google / google-authenticator-libpam

Apache License 2.0

FreeRADIUS Google Dual Factor Authenticator #21

Open ThomasHabets opened 7 years ago

ThomasHabets commented 7 years ago

From @ThomasHabets on October 10, 2014 8:7

Original issue 326 created by achintha85 on 2013-09-26T06:52:57.000Z:

Hi, I've been following this article to set up FreeRADIUS Google Dual Factor Authenticator:

http://www.supertechguy.com/help/security/freeradius-google-auth

After hours of testing I still can't get it to work. If my /etc/pam.d/radiusd looks like the following, it works well with the following command:

radtest test test localhost 18120 testing123


# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
#

# We fall back to the system default in /etc/pam.d/common-*
#

@include common-auth
@include common-account
@include common-password
@include common-session
--------------------------------------------------------

However, if it looks like the following

--------------------------------------------------------
#
# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
#

# We fall back to the system default in /etc/pam.d/common-*
#

#@include common-auth
#@include common-account
#@include common-password
#@include common-session

auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
--------------------------------------------------------

my log file says the following, and auth fails.

--------------------------------------------------------
rad_recv: Access-Request packet from host 127.0.0.1 port 43185, id=111, length=56
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 18120
Thu Sep 26 16:38:19 2013 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Thu Sep 26 16:38:19 2013 : Info: +- entering group authorize {...}
Thu Sep 26 16:38:19 2013 : Info: ++[preprocess] returns ok
Thu Sep 26 16:38:19 2013 : Info: ++[chap] returns noop
Thu Sep 26 16:38:19 2013 : Info: ++[mschap] returns noop
Thu Sep 26 16:38:19 2013 : Info: ++[digest] returns noop
Thu Sep 26 16:38:19 2013 : Info: [suffix] No '@' in User-Name = "test", looking up realm NULL
Thu Sep 26 16:38:19 2013 : Info: [suffix] No such realm "NULL"
Thu Sep 26 16:38:19 2013 : Info: ++[suffix] returns noop
Thu Sep 26 16:38:19 2013 : Info: [eap] No EAP-Message, not doing EAP
Thu Sep 26 16:38:19 2013 : Info: ++[eap] returns noop
Thu Sep 26 16:38:19 2013 : Info: [files] users: Matched entry DEFAULT at line 74
Thu Sep 26 16:38:19 2013 : Info: ++[files] returns ok
Thu Sep 26 16:38:19 2013 : Info: ++[expiration] returns noop
Thu Sep 26 16:38:19 2013 : Info: ++[logintime] returns noop
Thu Sep 26 16:38:19 2013 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Thu Sep 26 16:38:19 2013 : Info: ++[pap] returns noop
Thu Sep 26 16:38:19 2013 : Info: Found Auth-Type = PAM
Thu Sep 26 16:38:19 2013 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Thu Sep 26 16:38:19 2013 : Info: +- entering group authenticate {...}
Thu Sep 26 16:38:19 2013 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup
Thu Sep 26 16:38:19 2013 : Debug: pam_pass: function pam_authenticate FAILED for <test>. Reason: Cannot make/remove an entry for the specified session
Thu Sep 26 16:38:19 2013 : Info: ++[pam] returns reject
Thu Sep 26 16:38:19 2013 : Info: Failed to authenticate the user.
Thu Sep 26 16:38:19 2013 : Info: Using Post-Auth-Type Reject
Thu Sep 26 16:38:19 2013 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Thu Sep 26 16:38:19 2013 : Info: +- entering group REJECT {...}
Thu Sep 26 16:38:19 2013 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> test
Thu Sep 26 16:38:19 2013 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Thu Sep 26 16:38:19 2013 : Info: ++[attr_filter.access_reject] returns updated
Thu Sep 26 16:38:19 2013 : Info: Delaying reject of request 0 for 1 seconds
Thu Sep 26 16:38:19 2013 : Debug: Going to the next request
Thu Sep 26 16:38:19 2013 : Debug: Waking up in 0.9 seconds.
Thu Sep 26 16:38:20 2013 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 111 to 127.0.0.1 port 43185
Thu Sep 26 16:38:20 2013 : Debug: Waking up in 4.9 seconds.
Thu Sep 26 16:38:25 2013 : Info: Cleaning up request 0 ID 111 with timestamp +3
Thu Sep 26 16:38:25 2013 : Info: Ready to process requests.
--------------------------------------------------------

Can you please tell me what the issue is here?

I'm using the latest Ubuntu.

Copied from original issue: google/google-authenticator#325

ThomasHabets commented 7 years ago

From @tecman77 on March 6, 2015 19:32

I have a similar problem with FreeRADIUS and the pam_google_authenticator module. I tried to deploy this on Red Hat 6, 7 and Fedora 21 without success. The time on the server is configured correctly and I am able to log in with two-factor auth via SSH on the very same server; however, FreeRADIUS doesn't seem to work on these systems. The only system I have been able to make it work on so far is Ubuntu, without any problems. I followed the same setup guide as the OP.

My pam_google_authenticator was compiled instead of installed from RPM, but FreeRADIUS was installed from RPM. Red Hat 7 comes with FreeRADIUS 3.x by default, Ubuntu with 2.1. I also compiled FreeRADIUS from source on both systems, and that didn't make any difference. Ubuntu works; CentOS/Red Hat/Fedora doesn't with FreeRADIUS, but SSHD works fine with dual-factor authentication.

There are not enough debug options that I could use to troubleshoot it further myself.

ThomasHabets commented 7 years ago

From @pantsman0 on October 3, 2015 11:50

I have set this up on RHEL6&7 and CentOS6&7, and I've had it work using the steps in the guide above.

The problem seems to be this line:
Thu Sep 26 16:38:19 2013 : Debug: pam_pass: function pam_authenticate FAILED for <test>. Reason: Cannot make/remove an entry for the specified session

This happens to me when I forget to change the running user/group from radiusd to root. You need to run it as root, or move the secrets out of the user home directories.

If you continue to have issues, comment here and I will respond when I can.
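The following Python is an added example, not code from this thread or from the google-authenticator-libpam project. It models the two things the thread turns on: what the `forward_pass` / `use_first_pass` stack does with the RADIUS User-Password (the trailing six digits are checked as a TOTP code, the rest is handed on to pam_unix), and why a radiusd process that is not running as root cannot open a 0400 secret file in another user's home directory, which is the failure @pantsman0 diagnoses. Assumptions: the secret file content is constructed from the RFC 6238 SHA-1 test key, codes are six digits, `WINDOW_SIZE 3` is read as the current step plus one step either side, and the "radiusd" uid is simply some uid other than the file owner; the module's real parsing and PAM return codes are not reproduced.

```python
"""Constructed model of the PAM stack discussed in this thread:

    auth requisite pam_google_authenticator.so forward_pass
    auth required  pam_unix.so use_first_pass
"""
import base64
import hashlib
import hmac
import os
import shutil
import stat
import struct
import tempfile

CODE_LEN = 6      # digits per TOTP code
TIME_STEP = 30    # seconds per TOTP step

# Constructed ~/.google_authenticator using the RFC 6238 SHA-1 test key
# ("12345678901234567890" in base32); not a real user's secret.
SAMPLE_SECRET_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" TOTP_AUTH
"""


def parse_secret_file(text):
    """First line is the base32 secret; lines starting with '"' are options."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret = base64.b32decode(lines[0].upper())
    options = {}
    for line in lines[1:]:
        if line.startswith('"'):
            parts = line[1:].split()
            if parts:
                options[parts[0]] = " ".join(parts[1:])
    return secret, options


def totp(secret, step):
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian step counter, 6 digits."""
    digest = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (CODE_LEN, value % 10 ** CODE_LEN)


def verify_forwarded_password(secret_text, forwarded, now):
    """Split User-Password the way forward_pass does and check the code.
    Returns (unix_password, accepted); unix_password is what pam_unix would
    receive via use_first_pass. WINDOW_SIZE 3 is taken as the current step
    plus one step either side (assumption about the module's semantics)."""
    if len(forwarded) <= CODE_LEN or not forwarded[-CODE_LEN:].isdigit():
        return forwarded, False            # nothing that looks like a code
    unix_pw, code = forwarded[:-CODE_LEN], forwarded[-CODE_LEN:]
    secret, options = parse_secret_file(secret_text)
    window = int(options.get("WINDOW_SIZE", "3"))
    half = (window - 1) // 2
    step = int(now) // TIME_STEP
    accepted = any(hmac.compare_digest(totp(secret, step + d), code)
                   for d in range(-half, half + 1))
    return unix_pw, accepted


def secret_readable_by(path, uid, gid):
    """Discretionary access check as applied when the module opens the
    secret file: root always passes, otherwise the matching read bit."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def demo_permission_check():
    """Write the sample secret as a 0400 file (as google-authenticator(1)
    creates it) and evaluate who can read it. Returns scenario -> bool."""
    directory = tempfile.mkdtemp(prefix="ga-demo-")
    try:
        path = os.path.join(directory, ".google_authenticator")
        with open(path, "w") as fh:
            fh.write(SAMPLE_SECRET_FILE)
        os.chmod(path, 0o400)
        me = os.getuid()
        return {
            "file_owner": secret_readable_by(path, me, os.getgid()),
            # hypothetical radiusd uid: not the owner, no shared group
            "unprivileged_radiusd": secret_readable_by(path, me + 1, -1),
            "root": secret_readable_by(path, 0, 0),
        }
    finally:
        shutil.rmtree(directory)
```

Running `verify_forwarded_password(SAMPLE_SECRET_FILE, "hunter2287082", 59)` accepts the code and hands `hunter2` on to the next module, exactly the split the `forward_pass` stack relies on; `demo_permission_check()` shows that only the owner or root can read the 0400 secret, which is why the thread's two fixes are "run radiusd as root" or "keep the secrets somewhere the radiusd user can read".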