
Horizon View 2-factor Authentication for Free! with Google Authenticator or others

So after quite a bit of work on my proof-of-concept Google Authenticator server, a colleague pointed out that LinOTP has already built this, along with a whole slew of other options. So after spending a couple of nights reading and testing I figured I'd post a simple walk-through to get this up and running in your environment.

As mentioned in the title this is a free solution; however, if you want to scale this in a large organization you would most likely want to explore their support contracts. That is a good fallback when things just don't work, and it also helps the developers keep this type of software free for the rest of us.

To start off we want to create two objects in Active Directory. The first is just a standard user account that LinOTP will use to connect to your domain. It only needs to read the directory, so a plain unprivileged account is enough. You can put these anywhere in your domain, as we will reference them directly later. In my case I created one called 'LinOTP Svc' and put it in the default Users OU.


Next create a Global or Universal security group that will contain the users allowed to use LinOTP. I also put this directly in the Users OU just for simplicity.


Add some test users to this group.

There is a limited set of Linux distros supported out of the box by LinOTP; I have chosen Debian 8.9 (jessie) for this walk-through.

Grab an ISO from https://www.debian.org/releases/jessie/debian-installer/
or for a direct link to the network based install go here:
https://cdimage.debian.org/cdimage/archive/8.9.0/amd64/iso-cd/debian-8.9.0-amd64-netinst.iso

There are a ton of installation docs out there on installing Debian, so I'm not going to touch that here, but the two main things you want to select during the install are the standard system utilities option and the SSH server (OpenSSH). That's it.

Once the install completes and you reboot, SSH into your server with PuTTY (or your preferred SSH client).

Run the following commands:

su
apt-get update
apt-get install open-vm-tools
reboot

During the reboot you will lose connectivity, so you will need to reconnect.

After you connect again, run the following:

su
nano /etc/network/interfaces

Throughout this guide I will be using nano instead of vi; for some reason vi and PuTTY, specifically on Debian, act funny for me, and nano is just as good.

Change the network interface from dhcp to static, here is an example:

iface eth0 inet static
address 172.16.2.11
netmask 255.255.240.0
gateway 172.16.0.1

In nano hit Ctrl+X to exit, then hit Y to save.


nano /etc/resolv.conf

Add your DNS servers to the file:
nameserver yourdnsserverip
nameserver yourdnsserverip

Save and close the file

We want to make sure you have a hostname set:
cat /etc/hosts
An example from my hosts file:

127.0.1.1 linotp.view.lab linotp

Let's reboot one more time:
reboot

Reconnect, run su to become root again, and run the following to add LinOTP to our sources:

echo 'deb http://www.linotp.org/apt/debian jessie linotp' > /etc/apt/sources.list.d/linotp.list
gpg --search-keys 913DFF12F86258E5

Select #1 when gpg lists the key. Check that the key ID and owner gpg shows are the LinOTP signing key before importing it; apt-key add trusts that key for every repository on the system, not just this one.

gpg --export 913DFF12F86258E5 | apt-key add -
apt-get install mysql-server

The MySQL server setup will prompt you for a MySQL root password; create one and enter it twice. It should be different from your Debian root password.
MySQL will finish installing.
Once this completes we will update our sources and install LinOTP.

apt-get update
apt-get install linotp

You will be prompted to use Apache2, say Y

You will also be prompted for a password for 'admin' this is the admin for the LinOTP website, create a password here.

When prompted to create a self signed cert say Y

When prompted for the token database, choose MySQL.

The database host is localhost.

When prompted to create database now? Yes

Your LinOTP server is installed at this point, however since we are going to use this for View, we also need a couple more components and configs.
For more info see this link https://linotp.org/howtos/howto-radius.html

apt-get install freeradius
apt-get install linotp-freeradius-perl

Let's make a backup of FreeRADIUS's default configuration:
cp -a /etc/freeradius /etc/freeradius_original

Next remove some files we don't need:
rm /etc/freeradius/{clients.conf,users}

Now we need to edit our configuration:
nano /etc/freeradius/clients.conf

Paste the following, changing the IP to your Connection Server's address and replacing SECRET with a strong shared secret you will use for RADIUS. The /32 netmask means only that one host can talk to FreeRADIUS with this secret.

# arbitrary name of the client asking for authentication (i.e. VPN server, here the View Connection Server)
client view {
        ipaddr  = 192.168.42.207 # IP of the client
        netmask = 32
        secret  = 'SECRET' # shared secret the client has to provide
}
Save and close.

Next let's tell FreeRADIUS to use the perl module we installed:
nano /etc/freeradius/users

Paste this line:
DEFAULT Auth-type := perl
Save and close.

nano /etc/freeradius/modules/perl

Replace
module = ${confdir}/example.pl
with
module = /usr/lib/linotp/radius_linotp.pm

Save and close.

nano /etc/linotp2/rlm_perl.ini

Paste the following, changing REALM=view.lab to your domain name:

# URL of the LinOTP server
URL=https://127.0.0.1/validate/simplecheck
# optional: limits the search for the user to this realm
REALM=view.lab
# optional: only use this UserIdResolver
#RESCONF=flat_file
# optional: comment out once everything seems to work fine
Debug=True
# optional: use this if you have self-signed certificates, otherwise comment out
SSL_CHECK=False
Save and close.

SSL_CHECK=False is tolerable here only because the URL points at the LinOTP server on the local loopback interface; if you ever point it at a remote LinOTP host, install a certificate the system trusts and re-enable the check. Debug=True writes the request details to the FreeRADIUS log, so turn it off once the setup works.

nano /etc/freeradius/sites-available/linotp

Paste the following:

authorize {
        # normalizes malformed client requests before they are handed on to other modules (see '/etc/freeradius/modules/preprocess')
        preprocess

        #  If you are using multiple kinds of realms, you probably
        #  want to set "ignore_null = yes" for all of them.
        #  Otherwise, when the first style of realm doesn't match,
        #  the other styles won't be checked.

        # allows a list of realms (see '/etc/freeradius/modules/realm')
        IPASS

        # understands something like USER@REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
        suffix

        # understands USER\REALM and can tell the components apart (see '/etc/freeradius/modules/realm')
        ntdomain

        # Read the 'users' file to learn about special configuration which should be applied for
        # certain users (see '/etc/freeradius/modules/files')
        files

        # allows authentication to expire (see '/etc/freeradius/modules/expiration')
        expiration

        # allows to define valid service-times (see '/etc/freeradius/modules/logintime')
        logintime

        # We got no radius_shortname_map!
        pap
}

# here the linotp perl module is called for further processing
authenticate {
        perl
}

Save and Close

ln -s ../sites-available/linotp /etc/freeradius/sites-enabled

rm /etc/freeradius/sites-enabled/{default,inner-tunnel}

reboot

We should be done at the command line except for any troubleshooting we may need to do.

Once the server has rebooted, open a browser to https://yourserver/manage

Log in with admin and the password you set up during the install.
Click LinOTP Config > UserIdResolvers
Then click New
Then click LDAP

Now we need to fill in some fields:
First click the [Preset Active Directory] button.
Resolver name: you can put whatever you like.
Server-URI: this is the LDAP URL for your domain controllers, typically ldap://fqdn.of.your.DC
If you are using STARTTLS you will need to configure it here; if not, go to the next line. Keep in mind that plain ldap:// sends the bind password to the domain controller unencrypted, so outside a lab use STARTTLS or ldaps://.
BaseDN: Since this is a smaller lab, putting it at the root of my domain is not that big of a deal; in a larger environment you may want to start somewhere lower in the tree.
BindDN: This is the user we set up at the beginning of this walk-through.
Bind Password: the above user's password.
Click [Test LDAP Server Connection]; this will basically give you every user it finds from the BaseDN on down, even computer accounts. Since we don't want every user, only the ones added to the security group, we need to change our search filter:
Clear out the Search filter entry and put in an entry similar to the following:
(sAMAccountName=*)(objectClass=user)(memberOf=CN=LinOTPUsers,CN=Users,DC=view,DC=lab)

This tells it to search only for users that are in the LinOTPUsers group we created earlier. Note that memberOf matches direct members only, so users who are in the group through a nested group will not be picked up.
Click the [Test LDAP Server Connection] button again and you should get only the users (if any) that are in that group.
Click Save


You will then be prompted to set up a REALM.
Give this your domain's DNS name so that it matches the RADIUS realm we set up earlier.
Save your settings.

So we are technically done; however, there are a couple of settings I think most people should have, so let's go through those.

Click the Policies tab and enter the following, changing the REALM to the one you entered previously.
Once completed click [Set Policy].

The page does not change the entries automatically, so on the same page change them to the following and click [Set Policy].
The "Action" line should read:
webprovisionGOOGLEtime, history, disable, enable,

Once completed it should look similar to this:

The setup of the server is now complete.
Next go to your View Connection Server, set up a new RADIUS server using PAP as the protocol, point it to your LinOTP server, use the default port, and enter the shared secret you set in clients.conf earlier.
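Before pointing View at the server it helps to drive the FreeRADIUS to LinOTP chain with a minimal RADIUS client of your own, so that a failure can be pinned on the server side rather than on the Connection Server. The following Python script is an added example, not code from this post or from LinOTP: it builds an Access-Request with the PAP User-Password obfuscation from RFC 2865, parses the reply and verifies its Response Authenticator. It assumes it is run from the host listed in clients.conf, that the shared secret is the one you set there, and LinOTP's default of the PIN followed by the OTP in the password field.

```python
import hashlib
import os
import socket
import struct
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RADIUS packet codes (an Access-Reject is code 3)
USER_NAME, USER_PASSWORD = 1, 2       # RADIUS attribute types

def pap_encode(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous block), the first
    'previous block' being the Request Authenticator. Obfuscation only: secret + capture = PIN+OTP."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decode(encoded, secret, authenticator):
    """Inverse of pap_encode: what FreeRADIUS does before handing the value to rlm_perl."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, authenticator):
    """Header is Code(1) ID(1) Length(2) Request Authenticator(16); attributes follow as Type, Length, Value."""
    name, pw = user.encode(), pap_encode(password.encode(), secret, authenticator)
    attrs = struct.pack("!BB", USER_NAME, len(name) + 2) + name  # Length counts its own 2-byte header
    attrs += struct.pack("!BB", USER_PASSWORD, len(pw) + 2) + pw
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def response_code(packet, request_authenticator, secret):
    """Reply code, but only after MD5(Code+ID+Length+RequestAuth+Attributes+Secret) matches the Response
    Authenticator, so a spoofed Access-Accept from a host that does not hold the secret is refused."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    if packet[4:20] != expected:
        raise ValueError("bad Response Authenticator")
    return packet[0]

def radius_pap_check(host, user, password, secret, timeout=5.0):
    """Send one Access-Request to FreeRADIUS on UDP 1812; True only on a verified Access-Accept."""
    authenticator = os.urandom(16)  # fresh and random per request, as the PAP keystream is derived from it
    request = build_access_request(1, user, password, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 1812))
        reply, _ = sock.recvfrom(4096)
    return response_code(reply, authenticator, secret) == ACCESS_ACCEPT
```

A call such as radius_pap_check("172.16.2.11", "testuser", "1234123456", b"SECRET") should return True for an enrolled user with PIN 1234 and a current OTP, and with Debug=True still set the matching request shows up in the FreeRADIUS log.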

Now we can enroll a user and authenticate to View with 2FA!

Open a browser to https://172.16.2.11/account/login (replace the IP with your IP) and log in with a user that is in the AD group we created at the beginning:


Click 'Enroll your time based token'.



You will be presented with a QR code that you can then scan into Google Authenticator (or whatever client you want to use). The QR code carries the token's secret seed, so do not screenshot or forward it.

Now that you have your authenticator set up you should be able to use 2FA with View.

For additional info check the guides:
https://linotp.org/howtos/howto-radius.html


Comments

  1. Excellent article. For some reason I cannot get past the login page of the self-service portal. I enter the creds of a user who is a member of the AD group and it just clears the username and password fields, no errors. If I intentionally enter an incorrect pw it says login failed.

  2. It sounds like a browser issue.
    Try checking /var/log/linotp/linotp.log for any errors that come up during the login.
