-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCisco-AnyConnect-通过FreeRADIUS集成域账号-谷歌双因素认证.html
898 lines (673 loc) · 135 KB
/
Cisco-AnyConnect-通过FreeRADIUS集成域账号-谷歌双因素认证.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
<!DOCTYPE html>
<html lang="zh-CN">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 4.0.0">
<link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
<link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
<link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
<link rel="mask-icon" href="/images/logo.svg" color="#222">
<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
<meta name="baidu-site-verification" content="true">
<link rel="stylesheet" href="/css/main.css">
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Lato:300,300italic,400,400italic,700,700italic&display=swap&subset=latin,latin-ext">
<link rel="stylesheet" href="/lib/font-awesome/css/font-awesome.min.css">
<script id="hexo-configurations">
var NexT = window.NexT || {};
var CONFIG = {"hostname":"yoursite.com","root":"/","scheme":"Pisces","version":"7.7.2","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":true,"show_result":true,"style":"default"},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
</script>
<meta name="description" content="实验目的:用户使用Cisco AnyConnect拨号时,输入AD账号密码和谷歌动态码后通过认证,获得授权。Cisco ASA指向FreeRADIUS做认证,FreeRADIUS联动AD和google_authenticator。">
<meta name="keywords" content="Cisco ASAv,AnyConnect,FreeRADIUS,Google Authenticator">
<meta property="og:type" content="article">
<meta property="og:title" content="Cisco AnyConnect 通过FreeRADIUS集成域账号+谷歌双因素认证">
<meta property="og:url" content="http://yoursite.com/Cisco-AnyConnect-%E9%80%9A%E8%BF%87FreeRADIUS%E9%9B%86%E6%88%90%E5%9F%9F%E8%B4%A6%E5%8F%B7-%E8%B0%B7%E6%AD%8C%E5%8F%8C%E5%9B%A0%E7%B4%A0%E8%AE%A4%E8%AF%81.html">
<meta property="og:site_name" content="Crosswalk Blog">
<meta property="og:description" content="实验目的:用户使用Cisco AnyConnect拨号时,输入AD账号密码和谷歌动态码后通过认证,获得授权。Cisco ASA指向FreeRADIUS做认证,FreeRADIUS联动AD和google_authenticator。">
<meta property="og:locale" content="zh-CN">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-topo.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-ad-01.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-ad-02.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-ad-03.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-ad-04.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-ad-05.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-asdm-01.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-asdm-02.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-asdm-03.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-asdm-04.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-rdp-01.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-rdp-02.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-01.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-02.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-03.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-01.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-ad.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-03.png">
<meta property="og:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-code.png">
<meta property="og:updated_time" content="2020-05-15T07:26:14.690Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="http://yoursite.com/images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-topo.png">
<link rel="canonical" href="http://yoursite.com/Cisco-AnyConnect-%E9%80%9A%E8%BF%87FreeRADIUS%E9%9B%86%E6%88%90%E5%9F%9F%E8%B4%A6%E5%8F%B7-%E8%B0%B7%E6%AD%8C%E5%8F%8C%E5%9B%A0%E7%B4%A0%E8%AE%A4%E8%AF%81.html">
<script id="page-configurations">
// https://hexo.io/docs/variables.html
CONFIG.page = {
sidebar: "",
isHome : false,
isPost : true
};
</script>
<title>Cisco AnyConnect 通过FreeRADIUS集成域账号+谷歌双因素认证 | Crosswalk Blog</title>
<noscript>
<style>
.use-motion .brand,
.use-motion .menu-item,
.sidebar-inner,
.use-motion .post-block,
.use-motion .pagination,
.use-motion .comments,
.use-motion .post-header,
.use-motion .post-body,
.use-motion .collection-header { opacity: initial; }
.use-motion .site-title,
.use-motion .site-subtitle {
opacity: initial;
top: initial;
}
.use-motion .logo-line-before i { left: initial; }
.use-motion .logo-line-after i { right: initial; }
</style>
</noscript>
</head>
<body itemscope itemtype="http://schema.org/WebPage">
<div class="container use-motion">
<div class="headband"></div>
<header class="header" itemscope itemtype="http://schema.org/WPHeader">
<div class="header-inner"><div class="site-brand-container">
<div class="site-nav-toggle">
<div class="toggle" aria-label="切换导航栏">
<span class="toggle-line toggle-line-first"></span>
<span class="toggle-line toggle-line-middle"></span>
<span class="toggle-line toggle-line-last"></span>
</div>
</div>
<div class="site-meta">
<div>
<a href="/" class="brand" rel="start">
<span class="logo-line-before"><i></i></span>
<span class="site-title">Crosswalk Blog</span>
<span class="logo-line-after"><i></i></span>
</a>
</div>
</div>
<div class="site-nav-right">
<div class="toggle popup-trigger">
<i class="fa fa-search fa-fw fa-lg"></i>
</div>
</div>
</div>
<nav class="site-nav">
<ul id="menu" class="menu">
<li class="menu-item menu-item-home">
<a href="/" rel="section"><i class="fa fa-fw fa-home"></i>首页</a>
</li>
<li class="menu-item menu-item-tags">
<a href="/tags/" rel="section"><i class="fa fa-fw fa-tags"></i>标签</a>
</li>
<li class="menu-item menu-item-categories">
<a href="/categories/" rel="section"><i class="fa fa-fw fa-th"></i>分类</a>
</li>
<li class="menu-item menu-item-archives">
<a href="/archives/" rel="section"><i class="fa fa-fw fa-archive"></i>归档</a>
</li>
<li class="menu-item menu-item-search">
<a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
</a>
</li>
</ul>
</nav>
<div class="site-search">
<div class="popup search-popup">
<div class="search-header">
<span class="search-icon">
<i class="fa fa-search"></i>
</span>
<div class="search-input-container">
<input autocomplete="off" autocorrect="off" autocapitalize="off"
placeholder="搜索..." spellcheck="false"
type="search" class="search-input">
</div>
<span class="popup-btn-close">
<i class="fa fa-times-circle"></i>
</span>
</div>
<div id="search-result"></div>
</div>
<div class="search-pop-overlay"></div>
</div>
</div>
</header>
<div class="back-to-top">
<i class="fa fa-arrow-up"></i>
<span>0%</span>
</div>
<main class="main">
<div class="main-inner">
<div class="content-wrap">
<div class="content">
<div class="posts-expand">
<article itemscope itemtype="http://schema.org/Article" class="post-block " lang="zh-CN">
<link itemprop="mainEntityOfPage" href="http://yoursite.com/Cisco-AnyConnect-%E9%80%9A%E8%BF%87FreeRADIUS%E9%9B%86%E6%88%90%E5%9F%9F%E8%B4%A6%E5%8F%B7-%E8%B0%B7%E6%AD%8C%E5%8F%8C%E5%9B%A0%E7%B4%A0%E8%AE%A4%E8%AF%81.html">
<span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
<meta itemprop="image" content="/images/me.jpg">
<meta itemprop="name" content="Liu Qianglong">
<meta itemprop="description" content="">
</span>
<span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
<meta itemprop="name" content="Crosswalk Blog">
</span>
<header class="post-header">
<h2 class="post-title" itemprop="name headline">
Cisco AnyConnect 通过FreeRADIUS集成域账号+谷歌双因素认证
</h2>
<div class="post-meta">
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="fa fa-calendar-o"></i>
</span>
<span class="post-meta-item-text">发表于</span>
<time title="创建时间:2020-03-06 20:28:51" itemprop="dateCreated datePublished" datetime="2020-03-06T20:28:51+08:00">2020-03-06</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="fa fa-calendar-check-o"></i>
</span>
<span class="post-meta-item-text">更新于</span>
<time title="修改时间:2020-05-15 15:26:14" itemprop="dateModified" datetime="2020-05-15T15:26:14+08:00">2020-05-15</time>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="fa fa-folder-o"></i>
</span>
<span class="post-meta-item-text">分类于</span>
<span itemprop="about" itemscope itemtype="http://schema.org/Thing">
<a href="/categories/Cisco-VPN/" itemprop="url" rel="index"><span itemprop="name">Cisco VPN</span></a>
</span>
</span>
<span class="post-meta-item" title="阅读次数" id="busuanzi_container_page_pv" style="display: none;">
<span class="post-meta-item-icon">
<i class="fa fa-eye"></i>
</span>
<span class="post-meta-item-text">阅读次数:</span>
<span id="busuanzi_value_page_pv"></span>
</span>
<span class="post-meta-item">
<span class="post-meta-item-icon">
<i class="fa fa-comment-o"></i>
</span>
<span class="post-meta-item-text">Valine:</span>
<a title="valine" href="/Cisco-AnyConnect-%E9%80%9A%E8%BF%87FreeRADIUS%E9%9B%86%E6%88%90%E5%9F%9F%E8%B4%A6%E5%8F%B7-%E8%B0%B7%E6%AD%8C%E5%8F%8C%E5%9B%A0%E7%B4%A0%E8%AE%A4%E8%AF%81.html#valine-comments" itemprop="discussionUrl">
<span class="post-comments-count valine-comment-count" data-xid="/Cisco-AnyConnect-%E9%80%9A%E8%BF%87FreeRADIUS%E9%9B%86%E6%88%90%E5%9F%9F%E8%B4%A6%E5%8F%B7-%E8%B0%B7%E6%AD%8C%E5%8F%8C%E5%9B%A0%E7%B4%A0%E8%AE%A4%E8%AF%81.html" itemprop="commentCount"></span>
</a>
</span>
</div>
</header>
<div class="post-body" itemprop="articleBody">
<blockquote>
<p>实验目的:用户使用Cisco AnyConnect拨号时,输入AD账号密码和谷歌动态码后通过认证,获得授权。Cisco ASA指向FreeRADIUS做认证,FreeRADIUS联动AD和google_authenticator。</p>
</blockquote>
<h2 id="一、环境介绍"><a href="#一、环境介绍" class="headerlink" title="一、环境介绍"></a>一、环境介绍</h2><ul>
<li>拓扑图</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-topo.png" alt="[AnyConnect-freeradius-ad-mfa]topo"></p>
<ul>
<li>实验环境CentOS8有两块网卡,一块网卡用于访问Internet,一块网卡位于防火墙inside区域。</li>
<li>这里使用CentOS8(CentOS7也可以)安装FreeRADIUS和Google Authenticator。Windows Server 2016安装AD服务,AD安装过程这里不做介绍。需要用户在手机上安装Google-Authenticator APP。</li>
<li>用户使用AnyConnect拨号,输入用户名和密码,密码框输入<strong>密码+动态码</strong>,实现<strong>AD账号+动态码</strong>双因素认证。</li>
</ul>
<h2 id="二、CentOS8-环境设置"><a href="#二、CentOS8-环境设置" class="headerlink" title="二、CentOS8 环境设置"></a>二、CentOS8 环境设置</h2><ul>
<li>系统更新<br><code>[root@centos8 ~]# yum update</code></li>
</ul>
<ul>
<li>修改时区<br><code>[root@centos8 /]# ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime</code></li>
</ul>
<ul>
<li>查看时间是否正确<br><code>[root@centos8 /]#ll /etc/localtime</code></li>
</ul>
<ul>
<li>关闭SElinux,临时关闭和永久关闭。<br><code>[root@centos8 ~]# setenforce 0</code><br><code>[root@centos8 ~]# sed -i 's/=enforcing/=permissive/g' /etc/selinux/config</code></li>
</ul>
<ul>
<li>查看SElinux状态。<br><code>[root@centos8 ~]# getenforce</code><br><code>Permissive</code></li>
</ul>
<ul>
<li>关闭防火墙(可选),本次实验未关闭防火墙。<br><code>[root@centos8 ~]# systemctl stop firewalld.service</code><br><code>[root@centos8 ~]# systemctl disable firewalld.service</code></li>
</ul>
<hr>
<h2 id="三、FreeRADIUS-安装及配置"><a href="#三、FreeRADIUS-安装及配置" class="headerlink" title="三、FreeRADIUS 安装及配置"></a>三、FreeRADIUS 安装及配置</h2><h3 id="3-1-FreeRADIUS安装"><a href="#3-1-FreeRADIUS安装" class="headerlink" title="3.1 FreeRADIUS安装"></a>3.1 FreeRADIUS安装</h3><ul>
<li>安装FreeRADIUS<br><code>[root@centos8 ~]# yum install freeradius freeradius-utils</code></li>
</ul>
<ul>
<li>启动radius服务<br><code>[root@centos8 ~]# systemctl enable --now radiusd.service</code></li>
</ul>
<ul>
<li>防火墙放行radius<br><code>[root@centos8 ~]# firewall-cmd --add-service=radius --permanent</code><br><code>[root@centos8 ~]# firewall-cmd --reload</code></li>
</ul>
<h3 id="3-2-FreeRADIUS修改配置文件"><a href="#3-2-FreeRADIUS修改配置文件" class="headerlink" title="3.2 FreeRADIUS修改配置文件"></a>3.2 FreeRADIUS修改配置文件</h3><ul>
