With the 16.8 monthly release of Centrify Identity Service and Privilege Service, Centrify is adding the ability for the Identity Platform to act as a RADIUS client. This will open the opportunity for CIS and CPS users to have authentication profiles for MFA products that support RADIUS (e.g. RSA, Symantec, CA, Vasco, etc).
This lab will allow you to set up a Linux server to act as your AD-integrated OTP+RADIUS server. Then we'll configure CIS/CPS to act as a RADIUS client and support it as an additional MFA option.
Disclaimers
- This is a lab entry. Production designs require planning for people, process and technology.
- RSA SecurID, Symantec VIP, Vasco, YubiKey, Google Authenticator, FreeRADIUS and CentOS are registered trademarks of their respective owners.
Lab Design
The proposed lab looks as follows:
As you can see, we're using the following components:
- Identity Service or Privilege Service (can be the on-premises version of CPS too)
- Cloud connector: enabled for AD Bridging and RADIUS client
- Centos 6.x System: this system acts as
- RADIUS Server > FreeRADIUS configured for PAM
- Google Authenticator PAM Module > will provide OTP codes for enrolled users
- Centrify DirectControl > Provides AD integration and NSS/PAM based identification/authentication
- Active Directory: Provides infrastructure identity services (directory, authentication, policy)
In this lab we will not cover the setup of an identity service instance and cloud connector. Some resources:
- Getting Started with Centrify Identity Service (Microsite)
- Identity Service Support FAQ
- Centrify Support's YouTube Channel
- Identity Service Documentation
- A CentOS 6.x system configured in the same subnet as the Cloud Connector or with TCP 1812 connectivity.
- Working knowledge of Identity Service or Privilege Service
- Familiarity with Pluggable Authentication Modules (PAM)
- Basic DirectControl knowledge (install, join AD)
- An OATH OTP client (Google authenticator, Yubico authenticator, etc)
RADIUS+OTP Server Setup
Configuration Overview
- Adding the EPEL repo to be able to install Google Authenticator
- Install Google Authenticator
- Install FreeRADIUS and related tools
- Configure FreeRADIUS for PAM
- Install Centrify DirectControl and join Active Directory
- Enroll users for Google Authenticator OTP
- Test your configuration with the command line
- Configure Identity Service/Privilege Service as a RADIUS client
Adding the EPEL repo for Centos 6.x
$ wget https://dl.fedoraproject.org/pub/epel/epel-releaseInstalling Google Authenticator-latest-6.noarch.rpm $ sudo yum install epel-release-latest-6.noarch.rpm -y [truncated] Installed: epel-release.noarch 0:6-8
$ sudo yum install google-authenticator -y [truncated] Installed: google-authenticator.x86_64 0:0-0.3.20110830.hgd525a9bab875.el6Install FreeRADIUS and Tools
$ sudo yum install freeradius freeradius-utils -y [truncated] Installed: freeradius.x86_64 0:2.2.6-6.el6_7 freeradius-utils.x86_64 0:2.2.6-6.el6_7 Dependency Installed: perl-DBI.x86_64 0:1.609-4.el6Configuring FreeRADIUS for PAM
a) User and Group for the Radius Daemon
To allow the radiusd daemon to traverse the filesystem to read the Google Authenticator config files on each user's home directory, you have to change the user/group in the configuration file. This may be undesirable in a production environment.
Edit the /etc/raddb/radiusd.conf and find:
user = radiusd group = radiusdChange to
user = root group = rootand save the file.
b) Enable PAM for the Default Site
Edit the /etc/raddb/sites-enabled/default and find:
# Pluggable Authentication Modules. # pamuncomment the PAM module and save.
pamc) Configure Users for PAM
Edit the and find
#DEFAULT Group == "disabled", Auth-Type := Reject # Reply-Message = "Your account has been disabled."uncomment and add the line as follows:
DEFAULT Group == "disabled", Auth-Type := Reject
Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM
Tip: To check your work so far- In one session window, run the radius daemon in verbose mode
$ sudo radiusd -X [truncated] Ready to process requests.
If there are any issues with the current configuration, you can verify it with the output. - Open another session and create a new user
$ sudo useradd testing $ sudo passwd testing New password: BAD PASSWORD: it is based on a dictionary word Retype new password: passwd: all authentication tokens updated successfully.
