Use Freeradius, LDAP and Google Authenticator to implement two-factor authentication

As cybersecurity threats increase, traditional usernames and passwords have become less secure. To enhance the security of network access, two-factor authentication has become a popular and effective solution. In this article, we will introduce how to install and configure Freeradius and Google Authenticator on Ubuntu 22.04 to implement two-factor authentication in an existing Windows AD environment, providing authentication, authorization and accounting for network access servers.

  • Freeradius is a powerful open source AAA (Authentication, Authorization, Accounting) server for network access control and user authentication.
  • Google Authenticator is a two-factor authentication service provided by Google that provides an additional layer of security to ensure user identity confirmation when logging in and accessing online services.
  • The LDAP service provided by Windows AD is based on the Lightweight Directory Access Protocol and is used to manage and access information such as users, organizational structure, and resources in Windows Active Directory.

Lab environment:
Windows AD (existing): Provides LDAP service as a repository for user information.
Ubuntu 22.04: Will be used to install and configure Freeradius and Google Authenticator.

Here are the implementation steps:

Step one: Install Freeradius and Google Authenticator and related software on Ubuntu 22.04.

apt update && apt upgrade -y
apt-get install freeradius freeradius-common freeradius-utils freeradius-ldap libpam-google-authenticator -y

root@ud-Virtual-Machine:/home/ud# freeradius -v
radiusd: FreeRADIUS Version 3.0.26, for host x86_64-pc-linux-gnu, built on Jan 4 2023 at 03:23:09
FreeRADIUS Version 3.0.26
Copyright (C) 1999-2021 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT

root@ud-Virtual-Machine:/home/ud# google-authenticator -h
google-authenticator [<options>]
 -h, --help Print this message
 -c, --counter-based Set up counter-based (HOTP) verification
 -C, --no-confirm Don't confirm code. For non-interactive setups
 -t, --time-based Set up time-based (TOTP) verification
 -d, --disallow-reuse Disallow reuse of previously used TOTP tokens
 -D, --allow-reuse Allow reuse of previously used TOTP tokens
 -f, --force Write file without first confirming with user
 -l, --label=<label> Override the default label in "otpauth://" URL
 -i, --issuer=<issuer> Override the default issuer in "otpauth://" URL
 -q, --quiet Quiet mode
 -Q, --qr-mode={NONE,ANSI,UTF8} QRCode output mode
 -r, --rate-limit=N Limit logins to N per every M seconds
 -R, --rate-time=M Limit logins to N per every M seconds
 -u, --no-rate-limit Disable rate-limiting
 -s, --secret=<file> Specify a non-standard file location
 -S, --step-size=S Set interval between token refreshes
 -w, --window-size=W Set window of concurrently valid codes
 -W, --minimal-window Disable window of concurrently valid codes
 -e, --emergency-codes=N Number of emergency codes to generate

Step 2: Configure Freeradius and Google Authenticator.

1. The first configuration file to edit is /etc/freeradius/3.0/radiusd.conf; change its security section as follows.

# SECURITY CONFIGURATION
security {
# user/group: The name (or #number) of the user/group to run radiusd as.
user=root
group=root
}

2. The FreeRadius configuration file that needs to be edited is /etc/freeradius/3.0/sites-enabled/default. This file tells FreeRADIUS how to use PAM for authorization and authentication.


3. The above configuration snippet uses a new filter ("filter_google_otp"), defined in /etc/freeradius/3.0/policy.d/filter, which separates the 6-digit TOTP from the password the user submitted.

4. Since we are using a new attribute ("Google-Password") that is not defined in the standard RADIUS dictionary, add the new attribute to the /etc/freeradius/3.0/dictionary file as shown below.

5. Set up the FreeRadius clients. In /etc/freeradius/3.0/clients.conf we define the clients (for example, a network device or server) that are allowed to connect to the RADIUS server, together with the shared secret (key) each one uses. Make sure to change the default secret to a different one for better security; the following configuration is for testing purposes only.

6. Start configuring the freeradius LDAP module to connect to the LDAP server. Edit the file /etc/freeradius/3.0/mods-available/ldap, the content is as follows.

7. Since we configured FreeRADIUS to use PAM + LDAP to authenticate users, we need to configure the /etc/pam.d/radiusd file and instruct it to use the Google Authenticator PAM module. Follow the configuration below and comment out the remaining lines.

8. After configuration, enable the LDAP module and PAM module by executing the following commands.

ln -s /etc/freeradius/3.0/mods-available/ldap /etc/freeradius/3.0/mods-enabled/
ln -s /etc/freeradius/3.0/mods-available/pam /etc/freeradius/3.0/mods-enabled/

9. Modify the systemd service unit file of the FreeRADIUS service /lib/systemd/system/freeradius.service

# Ensure the daemon can still write its pidfile after it drops
# privileges. Combination of options that work on a variety of
# systems. Test very carefully if you alter these lines.
RuntimeDirectory=freeradius
RuntimeDirectoryMode=0775
User=root
Group=root

10. When all configuration files have been changed, the service needs to be restarted for the changes to take effect. You can execute the following command to restart the FreeRadius service.

systemctl daemon-reload
systemctl restart freeradius.service

Step 3: Test

Before starting the test, you need to create a Google Authenticator secret for the LDAP user and save it in the /google_auth folder.

a. Create the script add-otp-user (for example with vim add-otp-user)

#!/bin/bash
# Usage: add-otp-user USERNAME  (the username must match the LDAP username)
if [ -z "$1" ]; then
echo "Usage: add-otp-user USERNAME"
exit 1
fi
# Ensure the otp folder is present
[ -d /google_auth ] || mkdir -p /google_auth
# Generate a time-based (TOTP) secret for the user, non-interactively,
# and store it in /google_auth/<username>.google_authenticator
google-authenticator \
--time-based \
--disallow-reuse \
--force \
--rate-limit=3 \
--rate-time=30 \
--window-size=3 \
-s "/google_auth/${1}.google_authenticator"

b. Make the script executable

chmod -v +x add-otp-user

c. Run script to add user Google Auth key

#Add OTP [where username matches the LDAP username]
bash ./add-otp-user <username>

d. Test whether all configurations are successful

#Command Syntax
radtest <username> <password + google authenticator TOTP> localhost 1812 <RADIUS secret key>

#Example:
radtest use01 ldapuserpassword123456 localhost 1812 testing123#
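As an added example (not code from the original article), the following Python mirrors what the filter_google_otp policy from step 3 and the Google Authenticator PAM module from step 7 do with the combined password passed to radtest above: it splits off the trailing 6-digit TOTP, reads the user's /google_auth secret file, and verifies the code with RFC 6238 TOTP while honouring WINDOW_SIZE. The secret file is a constructed sample using the RFC 6238 reference key, and the function names are my own.

```python
import base64, hmac, hashlib, struct, time

# Constructed sample of /google_auth/<user>.google_authenticator as written by the
# add-otp-user script; the secret is the RFC 6238 reference key, not a real one.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
"""

def parse_secret_file(text):
    """Return (base32 secret, window size); line 1 is the secret, '" ' lines are options."""
    lines = text.splitlines()
    window = 1
    for line in lines[1:]:
        if line.startswith('" WINDOW_SIZE '):
            window = int(line.split()[2])
    return lines[0].strip(), window

def split_password(combined):
    """Like filter_google_otp: the trailing 6 digits are the TOTP, the rest is the LDAP password."""
    if len(combined) <= 6 or not combined[-6:].isdigit():
        raise ValueError("expected <LDAP password><6-digit TOTP>")
    return combined[:-6], combined[-6:]

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, as generated by google-authenticator --time-based."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, code, unix_time, window=3, step=30):
    """Accept neighbouring steps as the PAM module does for WINDOW_SIZE w:
    offsets -((w-1)//2) .. w//2, so WINDOW_SIZE 3 = previous, current and next code."""
    for i in range(-((window - 1) // 2), window // 2 + 1):
        if hmac.compare_digest(totp(secret_b32, unix_time + i * step, step), code):
            return True
    return False

def check_login(combined_password, secret_file_text, unix_time=None):
    """Return (ldap_password, totp_ok): the LDAP password goes on to AD, the TOTP is checked here."""
    unix_time = time.time() if unix_time is None else unix_time
    secret, window = parse_secret_file(secret_file_text)
    ldap_pw, code = split_password(combined_password)
    return ldap_pw, verify_totp(secret, code, unix_time, window)
```

Note that the real PAM module also enforces the RATE_LIMIT and DISALLOW_REUSE options by rewriting the secret file; this example only covers the split and the TOTP check.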

By implementing the above steps, you can add an extra layer of security to your Radius service. Two-factor authentication not only provides stronger identity authentication, but also reduces the risk of identity theft and unauthorized access. However, it is important to note that two-factor authentication does not guarantee 100% security. Other security measures such as using strong passwords, changing passwords regularly, updating systems regularly and conducting security audits are equally important. Only by comprehensively adopting multiple security strategies can we effectively protect the data security of the system and users.

By combining the power of Freeradius, Google Authenticator, and LDAP, you can easily implement two-factor authentication and improve the security of your system. Continuously pay attention to and adopt the latest security technology to protect your network from malicious intrusions and data leakage threats. For the security of your systems and users, it’s worth investing some time and effort in implementing two-factor authentication!