Two factor authentication with OTP using privacyIDEA and FreeRADIUS on CentOS

In this howto we will show, how you can set up a the two factor authentication and management system privacyIDEA on Cent OS 6.5. privacyIDEA is a system that can manage authentication devices - especially OTP tokens of any kind.

We will set up the system to be served via Apache2, store the token information in a MySQL database and provide authentication via FreeRADIUS server, thus being able to add two factor authentication to all services accessible via RADIUS like SSL VPNs and pam_radius.

Prerequisites

We need some special perl modules to run the connection between FreeRADIUS and privacyIDEA, which can be found in EPEL. So we need to install the EPEL repositories:

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
rpm -Uvh epel-release-6*.rpm

Install dependencies

Install the necessary packages:

yum install -y mysql-server httpd mod_wsgi mod_ssl python-devel gcc mysql-devel libjpeg-devel freeradius freeradius-utils freeradius-perl openldap-devel perl-libwww-perl perl-Config-IniFiles perl-Try-Tiny perl-Data-Dump python-virtualenv

Configure the services to be started at bootup:

/sbin/chkconfig radiusd on 
/sbin/chkconfig mysqld on 
/sbin/chkconfig httpd on

Create database

Now we create a database privacyidea that will hold the token data. We choose the database password unknown:

/etc/init.d/mysqld restart
echo 'create database privacyidea;' | mysql
echo 'grant all privileges on privacyidea.* to "privacyidea"@"localhost" identified by "unknown";' | mysql

Create the virtual python environment and install privacyIDEA

privacyIDEA will be installed to a virtualenv at /opt/privacyIDEA. Thus we can use all the python modules that are needed and can simply backup the complete folder.

virtualenv /opt/privacyIDEA

Now we enter the virtual environment and install privacyIDEA:

cd /opt/privacyIDEA
source bin/activate
pip install privacyIDEA
pip install MySQL-python

Create config files

Still in the python virtualenv we create a service account and some config files:

mkdir -p /var/log/privacyidea
useradd -r privacyidea -d /opt/privacyIDEA

Create ini file

The ini file contains the configuration of the database and some other basic stuff. We copy the following file to /opt/privacyIDEA/etc/privacyidea/privacyidea.ini:

# privacyIDEA - Pylons development environment configuration
#
# The %(here)s variable will be replaced with the parent directory of this file
#
[DEFAULT]
debug = false
profile = false
# Uncomment and replace with the address which should receive any error reports
#email_to = [email protected]
smtp_server = localhost
error_email_from = paste@localhost

# default audit trail set to SQL Audit
privacyideaAudit.type = privacyidea.lib.auditmodules.sqlaudit
privacyideaAudit.key.private = %(here)s/private.pem
privacyideaAudit.key.public = %(here)s/public.pem
#privacyideaAudit.sql.url = mysql://privacyidea:privacyidea@localhost/privacyidea
#privacyideaAudit.sql.url = sqlite:///%(here)s/token.sqlite
# One entry for SQL audit might take about 1K
privacyideaAudit.sql.highwatermark = 10000
#privacyideaAudit.sql.lowwatermark = 5000
# If true, OTP values can be retrieved via the getotp controller
privacyideaGetotp.active = True
privacyideaSecretFile = %(here)s/encKey
# This file contains the token administrators. 
# It can be created like this:
# % tools/privacyidea-create-pwidresolver-user -u admin -p test -i 1000 >> config/admin-users
privacyideaSuperuserFile = %(here)s/admin-users
# list of realms, that are admins
privacyideaSuperuserRealms = superuser, 2ndsuperusers
privacyIDEASessionTimout = 1200
# This is the server, where this system is running.
# This is need to issue a request during login to the 
# management with an OTP token.
privacyideaURL = https://localhost
#
# This determines if the SSL certificate is checked during the login to 
# privacyIDEA. Set to True, if you have a self signed certificate.
privacyideaURL.disable_ssl = False
#privacyidea.useridresolver = privacyidea.lib.resolvers.PasswdIdResolver.IdResolver
# This is only used for testnig purposes for running the selftests.
#privacyidea.selfTest = True
# These are the settings for the RADIUS Token
# The location of the RADIUS dictionary file
radius.dictfile= %(here)s/dictionary
# The NAS Identifier of your privacyIDEA server, 
# that is sent to the RADIUS server
radius.nas_identifier = privacyIDEA
[server:main]
use = egg:Paste#http
#host = 172.16.200.100
host = 0.0.0.0
#host = localhost
port = 5001
#ssl_pem = *
[app:main]
use = egg:privacyIDEA
sqlalchemy.url = mysql://privacyidea:unknown@localhost/privacyidea
#sqlalchemy.url = sqlite:///%(here)s/token.sqlite
sqlalchemy.pool_recycle = 3600
full_stack = true
static_files = true
# We do not need a who.config, since we do the config in the
# code at config/middleware.py
#who.config_file = %(here)s/who.ini
who.log_level = debug
who.log_file = /var/log/privacyidea/privacyidea.log

cache_dir = %(here)s/data
custom_templates = %(here)s/custom-templates/
#beaker.session.key = privacyidea
#beaker.session.secret = somesecret
# If you'd like to fine-tune the individual locations of the cache data dirs
# for the Cache data, or the Session saves, un-comment the desired settings
# here:
#beaker.cache.data_dir = %(here)s/data/cache
#beaker.session.data_dir = %(here)s/data/sessions