<li>由于FreeRadius必须有权访问所有用户目录中的.google_authenticator令牌,因此它必须具有root权限。<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">[root@centos8 ~]# vi /etc/raddb/radiusd.conf</span><br><span class="line"></span><br><span class="line"> #user = radiusd</span><br><span class="line"> #group = radiusd</span><br><span class="line"> <span class="built_in"> user </span>= root</span><br><span class="line"> <span class="built_in"> group </span>= root</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>取消<code>pam</code>的注释,radius激活PAM(Pluggable Authentication Modules)可动态加载验证模块。<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">[root@centos8 ~]# vi /etc/raddb/sites-enabled/default</span><br><span class="line"></span><br><span class="line"> pam</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>激活pam,radius pam模块默认没有激活。<br><code>[root@centos8 ~]# ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam</code></li>
</ul>
<ul>
<li>编辑<code>/etc/raddb/clients.conf</code>配置文件,接受来Cisco ASAv的radius认证请求。在行末添加防火墙的与共享密钥和ip地址。<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">[root@centos8 ~]# vi /etc/raddb/clients.conf</span><br><span class="line"></span><br><span class="line">client 192.168.1.254 {</span><br><span class="line"><span class="built_in"> secret </span>= cisco</span><br><span class="line"> shortname = CiscoASA</span><br><span class="line"> nastype = cisco</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
</li>
</ul>
<h3 id="3-3-FreeRADIUS-服务测试"><a href="#3-3-FreeRADIUS-服务测试" class="headerlink" title="3.3 FreeRADIUS 服务测试"></a>3.3 FreeRADIUS 服务测试</h3><ul>
<li>新建用户组,如果你需要拒绝用户访问,可以将用户加入到这个组。<br><code>[root@centos8 ~]# groupadd radius-disabled</code></li>
</ul>
<ul>
<li>编辑<code>/etc/raddb/users</code>将创建的“radius-disabled”组添加到“拒绝用户组”部分。<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">[root@centos8 ~]# vi /etc/raddb/users</span><br><span class="line"></span><br><span class="line"><span class="comment">#DEFAULT Group == "disabled", Auth-Type := Reject</span></span><br><span class="line"><span class="comment"># Reply-Message = "Your account has been disabled."</span></span><br><span class="line"></span><br><span class="line">DEFAULT <span class="built_in"> Group </span>== <span class="string">"radius-disabled"</span>, Auth-Type := Reject</span><br><span class="line"> Reply-Message = <span class="string">"Your account has been disabled."</span></span><br><span class="line">DEFAULT Auth-Type := PAM</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>CentOS新建本地账号测试radius服务。<figure class="highlight autoit"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">[root<span class="symbol">@centos8</span> ~]<span class="meta"># useradd radlocal</span></span><br><span class="line">[root<span class="symbol">@centos8</span> ~]<span class="meta"># passwd radlocal</span></span><br><span class="line">更改用户 radlocal 的密码 。</span><br><span class="line">新的 密码:radpassword</span><br><span class="line">重新输入新的 密码:radpassword</span><br><span class="line">passwd:所有的身份验证令牌已经成功更新。</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>radius 开启调式模式,这个命令非常有用,如果认证不成功,可以根据报错信息定位到错误发生的原因。<br><code>[root@centos8 ~]# radiusd -X</code></li>
</ul>
<ul>
<li>新建一个窗口,测试本地账号radius验证是否通过,注意<code>Received Access-Accept</code>表示认证通过。<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">[root@centos8 ~]# radtest radlocal radpassword localhost 18120 testing123</span><br><span class="line">Sent Access-Request Id 9 from 0.0.0.0:41546 to 127.0.0.1:1812 length 78</span><br><span class="line"> User-Name = "radlocal"</span><br><span class="line"> User-Password = "radpassword"</span><br><span class="line"> NAS-IP-Address = 172.20.29.110</span><br><span class="line"> NAS-Port = 18120</span><br><span class="line"> Message-Authenticator = 0x00</span><br><span class="line"> Cleartext-Password = "radpassword"</span><br><span class="line">Received Access-Accept Id 9 from 127.0.0.1:1812 to 127.0.0.1:41546 length 20</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>开启<code>radius -X</code>窗口显示的输出作为参考。<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br></pre></td><td class="code"><pre><span class="line">Listening on auth<span class="built_in"> address </span>127.0.0.1<span class="built_in"> port </span>18120 bound <span class="keyword">to</span><span class="built_in"> server </span>inner-tunnel</span><br><span class="line">Listening on<span class="built_in"> proxy address </span>*<span class="built_in"> port </span>43164</span><br><span class="line">Listening on<span class="built_in"> proxy address </span>::<span class="built_in"> port </span>40551</span><br><span class="line">Ready <span class="keyword">to</span> process requests</span><br><span class="line">(0) Received Access-Request Id 9 <span class="keyword">from</span> 127.0.0.1:41546 <span class="keyword">to</span> 127.0.0.1:1812 length 78</span><br><span class="line">(0) User-Name = <span class="string">"radlocal"</span></span><br><span class="line">(0) User-Password = <span class="string">"radpassword"</span></span><br><span class="line">(0) NAS-IP-Address = 172.20.29.110</span><br><span class="line">(0) NAS-Port = 18120</span><br><span class="line">(0) Message-Authenticator = 0xeba37c10c860860bd3dcc7bff2c5edf0</span><br><span class="line">(0) # Executing section authorize <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(0) authorize {</span><br><span class="line">(0) <span class="built_in"> policy </span>filter_username {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name) -> <span class="literal">TRUE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ / /) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ / /) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {</span><br><span class="line">(0) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /\.$/) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /\.$/) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /@\./) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /@\./) -> <span class="literal">FALSE</span></span><br><span class="line">(0) } # <span class="keyword">if</span> (&User-Name) = notfound</span><br><span class="line">(0) } #<span class="built_in"> policy </span>filter_username = notfound</span><br><span class="line">(0) [preprocess] = ok</span><br><span class="line">(0) [chap] = noop</span><br><span class="line">(0) [mschap] = noop</span><br><span class="line">(0) [digest] = noop</span><br><span class="line">(0) suffix: Checking <span class="keyword">for</span> suffix after <span class="string">"@"</span></span><br><span class="line">(0) suffix: <span class="literal">No</span> <span class="string">'@'</span> <span class="keyword">in</span> User-Name = <span class="string">"radlocal"</span>, looking up realm <span class="literal">NULL</span></span><br><span class="line">(0) suffix: <span class="literal">No</span> such realm <span class="string">"NULL"</span></span><br><span class="line">(0) [suffix] = noop</span><br><span class="line">(0) eap: <span class="literal">No</span> EAP-Message, <span class="keyword">not</span> doing EAP</span><br><span class="line">(0) [eap] = noop</span><br><span class="line">(0) files: users: Matched entry<span class="built_in"> DEFAULT </span>at line 69</span><br><span class="line">(0) [files] = ok</span><br><span class="line">(0) [expiration] = noop</span><br><span class="line">(0) [logintime] = noop</span><br><span class="line">(0) pap: WARNING: <span class="literal">No</span> <span class="string">"known good"</span> password found <span class="keyword">for</span> the user. <span class="keyword">Not</span> setting Auth-Type</span><br><span class="line">(0) pap: WARNING: Authentication will fail unless a <span class="string">"known good"</span> password is available</span><br><span class="line">(0) [pap] = noop</span><br><span class="line">(0) } # authorize = ok</span><br><span class="line">(0) Found Auth-Type = pam</span><br><span class="line">(0) # Executing<span class="built_in"> group </span><span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(0) authenticate {</span><br><span class="line">(0) pam: Using pamauth string <span class="string">"radiusd"</span> <span class="keyword">for</span> pam.conf lookup</span><br><span class="line">(0) pam: Authentication succeeded</span><br><span class="line">(0) [pam] = ok</span><br><span class="line">(0) } # authenticate = ok</span><br><span class="line">(0) # Executing section post-auth <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(0) post-auth {</span><br><span class="line">(0) update {</span><br><span class="line">(0) <span class="literal">No</span> attributes updated</span><br><span class="line">(0) } # update = noop</span><br><span class="line">(0) [exec] = noop</span><br><span class="line">(0) <span class="built_in"> policy </span>remove_reply_message_if_eap {</span><br><span class="line">(0) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) {</span><br><span class="line">(0) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">else</span> {</span><br><span class="line">(0) [noop] = noop</span><br><span class="line">(0) } # <span class="keyword">else</span> = noop</span><br><span class="line">(0) } #<span class="built_in"> policy </span>remove_reply_message_if_eap = noop</span><br><span class="line">(0) } # post-auth = noop</span><br><span class="line">(0) Sent Access-Accept Id 9 <span class="keyword">from</span> 127.0.0.1:1812 <span class="keyword">to</span> 127.0.0.1:41546 length 0</span><br><span class="line">(0) Finished request</span><br><span class="line">Waking up <span class="keyword">in</span> 4.9 seconds.</span><br><span class="line">(0) Cleaning up request packet ID 9 with +50</span><br><span class="line">Ready <span class="keyword">to</span> process requests</span><br></pre></td></tr></table></figure>
</li>
</ul>
<hr>
<h2 id="四、SSSD安装配置"><a href="#四、SSSD安装配置" class="headerlink" title="四、SSSD安装配置"></a>四、SSSD安装配置</h2><ul>
<li>AD已经安装和配置完成,下面是AD的一些配置信息。创建python.com域,DNS能解析公网地址,防止CentOS DNS指向AD之后无法yum安装软件。</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-ad-01.png" alt="[AnyConnect-freeradius-ad-mfa]ad-01.png"></p>
<ul>
<li>创建mfatest的A记录,CentOS做测试解析用途。</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-ad-02.png" alt="[AnyConnect-freeradius-ad-mfa]ad-02.png"></p>
<ul>
<li>安装SSSD,CentOS8已经内建。<br><code>[root@centos8 ~]# yum install sssd realmd adcli</code><br><code>[root@centos8 ~]# yum install oddjob oddjob-mkhomedir sssd samba-commontools</code></li>
</ul>
<ul>
