Hello, I want to share my experience with LinOTP and give an example of strong authentication using LinOTP + FreeRADIUS and Wallix Bastion.
LinOTP is an enterprise-grade flexible open source platform for strong authentication.
Wallix Bastion is a Privileged Access Management (PAM) solution.
Habrรฉ already has some articles about LinOTP - 1 , 2 . Here we use new versions of OS and products, and also go through the setup from start to finish, let's go ..
What we use:
LinOTP 2.12.3
Debian 10 ( Also Supported )
FreeRADIUS 3
Wallix bastion 8
Add the linotp.org repository:
1. Installation of LinOTP
Add the linotp.org repository:
echo 'deb http://www.linotp.org/apt/debian buster linotp linotp-deps' > /etc/apt/sources.list.d/linotp.list
To verify the package, import the package signing key:
apt-get install dirmngr
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 913DFF12F86258E5
Install the database ( supported databases ):
apt-get update
apt-get install mariadb-server
mysql_secure_installation
Finally, install LinOTP:
apt-get install linotp
2. Integration with Active Directory
You can reach the LinOTP web admin by following the link: https: // <linotp_ip> / manage
Go to LinotpConfig -> UserIdResolvers and create a new UserIdResolver, choosing the LDAP type :
Now you have to add the Realm - give it a name and specify the LDAP Resolver you just created.
UserIdResolver- ยซยป, LinOTP. Realm-e UserIdResolver- (multitenancy, ).
User View.
3. LinOTP FreeRADIUS
FreeRADIUS :
apt-get install linotp-adminclient-cli python-ldap freeradius python-passlib python-bcrypt git libio-all-lwp-perl libconfig-file-perl libtry-tiny-perl
freeradius:
ln -s /etc/freeradius/3.0/sites-available /etc/freeradius/sites-available
ln -s /etc/freeradius/3.0/sites-enabled /etc/freeradius/sites-enabled
ln -s /etc/freeradius/3.0/clients.conf /etc/freeradius/clients.conf
ln -s /etc/freeradius/3.0/users /etc/freeradius/users
linotp-auth-freeradius-perl:
git clone https://github.com/LinOTP/linotp-auth-freeradius-perl.git
cd linotp-auth-freeradius-perl/
cp radius_linotp.pm /usr/share/linotp/radius_linotp.pm
:
nano /etc/freeradius/sites-enabled/linotp
server linotp {
listen {
ipaddr = *
port = 1812
type = auth
}
listen {
ipaddr = *
port = 1813
type = acct
}
authorize {
preprocess
update {
&control:Auth-Type := Perl
}
}
authenticate {
Auth-Type Perl {
perl
}
}
accounting {
unix
}
}
sites-enabled linotp:
ls /etc/freeradius/sites-enabled
linotp
RADIUS-. Wallix Bastion:
nano /etc/freeradius/clients.conf
client Wallix { ipaddr = 192.168.10.10 secret = your_secret }
perl :
nano /etc/freeradius/users
DEFAULT Auth-type := perl
nano /etc/freeradius/3.0/mods-available/perl
perl { filename = /usr/share/linotp/radius_linotp.pm func_authenticate = authenticate func_authorize = authorize }
mods-enabled eap:
ln -s /etc/freeradius/3.0/mods-available/perl /etc/freeradius/3.0/mods-enabled/perl
rm /etc/freeradius/3.0/mods-enabled/eap
, Radius:
nano /etc/linotp2/rlm_perl.ini
URL=https://<Linotp_ip>/validate/simplecheck REALM=realm1 RESCONF=resolver1 Debug=True SSL_CHECK=False
4.
. LinOTP selfservice , .
LinOTPConfig > policies . TOTP, Google Authenticator, :
URL : https://<LINOTP_ip> https://<LINOTP_ip> /selfservice/login
5. Wallix Bastion
Wallix Bastion , -, .
Configuration> External authentication - RADIUS. Secret , freeRADIUS.
LDAP/AD domains ( , ) , LinOTP. Secondary authentication linotp . :
Wallix Bastion , LinOTP.
6. Troubleshoot.
If something doesn't work, you can look for errors:
RADIUS logs:
/var/log/freeradius/radius.log
LinOTP logs:
/var/log/linotp/linotp.log
You can check the token as follows:
https://<yourlinotpserver>/validate/check?user=<login>&pass=<OTPvalue>
Instead of output
In this article, we have configured the local platform of the second authentication factor - LinOTP and screwed it to the Wallix Bastion solution with FreeRADIUS as a connector.
My article is in English. - medium
Thank you for your time, I hope the information was helpful.