2fa for windows ad login

I realize that 2fa for cockpit landed in nethserver which is amazing! Thanks for all the good work.

Recently I was asked if I could make user logins on Windows 10 clients to a NethServer-created Active Directory domain require a second factor, and started digging the net for 2FA. There are different open-source and commercial options out there, and I am still reading, but decided to ask here too what the possible solutions would be. We are a limited user base (<15).


So on the Windows client a 2FA to log in to the AD; we use PAM. Interesting. If you have clues, please ring the bell.


I am starting to look into privacyIDEA, a fork of LinOTP. It is open source and should work with a privacyIDEA server and their Credential Provider, which can be bought or compiled by oneself. So I am starting to read their documentation and I will post my results here, but I would also be glad if there are other suggestions to look at and/or if someone wants to share their experiences/expertise.

Other options I might give a shot later if privacyIDEA does not fit could be:
multiotp
rcdevs
wikidsystems
linotp


These are the steps I took so far to install the privacyIDEA (LinOTP fork) server:

  • Grab the NethServer CD and install CentOS 7 on a new VM located in my red network. (I do not want to screw up my NethServer VM, so I decided to test privacyIDEA on a separate CentOS 7 VM.)
  • Update the freshly installed VM (yum check-update && yum update && yum clean all && reboot), SSH into the server to be able to copy-paste, then follow the installation on their site: https://privacyidea.readthedocs.io/en/latest/installation/centos.html
  • After I disabled firewalld (systemctl mask --now firewalld) I can access the privacyIDEA server.
  • Rollout of a token for the local root user is very easy. Then I installed FreeOTP, scanned the QR code, and tested the 6-digit token -> success.

I need help, as I have no idea yet how to link this with domain users from my NethServer Active Directory domain. Maybe someone could step in and see if it is possible to integrate this in NethServer itself? In the meantime my next steps will be to look at how to compile the credential provider that has to be installed on the Windows 10 systems, and to read their documentation in general. Frankly, at the moment I have no idea how their credential provider can be compiled. There is no documentation, as they sell the MSI.

I would love to help with testing within NethServer, but I don't know how to proceed, so thanks in advance for your help. :)


Can someone please help me fill out the following entries in order to be able to connect to the NethServer LDAP on ad.ourdomain.com?

Do account-provider-test dump in a terminal; all you need is there.

Thanks, I'll try that and report back. In the meantime I opened an issue, as I am not yet able to compile their credential provider. See here; maybe someone knows what my VS2019 is missing:

Apparently the DLLs cannot be compiled because some include files are missing?

Compilation can be complex and all requirements must be satisfied. :(

I know, and as they sell a compiled MSI they do not document how to compile it, but I hope they will provide the needed info in the issue I opened.

In the meantime I can report that the LDAP binding works fine. I have entered the following information:

ServerURI: ldaps://ad.ourdomain.com
Base-DN: ou=user(in our case: Benutzer),dc=ad,dc=ourdomain,dc=com
Bind-DN: ldapservice@ad.ourdomain.work
Bind Password: Found under Nethserver/System/User&Groups/Details

So now I am able to query my AD users and assign them a token. Furthermore, I could test the token and it reports success when I enter the OTP generated with the FreeOTP app on my Android phone. :)

So all good: as soon as the credential provider installer is successfully compiled, the solution will work.

I don't know, though, how and where the privacyIDEA server installation could be implemented in NethServer. Maybe someone else is willing to integrate this feature? The need for a separate VM for the privacyIDEA server would then become obsolete, as installation on CentOS 7 is supported and documented. Like this we could have a nice open-source and beautifully working solution within NethServer.


As it turns out, our boss is now not sure anymore whether 2FA on local logins is really mandatory. I will nevertheless report in this thread if I get any information on the last remaining issue regarding the compilation of the credential provider that needs to be installed on the Windows 10 clients.

But I must implement 2FA for VPN connections, so the questions on that are:

  • Do we have something implemented for this within NethServer?
  • privacyIDEA apparently supports PAM and RADIUS for OpenVPN: could those be used, and does it make sense? (I don't know much about RADIUS, frankly, so I am open to any suggestions.)

Last but not least, having an OPNsense router securing my network (thanks Andy :) ), I will also have a look at what can be done on that layer.

Right now I am trying to establish an LDAP connection from OPNsense to the NethServer LDAP as I did with privacyIDEA, but I have not succeeded yet.

I have implemented two ways to secure the VPN.

One is pending tests if you want to have a go: all users are forced to OTP, and a user needs to give only the otp_pin instead of his password.

The other related PR is to increase security. In short: currently you can log in with a valid login/password but with the certificate of another user; this issue solves it.

I tested another way to add OTP with Google Authenticator; for now it is just a PR, not merged. The advantages of GA are:

  • users are not all forced to OTP
  • users must give their password + otp_pin in the same input

Cons: the recovery codes displayed in the UI are not valid.

Enable OTP in roadwarrior openvpn configuration with google authenticator by stephdl · Pull Request #56 · NethServer/nethserver-openvpn · GitHub

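Two points in this thread reduce to the same server-side check: the 6-digit FreeOTP code tested against the privacyIDEA server earlier, and the two OpenVPN input modes in the last post ("otp_pin only" versus "password + otp_pin in the same input"). The following is an added example for this thread, not privacyIDEA, NethServer or nethserver-openvpn code. It implements HOTP (RFC 4226) under TOTP time steps (RFC 6238), decodes the base32 secret an otpauth:// QR code carries, and wraps both in a verifier that splits the combined field, tolerates one time step of clock drift, and refuses a code that has already been accepted. The user name, password and clock values are constructed; RFC_SEED is the RFC 6238 reference secret, so the codes can be checked against the RFC's Appendix B table. In a real deployment the password half would be checked against the account provider (the AD bind above), not a local dictionary.

```python
"""TOTP check as FreeOTP/privacyIDEA do it (RFC 4226 HOTP over RFC 6238 time
steps), plus a verifier for the two OpenVPN input modes discussed in the
thread: "otp_pin only" and "password + otp_pin in one field".

Added example; not privacyIDEA, NethServer or nethserver-openvpn code.
The user, password and secrets below are constructed.  RFC_SEED is the
RFC 6238 / RFC 4226 reference secret (SHA-1 variant).
"""
import base64
import hashlib
import hmac
import struct
import time

RFC_SEED = b"12345678901234567890"


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 'secret=' parameter of an otpauth:// URI.
    Authenticator apps accept lower case and omit '=' padding, so fix both."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP over the time counter T = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Server-side check such as an OpenVPN auth plugin would run.

    require_password=False is the "otp_pin only" mode; True is the Google
    Authenticator style mode where the user types password + otp_pin in the
    password field.  Accepted counters are remembered per user so a sniffed
    code cannot be replayed inside the +/-window tolerance.
    """

    def __init__(self, users: dict, require_password: bool = True,
                 window: int = 1, step: int = 30, digits: int = 6):
        self.users = users            # name -> {"password": str, "secret": bytes}
        self.require_password = require_password
        self.window, self.step, self.digits = window, step, digits
        self.used: dict = {}          # name -> set of counters already consumed

    def verify(self, user: str, field: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        known = user in self.users
        # Unknown users get a dummy record so the same work is done for them;
        # otherwise response time reveals which usernames exist.
        rec = self.users.get(user, {"password": "", "secret": b"\x00" * 20})
        if len(field) < self.digits:
            return False
        if self.require_password:
            password, code = field[:-self.digits], field[-self.digits:]
        else:
            password, code = "", field
        if not code.isdigit():
            return False
        # Compare hashes so compare_digest sees equal lengths (no length leak).
        pw_ok = (not self.require_password) or hmac.compare_digest(
            hashlib.sha256(password.encode()).digest(),
            hashlib.sha256(rec["password"].encode()).digest())
        counter = now // self.step
        matched = None
        for c in range(counter - self.window, counter + self.window + 1):
            # No early break: every candidate is checked every time.
            if hmac.compare_digest(hotp(rec["secret"], c, self.digits), code):
                matched = c
        if not (known and pw_ok and matched is not None):
            return False
        used = self.used.setdefault(user, set())
        if matched in used:
            return False              # replay of an already-accepted code
        used.add(matched)
        return True


if __name__ == "__main__":
    # RFC 6238 Appendix B, SHA-1 row for T=59: 94287082 (8 digits).
    print(totp(RFC_SEED, 59, digits=8))
```

Usage: `OtpVerifier(users).verify("alice", "s3cret287082")` for the combined mode, `OtpVerifier(users, require_password=False).verify("alice", "287082")` for the otp_pin-only mode. The `used` set is what distinguishes this from a plain TOTP check; without it, any code observed inside the drift window can be replayed until the window expires.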