<li>修改DNS,指向AD的IP地址。<figure class="highlight angelscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[<span class="symbol">root@</span>centos8 ~]# vi /etc/resolv.conf</span><br><span class="line">nameserver <span class="number">192.168</span><span class="number">.1</span><span class="number">.20</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>DNS连通性测试<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">[root@centos8 ~]#<span class="built_in"> ping </span>python.com</span><br><span class="line">PING python.com (192.168.1.20) 56(84) bytes of data.</span><br><span class="line">64 bytes <span class="keyword">from</span> 192.168.1.20 (192.168.1.20): <span class="attribute">icmp_seq</span>=1 <span class="attribute">ttl</span>=128 <span class="attribute">time</span>=0.205 ms</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>DNS解析测试<figure class="highlight css"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line"><span class="selector-attr">[root@centos8 ~]</span># <span class="selector-tag">nslookup</span></span><br><span class="line">> <span class="selector-tag">mfatest</span><span class="selector-class">.python</span><span class="selector-class">.com</span></span><br><span class="line"><span class="selector-tag">Server</span>: 192<span class="selector-class">.168</span><span class="selector-class">.1</span><span class="selector-class">.20</span></span><br><span class="line"><span class="selector-tag">Address</span>: 192<span class="selector-class">.168</span><span class="selector-class">.1</span><span class="selector-class">.20</span><span class="selector-id">#53</span></span><br><span class="line"></span><br><span class="line"><span class="selector-tag">Name</span>: <span class="selector-tag">mfatest</span><span class="selector-class">.python</span><span class="selector-class">.com</span></span><br><span class="line"><span class="selector-tag">Address</span>: 1<span class="selector-class">.1</span><span class="selector-class">.1</span><span class="selector-class">.1</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>CentOS加入python.com域,输入管理员密码。<figure class="highlight vim"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root@centos8 ~]# realm <span class="keyword">join</span> <span class="keyword">python</span>.<span class="keyword">com</span></span><br><span class="line">Administrator 的密码:</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>可以发现域信息。<figure class="highlight yaml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="string">[root@centos8</span> <span class="string">~]#</span> <span class="string">realm</span> <span class="string">list</span></span><br><span class="line"><span class="string">python.com</span></span><br><span class="line"> <span class="attr">type:</span> <span class="string">kerberos</span></span><br><span class="line"> <span class="attr">realm-name:</span> <span class="string">PYTHON.COM</span></span><br><span class="line"> <span class="attr">domain-name:</span> <span class="string">python.com</span></span><br><span class="line"> <span class="attr">configured:</span> <span class="string">kerberos-member</span></span><br><span class="line"> <span class="attr">server-software:</span> <span class="string">active-directory</span></span><br><span class="line"> <span class="attr">client-software:</span> <span class="string">sssd</span></span><br><span class="line"> <span class="attr">required-package:</span> <span class="string">oddjob</span></span><br><span class="line"> <span class="attr">required-package:</span> <span class="string">oddjob-mkhomedir</span></span><br><span class="line"> <span class="attr">required-package:</span> <span class="string">sssd</span></span><br><span class="line"> <span class="attr">required-package:</span> <span class="string">adcli</span></span><br><span class="line"> <span class="attr">required-package:</span> <span class="string">samba-common-tools</span></span><br><span class="line"> <span class="attr">login-formats:</span> <span class="string">%[email protected]</span></span><br><span class="line"> <span class="attr">login-policy:</span> <span class="string">allow-permitted-logins</span></span><br><span class="line"> <span class="attr">permitted-logins:</span></span><br><span class="line"> <span class="attr">permitted-groups:</span> <span class="string">vpnusers</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>AD查看CentOS8加入成功。</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-ad-03.png" alt="[AnyConnect-freeradius-ad-mfa]ad-03.png"></p>
<ul>
<li>AD上创建测试用户wintest</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-ad-04.png" alt="[AnyConnect-freeradius-ad-mfa]ad-04.png"></p>
<ul>
<li>在CentOS上使用AD的用户名密码登录测试。<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">[root@centos8 ~]# ssh -l [email protected] localhost</span><br><span class="line">The authenticity of host <span class="string">'localhost (::1)'</span> can<span class="string">'t be established.</span></span><br><span class="line"><span class="string">ECDSA key fingerprint is SHA256:JNzSM2I5llmwVPjZAmZa0n1TS9dAZJYTgB2Odpq5IWA.</span></span><br><span class="line"><span class="string">Are you sure you want to continue connecting (yes/no/[fingerprint])? yes</span></span><br><span class="line"><span class="string">Warning: Permanently added '</span>localhost<span class="string">' (ECDSA) to the list of known hosts.</span></span><br><span class="line"><span class="string">[email protected]@localhost'</span>s password:</span><br><span class="line">Activate the web<span class="built_in"> console </span>with: systemctl <span class="builtin-name">enable</span> --now cockpit.socket</span><br><span class="line"></span><br><span class="line">[[email protected]@centos8 ~]$ exit</span><br><span class="line">注销</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>AD创建vpnusers组,创建vpnuser用户</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-ad-05.png" alt="[AnyConnect-freeradius-ad-mfa]ad-05.png"></p>
<ul>
<li>CentOS放行允许<code>vpnusers</code>这个组的用户在这台机器上认证。这条命令允许所有域账号认证:<code>realm permit -all</code>。这里放行的认证,不只放行了radius,还放行了ssh的认证,生产环境应该禁止这个组用户登<br>录ssh。<br><code>[root@centos8 ~]# realm permit -g vpnusers</code></li>
</ul>
<ul>
<li>开启radius调试模式<br><code>[root@centos8 ~]#radius -X</code></li>
</ul>
<ul>
<li><p>在新的窗口,使用AD账号测试radius认证,认证通过。</p>
<figure class="highlight angelscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">[<span class="symbol">root@</span>centos8 ~]# radtest <span class="symbol">vpnuser@</span>python.com Cisc0123 localhost <span class="number">18120</span> testing123</span><br><span class="line">Sent Access-Request Id <span class="number">16</span> <span class="keyword">from</span> <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>:<span class="number">38424</span> to <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">1812</span> length <span class="number">88</span></span><br><span class="line"> User-Name = <span class="string">"[email protected]"</span></span><br><span class="line"> User-Password = <span class="string">"Cisc0123"</span></span><br><span class="line"> NAS-IP-Address = <span class="number">172.20</span><span class="number">.29</span><span class="number">.110</span></span><br><span class="line"> NAS-Port = <span class="number">18120</span></span><br><span class="line"> Message-Authenticator = <span class="number">0x00</span></span><br><span class="line"> Cleartext-Password = <span class="string">"Cisc0123"</span></span><br><span class="line">Received Access-Accept Id <span class="number">16</span> <span class="keyword">from</span> <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">1812</span> to <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">38424</span> length <span class="number">20</span></span><br></pre></td></tr></table></figure>
</li>
<li><p>radius调试模式看到的日志。</p>
<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br></pre></td><td class="code"><pre><span class="line">(2) Received Access-Request Id 16 <span class="keyword">from</span> 127.0.0.1:38424 <span class="keyword">to</span> 127.0.0.1:1812 length 88</span><br><span class="line">(2) User-Name = <span class="string">"[email protected]"</span></span><br><span class="line">(2) User-Password = <span class="string">"Cisc0123"</span></span><br><span class="line">(2) NAS-IP-Address = 172.20.29.110</span><br><span class="line">(2) NAS-Port = 18120</span><br><span class="line">(2) Message-Authenticator = 0xd2adbf7920450d47617cc1c7128e437e</span><br><span class="line">(2) # Executing section authorize <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(2) authorize {</span><br><span class="line">(2) <span class="built_in"> policy </span>filter_username {</span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name) -> <span class="literal">TRUE</span></span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ / /) {</span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ / /) -> <span class="literal">FALSE</span></span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) {</span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) -> <span class="literal">FALSE</span></span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) {</span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) -> <span class="literal">FALSE</span></span><br><span class="line">(2) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {</span><br><span class="line">(2) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> <span class="literal">FALSE</span></span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ /\.$/) {</span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ /\.$/) -> <span class="literal">FALSE</span></span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ /@\./) {</span><br><span class="line">(2) <span class="keyword">if</span> (&User-Name =~ /@\./) -> <span class="literal">FALSE</span></span><br><span class="line">(2) } # <span class="keyword">if</span> (&User-Name) = notfound</span><br><span class="line">(2) } #<span class="built_in"> policy </span>filter_username = notfound</span><br><span class="line">(2) [preprocess] = ok</span><br><span class="line">(2) [chap] = noop</span><br><span class="line">(2) [mschap] = noop</span><br><span class="line">(2) [digest] = noop</span><br><span class="line">(2) suffix: Checking <span class="keyword">for</span> suffix after <span class="string">"@"</span></span><br><span class="line">(2) suffix: Looking up realm <span class="string">"python.com"</span> <span class="keyword">for</span> User-Name = <span class="string">"[email protected]"</span></span><br><span class="line">(2) suffix: <span class="literal">No</span> such realm <span class="string">"python.com"</span></span><br><span class="line">(2) [suffix] = noop</span><br><span class="line">(2) eap: <span class="literal">No</span> EAP-Message, <span class="keyword">not</span> doing EAP</span><br><span class="line">(2) [eap] = noop</span><br><span class="line">(2) files: users: Matched entry<span class="built_in"> DEFAULT </span>at line 69</span><br><span class="line">(2) [files] = ok</span><br><span class="line">(2) [expiration] = noop</span><br><span class="line">(2) [logintime] = noop</span><br><span class="line">(2) pap: WARNING: <span class="literal">No</span> <span class="string">"known good"</span> password found <span class="keyword">for</span> the user. <span class="keyword">Not</span> setting Auth-Type</span><br><span class="line">(2) pap: WARNING: Authentication will fail unless a <span class="string">"known good"</span> password is available</span><br><span class="line">(2) [pap] = noop</span><br><span class="line">(2) } # authorize = ok</span><br><span class="line">(2) Found Auth-Type = pam</span><br><span class="line">(2) # Executing<span class="built_in"> group </span><span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(2) authenticate {</span><br><span class="line">(2) pam: Using pamauth string <span class="string">"radiusd"</span> <span class="keyword">for</span> pam.conf lookup</span><br><span class="line">(2) pam: Authentication succeeded</span><br><span class="line">(2) [pam] = ok</span><br><span class="line">(2) } # authenticate = ok</span><br><span class="line">(2) # Executing section post-auth <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(2) post-auth {</span><br><span class="line">(2) update {</span><br><span class="line">(2) <span class="literal">No</span> attributes updated</span><br><span class="line">(2) } # update = noop</span><br><span class="line">(2) [exec] = noop</span><br><span class="line">(2) <span class="built_in"> policy </span>remove_reply_message_if_eap {</span><br><span class="line">(2) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) {</span><br><span class="line">(2) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) -> <span class="literal">FALSE</span></span><br><span class="line">(2) <span class="keyword">else</span> {</span><br><span class="line">(2) [noop] = noop</span><br><span class="line">(2) } # <span class="keyword">else</span> = noop</span><br><span class="line">(2) } #<span class="built_in"> policy </span>remove_reply_message_if_eap = noop</span><br><span class="line">(2) } # post-auth = noop</span><br><span class="line">(2) Sent Access-Accept Id 16 <span class="keyword">from</span> 127.0.0.1:1812 <span class="keyword">to</span> 127.0.0.1:38424 length 0</span><br><span class="line">(2) Finished request</span><br><span class="line">Waking up <span class="keyword">in</span> 4.9 seconds.