Today's task: build a FreeRADIUS server that authenticates users with the Google Authenticator mobile app.
The result can be plugged in as the RADIUS authenticator for VMware Horizon View or Horizon DaaS.
I am using Ubuntu Server 16.04 (64-bit). Let's get started.
==== Start on your way ====
# apt-get install ntp
# apt-get install likewise-open
or, if the package is not available from your mirror, fetch the .deb directly:
# wget http://archive.ubuntu.com/ubuntu/pool/main/l/likewise-open/likewise-open_6.1.0.406-0ubuntu5_amd64.deb
# dpkg -i likewise-open_6.1.0.406-0ubuntu5_amd64.deb
ntp is not optional here: the Kerberos-based AD join fails if the clock drifts more than a few minutes from the domain controller, and TOTP codes are only valid for 30-second windows, so a drifting clock breaks token verification too.
### Start likewise-open and the lsass module, then query AD to confirm the server can reach it before joining ###
/etc/init.d/lwsmd restart
/etc/init.d/likewise restart
lwsm start lsass
#### Queries available after lwsm start lsass
domainjoin-cli query                      # show domain-join information
lw-get-status                             # show status of the AD connection
lw-enum-users                             # list users from the AD server
lw-find-group-by-name domain\\GROUPNAME   # look up an AD group (DOMAIN\GROUPNAME)
### Point DNS at the AD server
vi /etc/resolv.conf
The nameserver must be the AD domain controller, because domainjoin-cli locates the domain through its DNS SRV records. On Ubuntu 16.04 /etc/resolv.conf is regenerated by resolvconf, so put the dns-nameservers entry in /etc/network/interfaces to make the change persistent.
Join the server to the Active Directory domain by typing the following command (the account must have the right to join computers to the domain):
# domainjoin-cli join <your domain name> <account_name>
# lwconfig AssumeDefaultDomain true
AssumeDefaultDomain lets users authenticate with a bare username instead of DOMAIN\username, which is what the RADIUS clients will send.
# init 6
#### Google Authenticator setup
The upstream Google Authenticator PAM module is distributed as source, so building it yourself needs the toolchain and the PAM headers:
# apt-get install build-essential git libpam0g-dev libqrencode3
On Ubuntu 16.04 you do not have to build it: the module is packaged as libpam-google-authenticator, so install that instead:
# apt-get install libpam-google-authenticator
Each user who will authenticate through RADIUS must then run the google-authenticator enrolment tool once, as that user, so the secret is written to ~/.google_authenticator in their home directory, and scan the generated QR code into the mobile app.
##### RADIUS setup
Next step: install the RADIUS component using FreeRADIUS:
# apt-get install freeradius
Once it is installed, edit
/etc/freeradius/radiusd.conf and change
user = freerad   to   user = root
group = freerad   to   group = root
This is needed because pam_google_authenticator has to read each user's ~/.google_authenticator and pam_lsass has to talk to lsass, which the unprivileged freerad account cannot do. Running the RADIUS daemon as root is a trade-off: a bug in FreeRADIUS or in either PAM module then executes with full privileges. If that is not acceptable, pam_google_authenticator's secret= and user= options allow the secrets to be kept in a central directory owned by a dedicated account instead of in home directories.
## Add the PAM stack for radiusd with forward_pass: the user types {password_ad}{token_from_app} as one string
vi /etc/pam.d/radiusd
auth requisite pam_google_authenticator.so forward_pass
auth required pam_lsass.so use_first_pass
pam_google_authenticator takes the 6-digit code from the end of the submitted string, verifies it, and forwards the remainder as the password; pam_lsass then checks that password against AD, and use_first_pass stops it from prompting again. requisite means a wrong token fails the stack immediately, so the AD password is never tried with a bad token.
# vi /etc/freeradius/users
DEFAULT Group == "GG_S_GOOGLE_AUTH_DISABLED", Auth-Type := Reject
        Reply-Message = "Your account has been disabled."

DEFAULT Auth-Type := PAM
Members of the AD group GG_S_GOOGLE_AUTH_DISABLED (visible to FreeRADIUS through the system group database, which likewise-open populates from AD) are rejected before PAM is consulted; everyone else is handed to PAM. Make sure pam is uncommented in the authenticate section of /etc/freeradius/sites-enabled/default, because the stock Ubuntu package ships that line commented out.
### Added by golf to allow the AD server or the VCS server to connect
# vi /etc/freeradius/clients.conf
client vcs01.packetlove.local {
        secret = secret
        shortname = vcs01
}
Replace secret = secret with a long random shared secret and configure the same value on the Horizon side: the shared secret is the only thing that authenticates a RADIUS client, and with a guessable one anyone on the network can submit authentication requests and read replies. The client hostname is resolved when FreeRADIUS starts, so it must resolve through the DNS server configured above (or set ipaddr = explicitly).
Restart freeradius to activate new settings
# service freeradius restart
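Before pointing Horizon at the server, it helps to exercise the whole chain from the command line. The script below is an added example and is not part of the original post nor of the Google Authenticator or FreeRADIUS projects: it decodes the base32 secret from the first line of a user's ~/.google_authenticator, computes the same 6-digit code the app displays (RFC 6238 TOTP over HMAC-SHA1 with 30-second steps, which is what pam_google_authenticator verifies by default), and builds the {password_ad}{token} string the forward_pass stack expects. It assumes only a POSIX shell, openssl and coreutils; the user name, password and secret shown in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): compute the Google Authenticator
# code for a secret and build the "password + code" string that the
# pam_google_authenticator forward_pass stack expects. Needs only a POSIX
# shell, openssl and coreutils; no network access.

# b32_to_hex BASE32 -> hex bytes. ~/.google_authenticator stores the secret in
# base32 (RFC 4648 alphabet) on its first line, without '=' padding.
b32_to_hex() {
    alphabet=ABCDEFGHIJKLMNOPQRSTUVWXYZ234567
    s=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -d ' =')
    bits=0 nbits=0 out=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character
        s=${s#?}                 # rest of the string
        rest=${alphabet#*"$c"}   # alphabet after the first occurrence of c
        [ "${#rest}" -lt 32 ] || { echo "invalid base32 character: $c" >&2; return 1; }
        v=$((31 - ${#rest}))     # index of c in the alphabet (0..31)
        bits=$(( ((bits << 5) | v) & 0xffff ))
        nbits=$((nbits + 5))
        if [ "$nbits" -ge 8 ]; then
            nbits=$((nbits - 8))
            out=$out$(printf '%02x' $(( (bits >> nbits) & 255 )))
        fi
    done
    printf '%s\n' "$out"
}

# hotp HEXKEY COUNTER -> 6-digit HOTP (RFC 4226: HMAC-SHA1 + dynamic truncation)
hotp() {
    hexkey=$1
    counter=$2
    # HMAC the counter as 8 big-endian bytes (emitted as octal escapes so that
    # zero bytes survive) with the secret.
    mac=$(
        i=7
        while [ "$i" -ge 0 ]; do
            byte=$(( (counter >> (8 * i)) & 255 ))
            printf "$(printf '\\%03o' "$byte")"
            i=$((i - 1))
        done | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$hexkey" | awk '{print $NF}'
    )
    # Dynamic truncation: the low nibble of the last byte picks a 4-byte window;
    # clear its top bit and keep the low 6 decimal digits.
    offset=$(printf '%s' "$mac" | cut -c40)
    start=$((0x$offset * 2 + 1))
    word=$(printf '%s' "$mac" | cut -c"$start-$((start + 7))")
    printf '%06d\n' $(( (0x$word & 0x7fffffff) % 1000000 ))
}

# totp HEXKEY [UNIX_TIME] -> current 6-digit TOTP (RFC 6238, 30-second step)
totp() {
    now=${2:-$(date +%s)}
    hotp "$1" $((now / 30))
}

# radius_password AD_PASSWORD BASE32_SECRET [UNIX_TIME] -> the single string the
# user submits to the forward_pass stack: AD password followed by the code.
radius_password() {
    printf '%s%s\n' "$1" "$(totp "$(b32_to_hex "$2")" "$3")"
}

# Usage: sh totp-check.sh BASE32_SECRET [AD_PASSWORD]
#   Prints the current code, or with a password the full login string, so a
#   test request can be sent to the server built above (placeholder values):
#   radtest someuser "$(sh totp-check.sh "$SECRET" "$ADPASS")" 127.0.0.1 0 secret
if [ "$#" -ge 1 ]; then
    if [ "$#" -ge 2 ]; then radius_password "$2" "$1"; else totp "$(b32_to_hex "$1")"; fi
fi
```

The hotp function is the part worth reading: the counter must be serialised as exactly 8 big-endian bytes, including leading zero bytes, before it is MACed, and the offset used for truncation comes from the last nibble of the digest, not from the first. Any test client that gets either detail wrong produces codes that differ from the app's while looking plausible.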
## Commands that have to be run after a reboot [done]
/etc/init.d/likewise restart
/etc/init.d/freeradius restart
/etc/init.d/lwsmd restart
lwsm start lsass                          # after this, lsass queries information from AD
#### Queries available after lwsm start lsass
domainjoin-cli query
lw-get-status
lw-enum-users
lw-find-group-by-name domain\\GROUPNAME
### How to debug lsassd (the module that talks to AD)
/usr/sbin/lsassd --loglevel debug --logfile /home/nttadm/lsassd.txt
### How to debug freeradius
vi /etc/freeradius/sites-enabled/default
## enable the two log modules by uncommenting them
auth_log
reply_log
/etc/init.d/freeradius restart
auth_log records every incoming Access-Request and reply_log every reply in detail files under the FreeRADIUS log directory; they contain the full attribute lists of each packet, so keep them readable by root only and disable them again once the problem is found. For interactive troubleshooting, stop the service and run freeradius -X in the foreground, which prints the PAM result for every request.
That's all there is to it.
Done