#
#  Note: You should change the Logging Level from DEGUB to WARN
#
# Logging configuration
[loggers]
keys = root, privacyidea, sqlalchemy
#keys = root, privacyidea, sqlalchemy, controllers
[logger_root]
level = WARNING
handlers = file
[logger_privacyidea]
level = INFO
handlers = file
qualname = privacyidea
#[logger_controllers]
#level = DEBUG
#handlers = file
#qualname = privacyidea.controllers.account
[logger_sqlalchemy]
level = ERROR
handlers = file
qualname = sqlalchemy.engine
# "level = INFO" logs SQL queries.
# "level = DEBUG" logs SQL queries and results.
# "level = WARN" logs neither.  (Recommended for production systems.)
[handlers]
keys = file
[handler_file]
class = handlers.RotatingFileHandler
# Make the logfiles 10 MB
# and rotate 4  files
#args = ('%(here)s/privacyidea.log','a', 10000000, 4)
#
# Please note, that the %(here)s parameter will not work, when
# running in wsgi.
args = ('/var/log/privacyidea/privacyidea.log','a', 10000000, 4)
level = INFO
formatter = generic
[formatters]
keys = generic
[formatter_generic]
class = privacyidea.lib.log.SecureFormatter
format = %(asctime)s %(levelname)-5.5s {%(thread)d} [%(name)s][%(funcName)s #%(lineno)d] %(message)s
datefmt = %Y/%m/%d - %H:%M:%S

Create encryption key and signing keys

privacyidea-create-enckey -f /opt/privacyIDEA/etc/privacyidea/privacyidea.ini
privacyidea-create-auditkeys -f /opt/privacyIDEA/etc/privacyidea/privacyidea.ini

Create database tables

mkdir -p /var/log/privacyidea
paster setup-app /opt/privacyIDEA/etc/privacyidea/privacyidea.ini

Create admin user

Now we create the first admin user, that can log in to the privacyIDEA management:

privacyidea-create-pwidresolver-user -u admin -i 1000 >> /opt/privacyIDEA/etc/privacyidea/admin-users

Enter a password and remember it.

Setup Apache

privacyIDEA is a python application that is run via the WSGI module. This modules needs an additional run directory. We create it:

mkdir -p /var/run/wsgi

WSGI does not play well with SELinux. So for starters we need to disable the enforcing. In the file /etc/selinux/config we need to change this:

SELINUX=permissive

...and reboot the system to enable this.

After the reboot we again enter the virtualenv.

cd /opt/privacyIDEAy
source bin/activate

Apache config

In the apache directory /etc/httpd/conf.d we need to edit two files:

ssl.conf, which activates ssl:

LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

and privacyidea.conf, which is the configuration of the virtual host.

A script will help you to create the server certificate:

privacyidea-create-certificate -f /etc/httpd/conf.d/privacyidea.conf

Fix access rights

During the setup process the files were generated for user root. But we will run privacyIDEA in Apache with the service account privacyidea. So we need to change the acccess rights of these files. A script helps us with this task:

privacyidea-fix-access-rights -f /opt/pirvacyIDEA/etc/privacyidea/privacyidea.ini -u privacyidea

Then we need to restart the apache service:

service httpd restart

Firewalling

The https port 443 might be closed. We can open it like this:

iptables -I INPUT 4 -p tcp --dport 443 -j ACCEPT
service iptables save

Now we can access the management UI via https on the server and create useridresolvers, a realm and enroll the first tokens. Another tutoral explains how to do this.

Setup FreeRADIUS

The privacyIDEA github repo contains a FreeRADIUS plugin, that is not yet contained in the privacyIDEA 1.1 release. So we need to copy it manually:

curl -o /opt/privacyIDEA/privacyidea_radius.pm https://raw.githubusercontent.com/privacyidea/privacyidea/master/authmodules/FreeRADIUS/privacyidea_radius.pm

Configuration

In the file /etc/radddb/users we need the following entry:

DEFAULT Auth-Type := perl

This sets the auth-type for every request to perl. Thus the request will be handled by the perl module.

Therefor the file /etc/raddb/modules/perl needs to look like this:

perl {
   module = /opt/privacyIDEA/privacyidea_radius.pm
}

Remember to configure your file /etc/raddb/clients.conf according to your needs. You can at least add the localhost for testing purposes:

client 127.0.0.1/32 {
shortname = local
secret = topsecret
}

Finally we need to create a file /etc/raddb/sites-available/privacyidea, that in the importand sections authorize and authenticate looks like this:

authorize {
        preprocess
        chap
        mschap
        digest
	suffix
	eap {
		ok = return
	}
	files
	expiration
	logintime
	pap
}
authenticate {
	perl
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	digest
	unix
	eap
}

(roughly we only added "perl" to the authenticate section ;-)

You can also download the file here.

We enable the site privacyidea by linking from sites-available to sites-enabled.

ln -s /etc/raddb/sites-available/privacyidea /etc/raddb/sites-enabled

We should delete the other sites in sites-enabled.

Testing RADIUS

To test the RADIUS configuration, we stop the FreeRADIUS and start it in debug output mode:

service radiusd stop
radiusd -X

Then we use the radclient command for testing:

echo "User-Name=user, Password=pin123456" | radclient -sx localhost auth topsecret

The output will display the total approved or denied auths.

In the FreeRADIUS ouput we can see a line like this for a successful authentication:

rlm_perl: privacyIDEA access granted

Questions? Answers!

If you run into any problems drop me a note or you can also ask on the Google group.

Log in or Sign up

On this page