</span><br><span class="line">(2) Cleaning up request packet ID 16 with timestamp +6169</span><br><span class="line">Ready <span class="keyword">to</span> process requests</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>使用户不需用带域名就可以被识别,需要修改配置文件/etc/sssd/sssd.conf,将use_fully_qualified_names行的True值修改为False。<figure class="highlight ini"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line"><span class="section">[root@centos8 ~]</span><span class="comment"># vi /etc/sssd/sssd.conf</span></span><br><span class="line"></span><br><span class="line"><span class="attr">use_fully_qualified_names</span> = <span class="literal">False</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>重启sssd服务,重新列出域控信息,登录格式可以和之前对比。<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">[root@centos8 ~]# systemctl restart sssd</span><br><span class="line"></span><br><span class="line">[root@centos8 ~]# realm list</span><br><span class="line">python.com</span><br><span class="line"> type: kerberos</span><br><span class="line"> realm-name: PYTHON.COM</span><br><span class="line"> domain-name: python.com</span><br><span class="line"> configured: kerberos-member</span><br><span class="line"> server-software: active-directory</span><br><span class="line"> client-software: sssd</span><br><span class="line"> required-package: oddjob</span><br><span class="line"> required-package: oddjob-mkhomedir</span><br><span class="line"> required-package: sssd</span><br><span class="line"> required-package: adcli</span><br><span class="line"> required-package: samba-common-tools</span><br><span class="line"> login-formats: %U</span><br><span class="line"> login-policy: allow-permitted-logins</span><br><span class="line"> permitted-logins:</span><br><span class="line"> permitted-groups: vpnusers</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>现在不用加域信息也能识别用户。<figure class="highlight gcode"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root@ce<span class="symbol">ntos8</span> ~]<span class="attr"># id vpnuser</span></span><br><span class="line"><span class="attr">uid=363201109</span><span class="comment">(vpnuser)</span> gid=<span class="number">363200513</span><span class="comment">(domain users)</span> 组=<span class="number">363200513</span><span class="comment">(domain users)</span>,<span class="number">363201108</span><span class="comment">(vpnusers)</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<hr>
<h2 id="五、安装和配置Google-Authenticator-PAM"><a href="#五、安装和配置Google-Authenticator-PAM" class="headerlink" title="五、安装和配置Google Authenticator PAM"></a>五、安装和配置Google Authenticator PAM</h2><h3 id="5-1-安装Google-Authenticator"><a href="#5-1-安装Google-Authenticator" class="headerlink" title="5.1 安装Google Authenticator"></a>5.1 安装Google Authenticator</h3><ul>
<li>准备PAM编译环境<figure class="highlight angelscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[<span class="symbol">root@</span>centos8 ~]# yum install pam-devel make gcc-c++ git</span><br><span class="line">[<span class="symbol">root@</span>centos8 ~]# yum install <span class="built_in">auto</span>make <span class="built_in">auto</span>conf libtool</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>下载安装文件,注意这里目录为<code>~</code><br><code>[root@centos8 ~]# git clone https://github.com/google/google-authenticator-libpam</code></li>
</ul>
<ul>
<li>安装google-authenticator<figure class="highlight autoit"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">[root<span class="symbol">@centos8</span> ~]<span class="meta"># cd google-authenticator-libpam/</span></span><br><span class="line">[root<span class="symbol">@centos8</span> google-authenticator-libpam]<span class="meta"># ./bootstrap.sh</span></span><br><span class="line">[root<span class="symbol">@centos8</span> google-authenticator-libpam]<span class="meta"># ./configure</span></span><br><span class="line">[root<span class="symbol">@centos8</span> google-authenticator-libpam]<span class="meta"># make</span></span><br><span class="line">[root<span class="symbol">@centos8</span> google-authenticator-libpam]<span class="meta"># make install</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<h3 id="5-2-账号开启双因素认证"><a href="#5-2-账号开启双因素认证" class="headerlink" title="5.2 账号开启双因素认证"></a>5.2 账号开启双因素认证</h3><ul>
<li>切换到ad账号<br><code>[root@centos8 ~]# su - [email protected]</code></li>
</ul>
<ul>
<li>为账号开启双因素认证。<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br></pre></td><td class="code"><pre><span class="line">[[email protected]@centos8 ~]$ google-authenticator</span><br><span class="line"></span><br><span class="line"><span class="keyword">Do</span> you want <span class="keyword">authentication</span> tokens <span class="keyword">to</span> be <span class="built_in">time</span>-based (y/n) y</span><br><span class="line"><span class="keyword">Warning</span>: pasting the <span class="keyword">following</span> <span class="keyword">URL</span> <span class="keyword">into</span> your browser exposes the OTP secret <span class="keyword">to</span> Google:</span><br><span class="line"> https://www.google.com/chart?chs=<span class="number">200</span>x200&chld=M|<span class="number">0</span>&cht=qr&chl=otpauth://totp/[email protected]@centos8%<span class="number">3</span>Fsecret%<span class="number">3</span>DOF2GUT37EUSG7Y2TYX57HKYRUY%<span class="number">26</span>issuer%<span class="number">3</span>Dcentos8</span><br><span class="line"><span class="keyword">Failed</span> <span class="keyword">to</span> <span class="keyword">use</span> libqrencode <span class="keyword">to</span> <span class="keyword">show</span> QR code visually <span class="keyword">for</span> scanning.</span><br><span class="line"></span><br><span class="line">如果安装了<span class="string">`libqrencode`</span>,屏幕会出现一个二维码如果你的终端终端不支持显示二维码,可以手动打开这个网页链接(墙)来查看二维码或者手动输入后面的密钥(secret <span class="keyword">key</span>)来代替扫描二维码,下面有<span class="number">5</span>个紧</span><br><span class="line">急救助码(emergency scratch code),</span><br><span class="line">紧急救助码就是当你无法获取认证码时(比如手机丢了),可以当做认证码来用,每用一个少一个,但其实可以手动添加的,建议如果 root 账户使用 Google Authenticator 的话一定要把紧急救助码另外保存一</span><br><span class="line">份。</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="keyword">Consider</span> typing the OTP secret <span class="keyword">into</span> your app manually.</span><br><span class="line">Your <span class="keyword">new</span> secret <span class="keyword">key</span> <span class="keyword">is</span>: OF2GUT37EUSG7Y2TYX57HKYRUY</span><br><span class="line">Enter code <span class="keyword">from</span> app (<span class="number">-1</span> <span class="keyword">to</span> <span class="keyword">skip</span>): <span class="number">198586</span></span><br><span class="line">Code confirmed</span><br><span class="line">Your emergency scratch codes <span class="keyword">are</span>:</span><br><span class="line"> <span class="number">82763900</span></span><br><span class="line"> <span class="number">77203549</span></span><br><span class="line"> <span class="number">34651872</span></span><br><span class="line"> <span class="number">82841984</span></span><br><span class="line"> <span class="number">93446389</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">Do</span> you want me <span class="keyword">to</span> <span class="keyword">update</span> your <span class="string">"/home/[email protected]/.google_authenticator"</span> <span class="keyword">file</span>? (y/n) y</span><br><span class="line">是否更新用户的 Google Authenticator 配置文件,选择 y 才能使上面操作对当前用户生效,其实就是在对应用户的 Home 目录下生成了一个 .google_authenticator 文件,</span><br><span class="line">如果你想停用这个用户的 Google Authenticator 验证,只需要删除这个用户 Home 目录下的 .google_authenticator 文件就可以了。</span><br><span class="line"></span><br><span class="line"><span class="keyword">Do</span> you want <span class="keyword">to</span> <span class="keyword">disallow</span> multiple uses <span class="keyword">of</span> the same <span class="keyword">authentication</span></span><br><span class="line">token? This restricts you <span class="keyword">to</span> one login about every <span class="number">30</span>s, but it increases</span><br><span class="line">your chances <span class="keyword">to</span> <span class="keyword">notice</span> <span class="keyword">or</span> even prevent man-<span class="keyword">in</span>-the-middle attacks (y/n) y</span><br><span class="line">每次生成的认证码是否同时只允许一个人使用?这里选择 y。</span><br><span class="line"></span><br><span class="line"><span class="keyword">By</span> <span class="keyword">default</span>, a <span class="keyword">new</span> token <span class="keyword">is</span> <span class="keyword">generated</span> every <span class="number">30</span> <span class="keyword">seconds</span> <span class="keyword">by</span> the mobile app.</span><br><span class="line"><span class="keyword">In</span> <span class="keyword">order</span> <span class="keyword">to</span> compensate <span class="keyword">for</span> possible <span class="built_in">time</span>-skew <span class="keyword">between</span> the <span class="keyword">client</span> <span class="keyword">and</span> the <span class="keyword">server</span>,</span><br><span class="line">we <span class="keyword">allow</span> an extra token <span class="keyword">before</span> <span class="keyword">and</span> <span class="keyword">after</span> the <span class="keyword">current</span> time. This allows <span class="keyword">for</span> a</span><br><span class="line"><span class="built_in">time</span> skew <span class="keyword">of</span> up <span class="keyword">to</span> <span class="number">30</span> <span class="keyword">seconds</span> <span class="keyword">between</span> <span class="keyword">authentication</span> <span class="keyword">server</span> <span class="keyword">and</span> client. <span class="keyword">If</span> you</span><br><span class="line">experience problems <span class="keyword">with</span> poor <span class="built_in">time</span> synchronization, you can increase the <span class="keyword">window</span></span><br><span class="line"><span class="keyword">from</span> its <span class="keyword">default</span> <span class="keyword">size</span> <span class="keyword">of</span> <span class="number">3</span> permitted codes (one previous code, the <span class="keyword">current</span></span><br><span class="line">code, the <span class="keyword">next</span> code) <span class="keyword">to</span> <span class="number">17</span> permitted codes (the <span class="number">8</span> previous codes, the <span class="keyword">current</span></span><br><span class="line">code, <span class="keyword">and</span> the <span class="number">8</span> <span class="keyword">next</span> codes). This will permit <span class="keyword">for</span> a <span class="built_in">time</span> skew <span class="keyword">of</span> up <span class="keyword">to</span> <span class="number">4</span> <span class="keyword">minutes</span></span><br><span class="line"><span class="keyword">between</span> <span class="keyword">client</span> <span class="keyword">and</span> server.</span><br><span class="line"><span class="keyword">Do</span> you want <span class="keyword">to</span> <span class="keyword">do</span> so? (y/n) y</span><br><span class="line">是否增加时间误差?这里选择 n或者y都行。</span><br><span class="line"></span><br><span class="line"><span class="keyword">If</span> the computer that you <span class="keyword">are</span> <span class="keyword">logging</span> <span class="keyword">into</span> isn<span class="string">'t hardened against brute-force</span></span><br><span class="line"><span class="string">login attempts, you can enable rate-limiting for the authentication module.