
2. In another browser, test the authentication with the code from the OATH OTP authenticator.
   radtest [username] [oath otp code] localhost 0 [pharaphrase]
   In my environment it looks like this:
   

You have verified functionality.

Set up the Cloud Connector as a RADIUS Client
On the FreeRADIUS Server you have to set up the connector as a client.

1. If you haven't done so, close the radiusd debugger.
2. Edit the following file  /etc/raddb/clients.conf go to the end and add:
   

   client member2.centrify.vms {
           secret          = [Insert Complex String Here]
           shortname       = [Friendly Name]
   }
   

   Notes:
   - You can use the IP address or FQDN of your RADIUS-enabled connector
   - You must choose a decent complex string as your secret and save it for the next section.
3. Save the file.

Note:  In some Linux systems/versions you may need to set SELinux to permissive.  This is to allow radiusd to interact with PAM.

Centrify Identity Service or Privilege Service Setup
Overview

1. Configure the RADIUS Server
2. Configure Connector for RADIUS
3. Enable RADIUS in your Policy
4. Enable 3rd Party RADIUS in your Authentication Profile(s)
5. Verify Functionality
6. Modify RADIUS service startup

To configure the RADIUS Server
Go to Cloud Manager > Settings > Authentication > Radius Connections > Servers Tab and press Add
Name: A descriptive name (e.g. SecurID PIN+Code)
Description: Optional
Server IP Address:  The IP address of your server
Port:  Change if not default (1812)
Server Secret:  Must match the secret you set up in the previous step.


Configuring a Connector for RADIUS
You need at least one connector enabled for RADIUS that can reach the RADIUS server.
Go to Cloud Manager > Settings > Network > Cloud Connectors > [connector] > RADIUS > and Check
"Enable connections to external RADIUS servers" 

Also make sure that the RADIUS Client service is enabled.

Enable RADIUS in your User Authentication Policy
Go to Cloud Manager > Policies > [click on the policy that applies to the user(s)] > Expand User Security Policies and Click RADIUS.  Set "Allow 3rd Party RADIUS" to Yes and Save.


Enable 3rd Party RADIUS in any corresponding Authentication Profiles
Cloud Manager > Settings> Authentication Profiles > [click profile that you want to enable] and check
"3rd Party RADIUS Authentication" and press OK.  Repeat with other profiles if needed.


Verify Functionality

1. Launch radiusd in debug mode (sudo radiusd -X) on your Linux system.
2. Trigger a Step-up protected event in CIS/CPS  (private login, secure access, password checkout)
   
   Monitor the debug log for any errors.  If everything goes as expected, keep testing with other users.

Tidy-up:  Set up the Radius Service for Automatic Startup

$ sudo chkconfig radiusd on
$ sudo service radiusd start

Quick Video