Last year, I talked about migrating my FreeRADIUS server with two-factor authentication (2FA) to a Docker container. Today, I will cover how to configure FreeRADIUS 3.0 with two-factor authentication using Google Authenticator in a Docker container with Ubuntu 18.04 image.
The new version of Ubuntu Server LTS edition (18.04 at this time of writing) changed the FreeRADIUS version from 2.x to 3.0. The change made my old post as invalid. With that said, I want to share my working configuration with you.
If you wish to learn more about FreeRADIUS, there is a book out there available for purchase. However, it is an older book, so you may need to do some more research. Though, one of the Amazon reviews mentioned that the difference between 2.x and 3.0 are minor so it may still be helpful.
Writing FreeRADIUS 3.0 Dockerfile
I am sure there are FreeRADIUS 3.0 Docker images out there, but I like to write my own as much as I can. By writing a Dockerfile, it helps me learn more about Linux and Docker. I do, however, recognize that I am running the Docker container as root. As I learn more about this, I will eventually write one that isn’t using root. If you decide to copy this Dockerfile, beware the security risks running root on your container.
Without further ado, below is my Dockerfile that I wrote that satisfies my needs.
# Use Base Ubuntu image FROM ubuntu:18.04 # Author of this Dockerfile MAINTAINER NetworkJutsu <networkjutsu.com> # Update & upgrades RUN apt-get update && apt-get dist-upgrade -y # Install FreeRADIUS and Google Authenticator RUN apt-get install freeradius libpam-google-authenticator -y # Clear local repo RUN apt-get clean # Add user to container with home directory RUN useradd -m -d /home/networkjutsu -s /bin/bash networkjutsu # Add password to networkjutsu account RUN echo 'networkjutsu:letsmakemypasswordgreatagain' | chpasswd # Edit /etc/pam.d/radiusd file RUN sed -i 's/@include/#@include/g' /etc/pam.d/radiusd RUN echo "auth requisite pam_google_authenticator.so forward_pass secret=/etc/freeradius/3.0/networkjutsu/.google_authenticator user=freerad" >> /etc/pam.d/radiusd RUN echo "auth required pam_unix.so use_first_pass" >> /etc/pam.d/radiusd # Edit /etc/freeradius/3.0/mods-config/files/authorize file # This is the real file for /etc/freeradius/3.0/users RUN sed -i '1s/^/# Instruct FreeRADIUS to use PAM to authenticate users\n/' /etc/freeradius/3.0/mods-config/files/authorize RUN sed -i '2s/^/DEFAULT Auth-Type := PAM\n/' /etc/freeradius/3.0/mods-config/files/authorize # Copy existing /etc/freeradius/sites-available/default file to container # This is the real file for /etc/freeradius/3.0/sites-enabled/default COPY default /etc/freeradius/3.0/sites-available/default # Change owner of the file to freerad RUN chown freerad:freerad /etc/freeradius/3.0/sites-available/default # Copy existing /etc/freeradius/clients.conf file to container COPY clients.conf /etc/freeradius/3.0/clients.conf # Copy existing .google_authenticator file to container COPY .google_authenticator /home/networkjutsu # Create a symbolic link RUN ln -s /etc/freeradius/3.0/mods-available/pam /etc/freeradius/3.0/mods-enabled/pam # Create a folder in /etc/freeradius equal to the user name RUN mkdir /etc/freeradius/3.0/networkjutsu # Change owner of the directory to freerad RUN chown freerad:freerad /etc/freeradius/3.0/networkjutsu # Copy .google_authenticator file to /etc/freeradius/networkjutsu RUN cp /home/networkjutsu/.google_authenticator /etc/freeradius/3.0/networkjutsu # Change owner to freerad RUN chown freerad:freerad /etc/freeradius/3.0/networkjutsu/.google_authenticator # Expose the port EXPOSE 1812/udp 1813/udp 18120/udp # Run FreeRADIUS as a foreground process CMD ["freeradius","-f"]
FreeRADIUS changes in Ubuntu
If you compare my old post and this post, you could tell that the directories have changed from /etc/freeradius to /etc/freeradius/3.0. One of the reasons why my old post would not work in Ubuntu 18.04.
Another change is the /etc/freeradius/3.0/users file. It is now a symbolic link compared to a regular file in Ubuntu 16.04. That said, I had to edit the original file and not the symbolic link.
The last change, at least for my purposes, is the requirement to create a symbolic link for the /etc/freeradius/3.0/mods-available/pam file. We need this file to enable PAM, without it the two-factor authentication wouldn’t work.
FreeRADIUS configuration files
I copied a lot of configuration files to the container because it was much faster for me to do it in a text editor than trying to figure out the proper sed commands. I am still new to sed command so it will take me several minutes or hours to figure out a simple thing to do in VI editor. While it will help me learn more about it, I haven’t had much time on my hands lately.
Some of the configuration files may have changed contents as a result of the upgrade. However, my old post covered all the changes I’ve made to them. Well, you could say I revised /etc/freeradius/3.0/radiusd file. The revision was very minor. I only did it because I wanted to show how to edit files without using a text editor, like VI editor.
The changes to FreeRADIUS in Ubuntu 18.04 is minor, at least for my purposes. However, if you decide to upgrade your host or edit the Dockerfile to use the latest Ubuntu version without making the changes covered here, then it will break your instance.
A few weeks ago, I made a mistake of just changing the FROM ubuntu:16.04 to FROM ubuntu:18.04 and broke my FreeRADIUS container. If the FreeRADIUS version didn’t change, upgrading the OS would’ve been easy and fast compared to a VM. One of the reasons why I like to use Docker container as much as possible.
With this FreeRADIUS container, you could point your devices to this server as your primary RADIUS server. Since this server also makes use of Google Authenticator, you gain two-factor authentication feature. I use this container for my remote access VPN at home and also pointing my networking devices that support RADIUS authentication.
Are you ready to improve your network security?
Let us answer more questions by contacting us. We’re here to listen and provide solutions that are right for you.
You might also like to read
NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.