</span></span><br><span class="line"><span class="string">By default, this limits attackers to no more than 3 login attempts every 30s.</span></span><br><span class="line"><span class="string">Do you want to enable rate-limiting? (y/n) y</span></span><br><span class="line"><span class="string">是否启用次数限制?</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>上面的交互式的设置也可用通过参数一次性设置(推荐),先查看一下参数含义。<figure class="highlight stata"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">[[email protected]@centos8 ~]<span class="variable">$google</span>-authenticator -<span class="keyword">h</span></span><br><span class="line">google-authenticator [<options>]</span><br><span class="line"> -<span class="keyword">h</span>, --<span class="keyword">help</span> <span class="keyword">Print</span> this message</span><br><span class="line"> -c, --counter-based <span class="keyword">Set</span> up counter-based (HOTP) verification</span><br><span class="line"> -C, --<span class="keyword">no</span>-<span class="keyword">confirm</span> Don't <span class="keyword">confirm</span> code. <span class="keyword">For</span> non-interactive setups</span><br><span class="line"> -t, --time-based <span class="keyword">Set</span> up time-based (TOTP) verification</span><br><span class="line"> -<span class="keyword">d</span>, --disallow-reuse Disallow reuse of previously used TOTP tokens</span><br><span class="line"> -<span class="keyword">D</span>, --allow-reuse Allow reuse of previously used TOTP tokens</span><br><span class="line"> -f, --force Write <span class="keyword">file</span> without first confirming with user</span><br><span class="line"> -<span class="keyword">l</span>, --<span class="keyword">label</span>=<<span class="keyword">label</span>> Override the default <span class="keyword">label</span> <span class="keyword">in</span> <span class="string">"otpauth://"</span> URL</span><br><span class="line"> -i, --issuer=<issuer> Override the default issuer <span class="keyword">in</span> <span class="string">"otpauth://"</span> URL</span><br><span class="line"> -q, --quiet Quiet mode</span><br><span class="line"> -Q, --qr-mode={NONE,ANSI,UTF8} QRCode output mode</span><br><span class="line"> -r, --rate-limit=<span class="keyword">N</span> Limit logins to <span class="keyword">N</span> per every <span class="keyword">M</span> seconds</span><br><span class="line"> -R, --rate-time=<span class="keyword">M</span> Limit logins to <span class="keyword">N</span> per every <span class="keyword">M</span> seconds</span><br><span class="line"> -<span class="keyword">u</span>, --<span class="keyword">no</span>-rate-limit Disable rate-limiting</span><br><span class="line"> -s, --secret=<<span class="keyword">file</span>> Specify a non-standard <span class="keyword">file</span> location</span><br><span class="line"> -S, --step-size=S <span class="keyword">Set</span> interval between <span class="keyword">token</span> refreshes</span><br><span class="line"> -w, --<span class="keyword">window</span>-size=W <span class="keyword">Set</span> <span class="keyword">window</span> of concurrently valid codes</span><br><span class="line"> -W, --minimal-<span class="keyword">window</span> Disable <span class="keyword">window</span> of concurrently valid codes</span><br><span class="line"> -<span class="keyword">e</span>, --emergency-codes=<span class="keyword">N</span> Number of emergency codes to <span class="keyword">generate</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>这里Cisco_VPN是会在APP上显示的令牌名标签,vpnuser@centos8是APP上的主机名标签。<figure class="highlight llvm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">[vpnuser<span class="title">@python.com</span><span class="title">@centos8</span> ~]$ google-authenticator -t -f -d -l vpnuser<span class="title">@centos8</span> -i Cisco_VPN -r <span class="number">3</span> -R <span class="number">30</span> -W</span><br><span class="line">Warning: pasting the following URL into your browser exposes the OTP secret <span class="keyword">to</span> Google:</span><br><span class="line"> https://www.google.com/chart?chs=<span class="number">200</span><span class="keyword">x</span><span class="number">200</span>&chld=M|<span class="number">0</span>&cht=qr&chl=otpauth://totp/lql<span class="title">@centos8</span><span class="symbol">%3</span>Fsecret<span class="symbol">%3</span>DJQ<span class="number">355</span>PSUBG<span class="number">52</span>KJBUMDJVBSMDLU<span class="symbol">%26</span>issuer<span class="symbol">%3</span>DLQL.ME</span><br></pre></td></tr></table></figure>
</li>
</ul>
<h3 id="5-3-修改pam配置文件,并测试AD账号加动态码登录radius。"><a href="#5-3-修改pam配置文件,并测试AD账号加动态码登录radius。" class="headerlink" title="5.3 修改pam配置文件,并测试AD账号加动态码登录radius。"></a>5.3 修改pam配置文件,并测试AD账号加动态码登录radius。</h3><ul>
<li>查找<code>pam_google_authenticator.so</code>所在目录<figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">[root@centos8 ~]<span class="comment"># find / -name pam_google_authenticator.so</span></span><br><span class="line"><span class="regexp">/usr/</span>local<span class="regexp">/lib/</span>security<span class="regexp">/pam_google_authenticator.so</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>编辑<code>/etc/pam.d/radiusd</code>,告诉FreeRadius使用本地Unix密码和Google Authenticator代码对用户进行身份验证。<figure class="highlight crystal"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">[root@centos8 ~]<span class="comment"># vi /etc/pam.d/radiusd</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#%PAM-1.0</span></span><br><span class="line"><span class="comment">#auth include password-auth</span></span><br><span class="line"><span class="comment">#account required pam_nologin.so</span></span><br><span class="line"><span class="comment">#account include password-auth</span></span><br><span class="line"><span class="comment">#password include password-auth</span></span><br><span class="line"><span class="comment">#session include password-auth</span></span><br><span class="line"></span><br><span class="line">auth requisite /usr/local/<span class="class"><span class="keyword">lib</span>/<span class="title">security</span>/<span class="title">pam_google_authenticator</span>.<span class="title">so</span> <span class="title">forward_pass</span></span></span><br><span class="line">auth required pam_sss.so use_first_pass</span><br><span class="line">account required pam_nologin.so</span><br><span class="line">account <span class="keyword">include</span> password-auth</span><br><span class="line">session <span class="keyword">include</span> password-auth</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>开启radius调试模式<br><code>[root@centos8 ~]#radius -X</code></li>
</ul>
<ul>
<li>在新的窗口使用域账号测试radius认证,这里密码构成是<strong>密码+动态码</strong>。<figure class="highlight angelscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">[<span class="symbol">root@</span>centos8 ~]# radtest <span class="symbol">vpnuser@</span>python.com Cisc0123072009 localhost <span class="number">18120</span> testing123</span><br><span class="line">Sent Access-Request Id <span class="number">119</span> <span class="keyword">from</span> <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>:<span class="number">49063</span> to <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">1812</span> length <span class="number">88</span></span><br><span class="line"> User-Name = <span class="string">"[email protected]"</span></span><br><span class="line"> User-Password = <span class="string">"Cisc0123072009"</span></span><br><span class="line"> NAS-IP-Address = <span class="number">172.20</span><span class="number">.29</span><span class="number">.110</span></span><br><span class="line"> NAS-Port = <span class="number">18120</span></span><br><span class="line"> Message-Authenticator = <span class="number">0x00</span></span><br><span class="line"> Cleartext-Password = <span class="string">"Cisc0123072009"</span></span><br><span class="line">Received Access-Accept Id <span class="number">119</span> <span class="keyword">from</span> <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">1812</span> to <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">49063</span> length <span class="number">20</span></span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>AD 结合动态码测试日志<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br></pre></td><td class="code"><pre><span class="line">(3) Received Access-Request Id 119 <span class="keyword">from</span> 127.0.0.1:49063 <span class="keyword">to</span> 127.0.0.1:1812 length 88</span><br><span class="line">(3) User-Name = <span class="string">"[email protected]"</span></span><br><span class="line">(3) User-Password = <span class="string">"Cisc0123072009"</span></span><br><span class="line">(3) NAS-IP-Address = 172.20.29.110</span><br><span class="line">(3) NAS-Port = 18120</span><br><span class="line">(3) Message-Authenticator = 0x457cc852a7cb00f054b1cc168f75998e</span><br><span class="line">(3) # Executing section authorize <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(3) authorize {</span><br><span class="line">(3) <span class="built_in"> policy </span>filter_username {</span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name) -> <span class="literal">TRUE</span></span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ / /) {</span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ / /) -> <span class="literal">FALSE</span></span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) {</span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) -> <span class="literal">FALSE</span></span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) {</span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) -> <span class="literal">FALSE</span></span><br><span class="line">(3) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {</span><br><span class="line">(3) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> <span class="literal">FALSE</span></span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ /\.$/) {</span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ /\.