
FreeRadius + Google Authenticator + Huawei SSL VPN one-time-password login

Date: 2022-01-12 08:29:54


1. Install Google Authenticator on the phone

Android: https://google-authenticator./android/download

iPhone: download Google Authenticator from the App Store

2. Switch the CentOS server's yum repository to the Aliyun mirror

cd /etc/yum.repos.d/
wget /repo/Centos-7.repo
yum clean all
yum makecache

3. Install NTP

Google Authenticator depends on time, so the server's system clock must be correct.

yum install ntp -y
systemctl enable ntpd --now

4. Install and configure the Google Authenticator PAM module

yum install git pam-devel libtool -y
git clone /google/google-authenticator-libpam.git
cd google-authenticator-libpam/
./bootstrap.sh
./configure
make -j && make install
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so
echo 'LD_LIBRARY_PATH=/usr/local/lib/security:$LD_LIBRARY_PATH' >> /etc/profile
echo 'LD_RUN_PATH=/usr/local/lib/security:$LD_RUN_PATH' >> /etc/profile
source /etc/profile

5. Install and configure FreeRadius

Install:

yum install freeradius freeradius-utils -y

Configure:

/etc/pam.d/radiusd

vim /etc/pam.d/radiusd
#%PAM-1.0
#auth include password-auth
auth requisite pam_google_authenticator.so forward_pass
account required pam_nologin.so
account include password-auth
password include password-auth
session include password-auth

/etc/raddb/radiusd.conf

vim /etc/raddb/radiusd.conf
user = radiusd
group = radiusd
# change to:
user = root
group = root

/etc/raddb/users

vim /etc/raddb/users
# comment out every existing line and add the following 3 lines:
DEFAULT Group == "disabled", Auth-Type := Reject
    Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM

/etc/raddb/sites-enabled/default

vim /etc/raddb/sites-enabled/default
authenticate {
    ...
    # Pluggable Authentication Modules
    # pam
    ...
}
# remove the comment marker in front of the pam line

ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam

/etc/raddb/clients.conf

mv /etc/raddb/clients.conf /etc/raddb/clients.conf.bak
vim /etc/raddb/clients.conf
client network {
    ipaddr = 0.0.0.0
    netmask = 0
    secret = testing123
    proto = *
    shortname = network
    require_message_authenticator = no
    nas_type = other
}

6. Test authentication

Create a test account san.zhang on CentOS

useradd san.zhang
su - san.zhang

Enable Google Authenticator and scan the QR code with the Google Authenticator app

google-authenticator
Do you want authentication tokens to be time-based (y/n) y
(scan the QR code with the Google Authenticator app)
Enter code from app (-1 to skip): -1
Do you want me to update your "/home/san.zhang/.google_authenticator" file? (y/n) y
Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n) y
By default, a new token is generated every 30 seconds by the mobile app.
In order to compensate for possible time-skew between the client and the server,
we allow an extra token before and after the current time. This allows for a
time skew of up to 30 seconds between authentication server and client. If you
experience problems with poor time synchronization, you can increase the window
from its default size of 3 permitted codes (one previous code, the current
code, the next code) to 17 permitted codes (the 8 previous codes, the current
code, and the 8 next codes). This will permit for a time skew of up to 4 minutes
between client and server.
Do you want to do so? (y/n) n
If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting? (y/n) y

Start the radius service

systemctl enable radiusd --now
or, in debug mode: radiusd -X

Log in to the Huawei firewall:

点击"对象" -> "认证服务器" -> "RADIUS" -> "新建"

点击 "检测"后开始检测,密码是Google身份验证器的动态口令。

点击 "对象" -> "用户" -> "认证域 " -> "新建"

点击 "对象" -> "用户" -> "vpnuser"

SSL VPN user authorization configuration

Log in to the SSL VPN with SecoClient