Now you have a user to test your RADIUS server via PAM. - In that same session, use the radtest utility with the client set for the localhost client.
radtest testing Mysecret123! localhost 0 testing123 Sending Access-Request of id 204 to 127.0.0.1 port 1812 User-Name = "testing" User-Password = "Secret123!" NAS-IP-Address = 192.168.81.34 NAS-Port = 0 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=204, length=20On the first window, you'll see the verbose output somewhat like this:
rad_recv: Access-Request packet from host 127.0.0.1 port 53367, id=204, length=77 User-Name = "testing" User-Password = "Mysecret123!" NAS-IP-Address = 192.168.81.34 NAS-Port = 0 Message-Authenticator = 0x8c11ad4b5c1dbd597764716d95d3d9e3 # Executing section authorize from file /etc/raddb/sites-enabled/default [truncated] Sending Access-Accept of id 204 to 127.0.0.1 port 53367This verifies that things are set up correctly so far. Cancel radiusd debug (CTRL+C)
Install Centrify DirectControl and Join AD
We'll use the Centrify Repo and join AD in Workstation mode.
$ sudo yum install CentrifyDC -y [truncated] Installed: CentrifyDC.x86_64 0:5.3.1-398 $ sudo adjoin -w -u [user.name] domain.name user.name@DOMAIN.NAME's password: Using domain controller: dc.centrify.vms writable=true Join to domain:centrify.vms, zone:Auto Zone successful Centrify DirectControl started.At this point, if you want another sanity check, you can repeat the same debugging but with an AD user credential.
Configure the Radius PAM directives for Google Authenticator
Edit the /etc/pam.d/radiusd perform two modifications.
Add this line on the top of the file auth required pam_google_authenticator.so and comment the auth module.
Here what we'll achieve is to provide the Google Authenticator code as our one-time password via RADIUS. Other combinations of PAM modules can achieve a Password+Code.
The final result should look like this:
#%PAM-1.0 auth required pam_google_authenticator.so #auth include password-auth account required pam_nologin.so account include password-auth password include password-auth session include password-authThis configuration challenges for the OTP code only and ignores the password.
Enroll an AD user with Google Authenticator
- Log in with a test AD user to your Linux system
- Run the google authenticator setup (google-authenticator)
Last login: Thu Aug 4 06:22:50 2016 from 192.168.81.11 $ google-authenticator https://www.google.com/[truncated] <= copy this URL and paste it on your browser Your new secret key is: ETIQLTKPBQV4TVLH Your verification code is 2647620 Your emergency scratch codes are: 08703664 [truncated]Follow the prompts until you complete setup. - Paste the URL in a web browser and use your Authenticator QR Capture function to capture the code.
Alternatively you can add the code manually. - Repeat this process for all your test users.
- In a session, open Radiusd in verbose mode. [sudo radiusd -X]
- In another browser, test the authentication with the code from the OATH OTP authenticator.
radtest [username] [oath otp code] localhost 0 [pharaphrase]
In my environment it looks like this:
Set up the Cloud Connector as a RADIUS Client
On the FreeRADIUS Server you have to set up the connector as a client.
- If you haven't done so, close the radiusd debugger.
- Edit the following file /etc/raddb/clients.conf go to the end and add:
client member2.centrify.vms { secret = [Insert Complex String Here] shortname = [Friendly Name] }Notes:
- You can use the IP address or FQDN of your RADIUS-enabled connector
- You must choose a decent complex string as your secret and save it for the next section. - Save the file.
Centrify Identity Service or Privilege Service Setup
Overview
- Configure the RADIUS Server
- Configure Connector for RADIUS
- Enable RADIUS in your Policy
- Enable 3rd Party RADIUS in your Authentication Profile(s)
- Verify Functionality
- Modify RADIUS service startup
To configure the RADIUS Server
Go to Cloud Manager > Settings > Authentication > Radius Connections > Servers Tab and press Add
Name: A descriptive name (e.g. SecurID PIN+Code)
Description: Optional
Server IP Address: The IP address of your server
Port: Change if not default (1812)
Server Secret: Must match the secret you set up in the previous step.
Configuring a Connector for RADIUS
You need at least one connector enabled for RADIUS that can reach the RADIUS server.
Go to Cloud Manager > Settings > Network > Cloud Connectors > [connector] > RADIUS > and Check
"Enable connections to external RADIUS servers"
Also make sure that the RADIUS Client service is enabled.
Enable RADIUS in your User Authentication Policy
Go to Cloud Manager > Policies > [click on the policy that applies to the user(s)] > Expand User Security Policies and Click RADIUS. Set "Allow 3rd Party RADIUS" to Yes and Save.
Enable 3rd Party RADIUS in any corresponding Authentication Profiles
Cloud Manager > Settings> Authentication Profiles > [click profile that you want to enable] and check
"3rd Party RADIUS Authentication" and press OK. Repeat with other profiles if needed.
Verify Functionality
- Launch radiusd in debug mode (sudo radiusd -X) on your Linux system.
- Trigger a Step-up protected event in CIS/CPS (private login, secure access, password checkout)
Monitor the debug log for any errors. If everything goes as expected, keep testing with other users.
Tidy-up: Set up the Radius Service for Automatic Startup
$ sudo chkconfig radiusd on $ sudo service radiusd start
Quick Video
No comments:
Post a Comment