$/) -> <span class="literal">FALSE</span></span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ /@\./) {</span><br><span class="line">(3) <span class="keyword">if</span> (&User-Name =~ /@\./) -> <span class="literal">FALSE</span></span><br><span class="line">(3) } # <span class="keyword">if</span> (&User-Name) = notfound</span><br><span class="line">(3) } #<span class="built_in"> policy </span>filter_username = notfound</span><br><span class="line">(3) [preprocess] = ok</span><br><span class="line">(3) [chap] = noop</span><br><span class="line">(3) [mschap] = noop</span><br><span class="line">(3) [digest] = noop</span><br><span class="line">(3) suffix: Checking <span class="keyword">for</span> suffix after <span class="string">"@"</span></span><br><span class="line">(3) suffix: Looking up realm <span class="string">"python.com"</span> <span class="keyword">for</span> User-Name = <span class="string">"[email protected]"</span></span><br><span class="line">(3) suffix: <span class="literal">No</span> such realm <span class="string">"python.com"</span></span><br><span class="line">(3) [suffix] = noop</span><br><span class="line">(3) eap: <span class="literal">No</span> EAP-Message, <span class="keyword">not</span> doing EAP</span><br><span class="line">(3) [eap] = noop</span><br><span class="line">(3) files: users: Matched entry<span class="built_in"> DEFAULT </span>at line 69</span><br><span class="line">(3) [files] = ok</span><br><span class="line">(3) [expiration] = noop</span><br><span class="line">(3) [logintime] = noop</span><br><span class="line">(3) pap: WARNING: <span class="literal">No</span> <span class="string">"known good"</span> password found <span class="keyword">for</span> the user. <span class="keyword">Not</span> setting Auth-Type</span><br><span class="line">(3) pap: WARNING: Authentication will fail unless a <span class="string">"known good"</span> password is available</span><br><span class="line">(3) [pap] = noop</span><br><span class="line">(3) } # authorize = ok</span><br><span class="line">(3) Found Auth-Type = pam</span><br><span class="line">(3) # Executing<span class="built_in"> group </span><span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(3) authenticate {</span><br><span class="line">(3) pam: Using pamauth string <span class="string">"radiusd"</span> <span class="keyword">for</span> pam.conf lookup</span><br><span class="line">(3) pam: Authentication succeeded</span><br><span class="line">(3) [pam] = ok</span><br><span class="line">(3) } # authenticate = ok</span><br><span class="line">(3) # Executing section post-auth <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(3) post-auth {</span><br><span class="line">(3) update {</span><br><span class="line">(3) <span class="literal">No</span> attributes updated</span><br><span class="line">(3) } # update = noop</span><br><span class="line">(3) [exec] = noop</span><br><span class="line">(3) <span class="built_in"> policy </span>remove_reply_message_if_eap {</span><br><span class="line">(3) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) {</span><br><span class="line">(3) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) -> <span class="literal">FALSE</span></span><br><span class="line">(3) <span class="keyword">else</span> {</span><br><span class="line">(3) [noop] = noop</span><br><span class="line">(3) } # <span class="keyword">else</span> = noop</span><br><span class="line">(3) } #<span class="built_in"> policy </span>remove_reply_message_if_eap = noop</span><br><span class="line">(3) } # post-auth = noop</span><br><span class="line">(3) Sent Access-Accept Id 119 <span class="keyword">from</span> 127.0.0.1:1812 <span class="keyword">to</span> 127.0.0.1:49063 length 0</span><br><span class="line">(3) Finished request</span><br><span class="line">Waking up <span class="keyword">in</span> 4.9 seconds.</span><br><span class="line">(3) Cleaning up request packet ID 119 with timestamp +6972</span><br><span class="line">Ready <span class="keyword">to</span> process requests</span><br></pre></td></tr></table></figure>
</li>
</ul>
<hr>
<h2 id="六、ASAv-AnyConnect-配置"><a href="#六、ASAv-AnyConnect-配置" class="headerlink" title="六、ASAv AnyConnect 配置"></a>六、ASAv AnyConnect 配置</h2><h3 id="6-1-ASAv初始化配置"><a href="#6-1-ASAv初始化配置" class="headerlink" title="6.1 ASAv初始化配置"></a>6.1 ASAv初始化配置</h3><ul>
<li>ASAv接口初始化,这里我通过防火墙mgmt接口ssh网管。<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">interface Management0/0</span><br><span class="line"> nameif mgmt</span><br><span class="line"> security-level 0</span><br><span class="line"><span class="built_in"> ip address </span>192.168.100.100 255.255.255.0</span><br><span class="line"></span><br><span class="line">ssh 0.0.0.0 0.0.0.0 mgmt</span><br><span class="line"></span><br><span class="line">interface GigabitEthernet0/0</span><br><span class="line"> nameif outside</span><br><span class="line"> security-level 0</span><br><span class="line"><span class="built_in"> ip address </span>202.100.1.254 255.255.255.0</span><br><span class="line">!</span><br><span class="line">interface GigabitEthernet0/1</span><br><span class="line"> nameif inside</span><br><span class="line"> security-level 100</span><br><span class="line"><span class="built_in"> ip address </span>192.168.1.254 255.255.255.0</span><br></pre></td></tr></table></figure>
</li>
</ul>
<h3 id="6-2-ASAv上传AnyConnect镜像"><a href="#6-2-ASAv上传AnyConnect镜像" class="headerlink" title="6.2 ASAv上传AnyConnect镜像"></a>6.2 ASAv上传AnyConnect镜像</h3><ul>
<li>开启http服务,创建本地管理密码,让ASDM可以顺利连接。<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">http<span class="built_in"> server </span><span class="builtin-name">enable</span> 8000</span><br><span class="line">http 0 0 mgmt</span><br><span class="line">aaa authentication http<span class="built_in"> console </span>LOCAL</span><br><span class="line">username admin password cisco privilege 15</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>ASDM上传AnyConnect镜像到ASAv本地。</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-asdm-01.png" alt="[AnyConnect-freeradius-ad-mfa]asdm-01"><br><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-asdm-02.png" alt="[AnyConnect-freeradius-ad-mfa]asdm-02"><br><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-asdm-03.png" alt="[AnyConnect-freeradius-ad-mfa]asdm-03"><br><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-asdm-04.png" alt="[AnyConnect-freeradius-ad-mfa]asdm-04"></p>
<ul>
<li>确认AnyConnect上传成功<figure class="highlight angelscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">MFA-ASAv# dir</span><br><span class="line">Directory of disk0:/</span><br><span class="line"><span class="number">94</span> -rwx <span class="number">41077110</span> <span class="number">08</span>:<span class="number">07</span>:<span class="number">22</span> Mar <span class="number">05</span> <span class="number">2020</span> anyconnect-win<span class="number">-4.6</span><span class="number">.00362</span>-webdeploy-k9.pkg</span><br></pre></td></tr></table></figure>
</li>
</ul>
<h3 id="6-3-Cisco-ASAv-AnyConnect本地认证配置。"><a href="#6-3-Cisco-ASAv-AnyConnect本地认证配置。" class="headerlink" title="6.3 Cisco ASAv AnyConnect本地认证配置。"></a>6.3 Cisco ASAv AnyConnect本地认证配置。</h3><ul>
<li><p>首先配置AnyConnect的本地认证,当本地认证测试通过之后,再将认证流量送到freeradius进行双因素认证。</p>
<figure class="highlight properties"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="attr">username</span> <span class="string">ssluser password cisco</span></span><br><span class="line"></span><br><span class="line"><span class="attr">webvpn</span></span><br><span class="line"> <span class="attr">enable</span> <span class="string">outside</span></span><br><span class="line"> <span class="attr">anyconnect</span> <span class="string">image disk0:/anyconnect-win-4.6.00362-webdeploy-k9.pkg 1</span></span><br><span class="line"> <span class="attr">anyconnect</span> <span class="string">enable</span></span><br></pre></td></tr></table></figure>
</li>
<li><p>这里启用了隧道分隔。</p>
<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">access-list anyconnect_split standard permit 192.168.1.0 255.255.255.0</span><br><span class="line">access-list anyconnect_filter_acl extended permit<span class="built_in"> ip </span>any 192.168.1.0 255.255.255.0</span><br><span class="line"></span><br><span class="line">ip local<span class="built_in"> pool </span>sslvpn_pool 192.168.50.100-192.168.50.200</span><br><span class="line"></span><br><span class="line">group-policy anyconnect_group_policy internal</span><br><span class="line">group-policy anyconnect_group_policy attributes</span><br><span class="line"> vpn-filter value anyconnect_filter_acl</span><br><span class="line"> vpn-tunnel-protocol ssl-client ssl-clientless</span><br><span class="line"> split-tunnel-policy tunnelspecified</span><br><span class="line"> split-tunnel-network-list value anyconnect_split</span><br><span class="line"> address-pools value sslvpn_pool</span><br><span class="line"> webvpn</span><br><span class="line"> anyconnect profiles value anyconnect_profile<span class="built_in"> type </span>user</span><br><span class="line"></span><br><span class="line">username ssluser attributes</span><br><span class="line"> vpn-group-policy anyconnect_group_policy</span><br></pre></td></tr></table></figure>
</li>
<li><p>默认anyconnect不允许通过RDP的方式登录,这里我的管理机器是通过RDP登录的。所以需要修改anyconnect profile,让RDP用户能正常登录。</p>
</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-rdp-01.png" alt="[AnyConnect-freeradius-ad-mfa]rdp-01"></p>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-rdp-02.png" alt="[AnyConnect-freeradius-ad-mfa]rdp-02"></p>
<ul>
<li>通过ASDM配置profile之后,通过命令行确认profile调用。<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">group-policy anyconnect_group_policy attributes</span><br><span class="line"> webvpn</span><br><span class="line"> anyconnect profiles value anyconnect_profile<span class="built_in"> type </span>user</span><br></pre></td></tr></table></figure>
</li>
</ul>
<h3 id="6-4-AnyConnect本地账号登录测试"><a href="#6-4-AnyConnect本地账号登录测试" class="headerlink" title="6.4 AnyConnect本地账号登录测试"></a>6.4 AnyConnect本地账号登录测试</h3><p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-01.png" alt="[AnyConnect-freeradius-ad-mfa]login-01"><br><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-02.png" alt="[AnyConnect-freeradius-ad-mfa]login-02"><br><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-03.png" alt="[AnyConnect-freeradius-ad-mfa]login-03"></p>
<h3 id="6-5-freeradius配置和测试"><a href="#6-5-freeradius配置和测试" class="headerlink" title="6.5 freeradius配置和测试"></a>6.5 freeradius配置和测试</h3><ul>
<li>配置3A服务器指向freeradius。<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">aaa-server freeradius protocol radius</span><br><span class="line">aaa-server freeradius (inside) host 192.168.1.10</span><br><span class="line"> key cisco</span><br><span class="line"> authentication-port 1812</span><br><span class="line"></span><br><span class="line">tunnel-group DefaultWEBVPNGroup general-attributes</span><br><span class="line"> authentication-server-group freeradius</span><br><span class="line"> default-group-policy anyconnect_group_policy</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>ASAv使用AD账号测试radius服务,因为之前修改过SSSD配置文件,这里是否添加<code>python.com</code>域名都可以。<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">MFA-ASAv# test aaa-server authentication freeradius host 192.168.1.10 username vpnuser password Cisc0123187977</span><br><span class="line">INFO: Attempting Authentication test <span class="keyword">to</span><span class="built_in"> IP address </span><192.168.1.10> (timeout: 12 seconds)</span><br><span class="line">INFO: Authentication Successful</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li>radius调试模式看到的日志<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br></pre></td><td class="code"><pre><span class="line">Listening on acct<span class="built_in"> address </span>::<span class="built_in"> port </span>1813 bound <span class="keyword">to</span><span class="built_in"> server </span>default</span><br><span class="line">Listening on auth<span class="built_in"> address </span>127.0.0.1<span class="built_in"> port </span>18120 bound <span class="keyword">to</span><span class="built_in"> server </span>inner-tunnel</span><br><span class="line">Listening on<span class="built_in"> proxy address </span>*<span class="built_in"> port </span>54915</span><br><span class="line">Listening on<span class="built_in"> proxy address </span>::<span class="built_in"> port </span>45190</span><br><span class="line">Ready <span class="keyword">to</span> process requests</span><br><span class="line">(0) Received Access-Request Id 4 <span class="keyword">from</span> 192.168.1.254:30861 <span class="keyword">to</span> 192.168.1.10:1812 length 86</span><br><span class="line">(0) User-Name = <span class="string">"vpnuser"</span></span><br><span class="line">(0) User-Password = <span class="string">"Cisc0123187977"</span></span><br><span class="line">(0) NAS-IP-Address = 192.168.1.254</span><br><span class="line">(0) NAS-Port = 4</span><br><span class="line">(0) NAS-Port-Type = Virtual</span><br><span class="line">(0) Cisco-AVPair = <span class="string">"coa-push=true"</span></span><br><span class="line">(0) # Executing section authorize <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(0) authorize {</span><br><span class="line">(0) <span class="built_in"> policy </span>filter_username {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name) -> <span class="literal">TRUE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ / /) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ / /) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {</span><br><span class="line">(0) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /\.