Need help signing in with domain credentials and MFA through (Radius+LinOTP)

foa771

New Member
Joined
Mar 15, 2024
Messages
3
Reaction score
0
Credits
63
I am trying to configure MFA on an a domain joined amazon Linux instance through Radius to LinOTP.
I have managed AD, Radius and LinOTP configured and working properlyI followed this documentation to configure the LinOTP and Radius: https://aws.amazon.com/blogs/desktop-and-application-streaming/integrating-freeradius-mfa-with-amazon-workspaces/ I used this to join linux instance to domain:https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_linux_instance.html

On the linux instance i downloaded PAM_Radiushttps://github.com/FreeRADIUS/pam_radius

Here are the configuration on the linux:
I added the details of the radius server in the /etc/pam_radius.conf file
The content of the etc/pam.d/sshd file is attached
The highlight of the /etc/ssh/sshd_config is:
  • passwordauthentication yes
  • challengeresponseauthentication yes
  • usepam yes

My problem is when I SSH to the Linux instance, It asks for a password. After I enter my domain password, It asks for the OTP Token and then it goes back to asking for password and so on.

sign in method 1: (FQDN) I ssh to the instance using: ssh [email protected] @<public Ip address>
Here is what I see in logs:
  • Linux instance: /var/log/secure
  • authentication success
  • LinOTP: username not found in realm
  • When I look at the radius logs, it seems that the OTP password is not correct since the field user
-password would be random characters.

sign in method 2: (without FQDN)I ssh to the instance using:ssh username@<public Ip address>
Here is what I see in logs:
  • Linux instance: /var/log/secure
  • invalid user username
  • LinOTP: found username
  • When I look at the radius logs, it seems that the OTP password is not correct since the field user
-password would be random characters.

I need some guidance on how to configure this amazon linux instance using domain credientials to authenticate to managed AD then use OTP(through radius and LinOTP) to do MFA. I appreciate your guidance. I attached some snapshots of configuration and logs that might help troubleshoot the issue. look at filename for description
 

Attachments

  • etc-pam.d-sshd.jpg
    etc-pam.d-sshd.jpg
    1.5 MB · Views: 221
  • FQDN-var-log-linotp-linotp.jpg
    FQDN-var-log-linotp-linotp.jpg
    1.6 MB · Views: 190
  • FQDN-var-log-secure.jpg
    FQDN-var-log-secure.jpg
    429.8 KB · Views: 152
  • issue.jpg
    issue.jpg
    973.3 KB · Views: 145
  • noFQDN-var-log-linotp-linotp.log.jpg
    noFQDN-var-log-linotp-linotp.log.jpg
    2.6 MB · Views: 380
  • noFQDN-var-log-radius-radius.log.jpg
    noFQDN-var-log-radius-radius.log.jpg
    2 MB · Views: 370
Last edited by a moderator:


Hello Everyone,
This is an updated post for what i believe the issue is, I appreciate any help:

I installed Linotp 2.12.6 and integrated it with AWS workspaces using this documentation for MFA TOTP:
https://aws.amazon.com/blogs/deskto...rating-freeradius-mfa-with-amazon-workspaces/

Everything is working well using workspaces and LinOTP.

Now I want to add MFA to a Bastion Amazon Linux instance that is domain joined. I want to leverage the same LinOTP that I already have in the environment for TOTP. I configured the Linux instance for MFA and to send the TOTP token to the radius server however after reviewing the logs on LINOTP, I see it is receiving the username with the domain ([email protected]) and it fails to find a matching user in the resolver.

the realm is the same as the windows domain name. I made sure that the setting to split on "@" is enabled so it differentiate username from realm, however authentication fails. LinOTP authenticates successfully users logging into workspaces since only the username is sent to the radius server, without the FQDN.

I would really appreciate any guidance on how to enable windows domain striping and resolve this issue.
Thank you!
 

Members online


Top