$/) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /\.$/) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /@\./) {</span><br><span class="line">(0) <span class="keyword">if</span> (&User-Name =~ /@\./) -> <span class="literal">FALSE</span></span><br><span class="line">(0) } # <span class="keyword">if</span> (&User-Name) = notfound</span><br><span class="line">(0) } #<span class="built_in"> policy </span>filter_username = notfound</span><br><span class="line">(0) [preprocess] = ok</span><br><span class="line">(0) [chap] = noop</span><br><span class="line">(0) [mschap] = noop</span><br><span class="line">(0) [digest] = noop</span><br><span class="line">(0) suffix: Checking <span class="keyword">for</span> suffix after <span class="string">"@"</span></span><br><span class="line">(0) suffix: <span class="literal">No</span> <span class="string">'@'</span> <span class="keyword">in</span> User-Name = <span class="string">"vpnuser"</span>, looking up realm <span class="literal">NULL</span></span><br><span class="line">(0) suffix: <span class="literal">No</span> such realm <span class="string">"NULL"</span></span><br><span class="line">(0) [suffix] = noop</span><br><span class="line">(0) eap: <span class="literal">No</span> EAP-Message, <span class="keyword">not</span> doing EAP</span><br><span class="line">(0) [eap] = noop</span><br><span class="line">(0) files: users: Matched entry<span class="built_in"> DEFAULT </span>at line 69</span><br><span class="line">(0) [files] = ok</span><br><span class="line">(0) [expiration] = noop</span><br><span class="line">(0) [logintime] = noop</span><br><span class="line">(0) pap: WARNING: <span class="literal">No</span> <span class="string">"known good"</span> password found <span class="keyword">for</span> the user. <span class="keyword">Not</span> setting Auth-Type</span><br><span class="line">(0) pap: WARNING: Authentication will fail unless a <span class="string">"known good"</span> password is available</span><br><span class="line">(0) [pap] = noop</span><br><span class="line">(0) } # authorize = ok</span><br><span class="line">(0) Found Auth-Type = pam</span><br><span class="line">(0) # Executing<span class="built_in"> group </span><span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(0) authenticate {</span><br><span class="line">(0) pam: Using pamauth string <span class="string">"radiusd"</span> <span class="keyword">for</span> pam.conf lookup</span><br><span class="line">(0) pam: Authentication succeeded</span><br><span class="line">(0) [pam] = ok</span><br><span class="line">(0) } # authenticate = ok</span><br><span class="line">(0) # Executing section post-auth <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(0) post-auth {</span><br><span class="line">(0) update {</span><br><span class="line">(0) <span class="literal">No</span> attributes updated</span><br><span class="line">(0) } # update = noop</span><br><span class="line">(0) [exec] = noop</span><br><span class="line">(0) <span class="built_in"> policy </span>remove_reply_message_if_eap {</span><br><span class="line">(0) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) {</span><br><span class="line">(0) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) -> <span class="literal">FALSE</span></span><br><span class="line">(0) <span class="keyword">else</span> {</span><br><span class="line">(0) [noop] = noop</span><br><span class="line">(0) } # <span class="keyword">else</span> = noop</span><br><span class="line">(0) } #<span class="built_in"> policy </span>remove_reply_message_if_eap = noop</span><br><span class="line">(0) } # post-auth = noop</span><br><span class="line">(0) Sent Access-Accept Id 4 <span class="keyword">from</span> 192.168.1.10:1812 <span class="keyword">to</span> 192.168.1.254:30861 length 0</span><br><span class="line">(0) Finished request</span><br><span class="line">Waking up <span class="keyword">in</span> 4.9 seconds.</span><br><span class="line">(0) Cleaning up request packet ID 4 with timestamp +11</span><br><span class="line">Ready <span class="keyword">to</span> process requests</span><br></pre></td></tr></table></figure>
</li>
</ul>
<ul>
<li><p>如果radius -X 无法运行,并且报错如下,一般是radius服务已经启动,占用了1812端口号导致的。</p>
<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Failed binding <span class="keyword">to</span> auth<span class="built_in"> address </span>*<span class="built_in"> port </span>1812 bound <span class="keyword">to</span><span class="built_in"> server </span>default:<span class="built_in"> Address </span>already <span class="keyword">in</span> use</span><br><span class="line">/etc/raddb/sites-enabled/default[59]: <span class="builtin-name">Error</span> binding <span class="keyword">to</span><span class="built_in"> port </span><span class="keyword">for</span> 0.0.0.0<span class="built_in"> port </span>1812</span><br></pre></td></tr></table></figure>
</li>
<li><p>查看UDP端口号使用。</p>
<figure class="highlight angelscript"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">[<span class="symbol">root@</span>centos8 ~]# ss -ulnp</span><br><span class="line">State Recv-Q Send-Q Local Address:Port Peer Address:Port</span><br><span class="line">UNCONN <span class="number">0</span> <span class="number">0</span> <span class="number">127.0</span><span class="number">.0</span><span class="number">.1</span>:<span class="number">18120</span> <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>:* users:((<span class="string">"radiusd"</span>,pid=<span class="number">15068</span>,fd=<span class="number">14</span>))</span><br><span class="line">UNCONN <span class="number">0</span> <span class="number">0</span> <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>:<span class="number">1812</span> <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>:* users:((<span class="string">"radiusd"</span>,pid=<span class="number">15068</span>,fd=<span class="number">10</span>))</span><br><span class="line">UNCONN <span class="number">0</span> <span class="number">0</span> <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>:<span class="number">1813</span> <span class="number">0.0</span><span class="number">.0</span><span class="number">.0</span>:* users:((<span class="string">"radiusd"</span>,pid=<span class="number">15068</span>,fd=<span class="number">11</span>))</span><br></pre></td></tr></table></figure>
</li>
<li><p>可以使用<code>pkill</code>命令结束radius所有进程。<br><code>[root@centos8 ~]# pkill radiusd</code></p>
</li>
</ul>
<h3 id="6-6-使用-AD账号-动态码-登录AnyConnect"><a href="#6-6-使用-AD账号-动态码-登录AnyConnect" class="headerlink" title="6.6 使用 AD账号+动态码 登录AnyConnect"></a>6.6 使用 AD账号+动态码 登录AnyConnect</h3><ul>
<li>AnyConnect输入密码时,首先输入AD密码,然后输入6位动态码。例如这里密码是<code>Cisc0123</code>,动态码是<code>914714</code>,那么密码框应该输入<code>Cisc0123914714</code>。</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-01.png" alt="[AnyConnect-freeradius-ad-mfa]login-01"><br><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-ad.png" alt="[AnyConnect-freeradius-ad-mfa]login-ad"><br><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-login-03.png" alt="[AnyConnect-freeradius-ad-mfa]login-03"></p>
<ul>
<li>动态码</li>
</ul>
<p><img src="../images/blog/cisco-ad-freeradius-mfa-centos8/%5BAnyConnect-freeradius-ad-mfa%5D-code.png" alt="[AnyConnect-freeradius-ad-mfa]code"></p>
<ul>
<li>AnyConnect登录,radius 调试日志。<figure class="highlight routeros"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br></pre></td><td class="code"><pre><span class="line">(4) Received Access-Request Id 8 <span class="keyword">from</span> 192.168.1.254:30861 <span class="keyword">to</span> 192.168.1.10:1812 length 666</span><br><span class="line">(4) User-Name = <span class="string">"vpnuser"</span></span><br><span class="line">(4) User-Password = <span class="string">"Cisc0123914714"</span></span><br><span class="line">(4) NAS-Port = 32768</span><br><span class="line">(4) Called-Station-Id = <span class="string">"202.100.1.254"</span></span><br><span class="line">(4) Calling-Station-Id = <span class="string">"202.100.1.10"</span></span><br><span class="line">(4) NAS-Port-Type = Virtual</span><br><span class="line">(4) Tunnel-Client-Endpoint:0 = <span class="string">"202.100.1.10"</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"mdm-tlv=device-platform=win"</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"mdm-tlv=device-mac=00-50-56-8e-14-a9"</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"mdm-tlv=device-mac=00-50-56-8e-8a-ac"</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"mdm-tlv=device-mac=00-50-56-8e-93-54"</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"mdm-tlv=device-type=VMware, Inc. VMware7,1"</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"mdm-tlv=device-platform-version=10.0.18362 "</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"mdm-tlv=ac-user-agent=AnyConnect Windows 4.6.00362"</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"mdm-tlv=device-uid=D7237D73128E45F4F2706858D0F4AC09129E5131839298ACB03D3999125B5FC1"</span></span><br><span class="line">(4) NAS-IP-Address = 192.168.1.254</span><br><span class="line">(4) Cisco-AVPair = <span class="string">"audit-session-id=c0a801fe000080005e60c235"</span></span><br><span class="line">(4) Cisco-AVPair = <span class="string">"ip:source-ip=202.100.1.10"</span></span><br><span class="line">(4) ASA-TunnelGroupName = <span class="string">"DefaultWEBVPNGroup"</span></span><br><span class="line">(4) ASA-ClientType = AnyConnect-Client-SSL-VPN</span><br><span class="line">(4) Cisco-AVPair = <span class="string">"coa-push=true"</span></span><br><span class="line">(4) # Executing section authorize <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(4) authorize {</span><br><span class="line">(4) <span class="built_in"> policy </span>filter_username {</span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name) -> <span class="literal">TRUE</span></span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name) {</span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ / /) {</span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ / /) -> <span class="literal">FALSE</span></span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) {</span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ /@[^@]*@/ ) -> <span class="literal">FALSE</span></span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) {</span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ /\.\./ ) -> <span class="literal">FALSE</span></span><br><span class="line">(4) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {</span><br><span class="line">(4) <span class="keyword">if</span> ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> <span class="literal">FALSE</span></span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ /\.$/) {</span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ /\.$/) -> <span class="literal">FALSE</span></span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ /@\./) {</span><br><span class="line">(4) <span class="keyword">if</span> (&User-Name =~ /@\./) -> <span class="literal">FALSE</span></span><br><span class="line">(4) } # <span class="keyword">if</span> (&User-Name) = notfound</span><br><span class="line">(4) } #<span class="built_in"> policy </span>filter_username = notfound</span><br><span class="line">(4) [preprocess] = ok</span><br><span class="line">(4) [chap] = noop</span><br><span class="line">(4) [mschap] = noop</span><br><span class="line">(4) [digest] = noop</span><br><span class="line">(4) suffix: Checking <span class="keyword">for</span> suffix after <span class="string">"@"</span></span><br><span class="line">(4) suffix: <span class="literal">No</span> <span class="string">'@'</span> <span class="keyword">in</span> User-Name = <span class="string">"vpnuser"</span>, looking up realm <span class="literal">NULL</span></span><br><span class="line">(4) suffix: <span class="literal">No</span> such realm <span class="string">"NULL"</span></span><br><span class="line">(4) [suffix] = noop</span><br><span class="line">(4) eap: <span class="literal">No</span> EAP-Message, <span class="keyword">not</span> doing EAP</span><br><span class="line">(4) [eap] = noop</span><br><span class="line">(4) files: users: Matched entry<span class="built_in"> DEFAULT </span>at line 69</span><br><span class="line">(4) [files] = ok</span><br><span class="line">(4) [expiration] = noop</span><br><span class="line">(4) [logintime] = noop</span><br><span class="line">(4) pap: WARNING: <span class="literal">No</span> <span class="string">"known good"</span> password found <span class="keyword">for</span> the user. <span class="keyword">Not</span> setting Auth-Type</span><br><span class="line">(4) pap: WARNING: Authentication will fail unless a <span class="string">"known good"</span> password is available</span><br><span class="line">(4) [pap] = noop</span><br><span class="line">(4) } # authorize = ok</span><br><span class="line">(4) Found Auth-Type = pam</span><br><span class="line">(4) # Executing<span class="built_in"> group </span><span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(4) authenticate {</span><br><span class="line">(4) pam: Using pamauth string <span class="string">"radiusd"</span> <span class="keyword">for</span> pam.conf lookup</span><br><span class="line">(4) pam: Authentication succeeded</span><br><span class="line">(4) [pam] = ok</span><br><span class="line">(4) } # authenticate = ok</span><br><span class="line">(4) # Executing section post-auth <span class="keyword">from</span> file /etc/raddb/sites-enabled/default</span><br><span class="line">(4) post-auth {</span><br><span class="line">(4) update {</span><br><span class="line">(4) <span class="literal">No</span> attributes updated</span><br><span class="line">(4) } # update = noop</span><br><span class="line">(4) [exec] = noop</span><br><span class="line">(4) <span class="built_in"> policy </span>remove_reply_message_if_eap {</span><br><span class="line">(4) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) {</span><br><span class="line">(4) <span class="keyword">if</span> (&reply:EAP-Message && &reply:Reply-Message) -> <span class="literal">FALSE</span></span><br><span class="line">(4) <span class="keyword">else</span> {</span><br><span class="line">(4) [noop] = noop</span><br><span class="line">(4) } # <span class="keyword">else</span> = noop</span><br><span class="line">(4) } #<span class="built_in"> policy </span>remove_reply_message_if_eap = noop</span><br><span class="line">(4) } # post-auth = noop</span><br><span class="line">(4) Sent Access-Accept Id 8 <span class="keyword">from</span> 192.168.1.10:1812 <span class="keyword">to</span> 192.168.1.254:30861 length 0</span><br><span class="line">(4) Finished request</span><br><span class="line">Waking up <span class="keyword">in</span> 4.9 seconds.</span><br><span class="line">(4) Cleaning up request packet ID 8 with timestamp +608</span><br><span class="line">Ready <span class="keyword">to</span> process requests</span><br></pre></td></tr></table></figure>
</li>
</ul>
</div>
<footer class="post-footer">
<div class="post-tags">
<a href="/tags/Cisco-ASAv/" rel="tag"># Cisco ASAv</a>
<a href="/tags/AnyConnect/" rel="tag"># AnyConnect</a>
<a href="/tags/FreeRADIUS/" rel="tag"># FreeRADIUS</a>
<a href="/tags/Google-Authenticator/" rel="tag"># Google Authenticator</a>
</div>
<div class="post-nav">
<div class="post-nav-item">
<a href="/WLC-HA-%E5%8D%87%E7%BA%A7%E6%AD%A5%E9%AA%A4.html" rel="prev" title="WLC HA 升级步骤">
<i class="fa fa-chevron-left"></i> WLC HA 升级步骤
</a></div>
<div class="post-nav-item">
<a href="/hello-world.html" rel="next" title="Hello World">
Hello World <i class="fa fa-chevron-right"></i>
</a></div>
</div>
</footer>
</article>
</div>
</div>
<div class="comments" id="valine-comments"></div>
<script>
window.addEventListener('tabs:register', () => {
let { activeClass } = CONFIG.comments;
if (CONFIG.comments.storage) {
activeClass = localStorage.getItem('comments_active') || activeClass;
}
if (activeClass) {
let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
if (activeTab) {
activeTab.click();
}
}
});
if (CONFIG.comments.storage) {
window.addEventListener('tabs:click', event => {
if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
let commentClass = event.target.classList[1];
localStorage.setItem('comments_active', commentClass);
});
}
</script>
</div>
<div class="toggle sidebar-toggle">
<span class="toggle-line toggle-line-first"></span>
<span class="toggle-line toggle-line-middle"></span>
<span class="toggle-line toggle-line-last"></span>
</div>
<aside class="sidebar">
<div class="sidebar-inner">
<ul class="sidebar-nav motion-element">
<li class="sidebar-nav-toc">
文章目录
</li>
<li class="sidebar-nav-overview">
站点概览
</li>
</ul>
<!--noindex-->
<div class="post-toc-wrap sidebar-panel">
<div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#一、环境介绍"><span class="nav-text">一、环境介绍</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#二、CentOS8-环境设置"><span class="nav-text">二、CentOS8 环境设置</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#三、FreeRADIUS-安装及配置"><span class="nav-text">三、FreeRADIUS 安装及配置</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#3-1-FreeRADIUS安装"><span class="nav-text">3.1 FreeRADIUS安装</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#3-2-FreeRADIUS修改配置文件"><span class="nav-text">3.2 FreeRADIUS修改配置文件</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#3-3-FreeRADIUS-服务测试"><span class="nav-text">3.3 FreeRADIUS 服务测试</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#四、SSSD安装配置"><span class="nav-text">四、SSSD安装配置</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#五、安装和配置Google-Authenticator-PAM"><span class="nav-text">五、安装和配置Google Authenticator PAM</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#5-1-安装Google-Authenticator"><span class="nav-text">5.1 安装Google Authenticator</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#5-2-账号开启双因素认证"><span class="nav-text">5.2 账号开启双因素认证</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#5-3-修改pam配置文件,并测试AD账号加动态码登录radius。"><span class="nav-text">5.3 修改pam配置文件,并测试AD账号加动态码登录radius。</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#六、ASAv-AnyConnect-配置"><span class="nav-text">六、ASAv AnyConnect 配置</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#6-1-ASAv初始化配置"><span class="nav-text">6.1 ASAv初始化配置</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#6-2-ASAv上传AnyConnect镜像"><span class="nav-text">6.2 ASAv上传AnyConnect镜像</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#6-3-Cisco-ASAv-AnyConnect本地认证配置。"><span class="nav-text">6.3 Cisco ASAv AnyConnect本地认证配置。</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#6-4-AnyConnect本地账号登录测试"><span class="nav-text">6.4 AnyConnect本地账号登录测试</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#6-5-freeradius配置和测试"><span class="nav-text">6.5 freeradius配置和测试</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#6-6-使用-AD账号-动态码-登录AnyConnect"><span class="nav-text">6.6 使用 AD账号+动态码 登录AnyConnect</span></a></li></ol></li></ol></div>
</div>
<!--/noindex-->
<div class="site-overview-wrap sidebar-panel">
<div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
<img class="site-author-image" itemprop="image" alt="Liu Qianglong"
src="/images/me.jpg">
<p class="site-author-name" itemprop="name">Liu Qianglong</p>
<div class="site-description" itemprop="description"></div>
</div>
<div class="site-state-wrap motion-element">
<nav class="site-state">
<div class="site-state-item site-state-posts">
<a href="/archives/">
<span class="site-state-item-count">5</span>
<span class="site-state-item-name">日志</span>
</a>
</div>
<div class="site-state-item site-state-categories">
<a href="/categories/">
<span class="site-state-item-count">5</span>
<span class="site-state-item-name">分类</span></a>
</div>
<div class="site-state-item site-state-tags">
<a href="/tags/">
<span class="site-state-item-count">9</span>
<span class="site-state-item-name">标签</span></a>
</div>
</nav>
</div>
<div class="links-of-author motion-element">
<span class="links-of-author-item">
<a href="https://github.com/crosswk" title="GitHub → https://github.com/crosswk" rel="noopener" target="_blank"><i class="fa fa-fw fa-github"></i>GitHub</a>
</span>
<span class="links-of-author-item">
<a href="/[email protected]" title="E-Mail → [email protected]"><i class="fa fa-fw fa-envelope"></i>E-Mail</a>
</span>
</div>
</div>
</div>
</aside>
<div id="sidebar-dimmer"></div>
</div>
</main>
<footer class="footer">
<div class="footer-inner">
<script async src="https://dn-lbstatics.qbox.me/busuanzi/2.3/busuanzi.pure.mini.js"></script>
<div class="copyright">
©
<span itemprop="copyrightYear">2020</span>
<span class="with-love">
<i class="fa fa-user"></i>
</span>
<span class="author" itemprop="copyrightHolder">Liu Qianglong</span>
</div>
<!--
<div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> 强力驱动 v4.0.0
</div>
<span class="post-meta-divider">|</span>
<div class="theme-info">主题 – <a href="https://pisces.theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Pisces</a> v7.7.2
</div>
-->
<div class="busuanzi-count">
<script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
<span class="post-meta-item" id="busuanzi_container_site_uv" style="display: none;">
<span class="post-meta-item-icon">
<i class="fa fa-user"></i>
</span>
<span class="site-uv" title="总访客量">
<span id="busuanzi_value_site_uv"></span>
</span>
</span>
<span class="post-meta-divider">|</span>
<span class="post-meta-item" id="busuanzi_container_site_pv" style="display: none;">
<span class="post-meta-item-icon">
<i class="fa fa-eye"></i>
</span>
<span class="site-pv" title="总访问量">
<span id="busuanzi_value_site_pv"></span>
</span>
</span>
</div>
</div>
</footer>
</div>
<script src="/lib/anime.min.js"></script>
<script src="/lib/velocity/velocity.min.js"></script>
<script src="/lib/velocity/velocity.ui.min.js"></script>
<script src="/js/utils.js"></script><script src="/js/motion.js"></script>
<script src="/js/schemes/pisces.js"></script>
<script src="/js/next-boot.js"></script>
<script>
(function(){
var bp = document.createElement('script');
var curProtocol = window.location.protocol.split(':')[0];
bp.src = (curProtocol === 'https') ? 'https://zz.bdstatic.com/linksubmit/push.js' : 'http://push.zhanzhang.baidu.com/push.js';
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(bp, s);
})();
</script>
<script src="/js/local-search.js"></script>
<script>
NexT.utils.loadComments(document.querySelector('#valine-comments'), () => {
NexT.utils.getScript('//unpkg.com/valine/dist/Valine.min.js', () => {
var GUEST = ['nick', 'mail', 'link'];
var guest = 'nick,mail,link';
guest = guest.split(',').filter(item => {
return GUEST.includes(item);
});
new Valine({
el : '#valine-comments',
verify : false,
notify : false,
appId : 'stf5rGD17bcrWN1mvUT4pu8C-gzGzoHsz',
appKey : 'r5qpzBWMAzt2hDAcDftecM1R',
placeholder: "Just go go",
avatar : 'mm',
meta : guest,
pageSize : '10' || 10,
visitor : false,
lang : '' || 'zh-cn',
path : location.pathname,
recordIP : false,
serverURLs : ''
});
}, window.Valine);
});
</script>
</body>
</html>