richtech's People

Contributors

rharmonson
richtech's Issues

Problem with installing nodejs

I installed node-v10.9.0-linux-armv7l from the nodejs site:

[root@nobody /]# node -v
node: /lib/libstdc++.so.6: version `GLIBCXX_3.4.20' not found (required by node)

Typo in wiki page CentOS 7 1611 Minimal x86_64 Base Installation Guide

Hi @rharmonson. Just came across your wiki "CentOS 7 1611 Minimal x86_64 Base Installation Guide" and found it very informative. Spotted a small typo in section 19 (VM Template) -- the 'cut+paste' segment that contains the commands for sealvm.sh contains the following line:

rm -f /etc/ssh/ssh_host_rm -rf /root/.ssh/

I believe it should be like this instead:

rm -f /etc/ssh/ssh_host_*
rm -rf /root/.ssh/

CentOS 7 - OpenVAS Internal Error

Greetings,

I installed OpenVAS following your guide, but when running a scan OpenVAS presents the following message: "Internal Error".

Please tell me how to fix this problem. I ran the command (openvas-check-setup) and it tells me that the installation is OK:

openvas-check-setup --v9
openvas-check-setup 2.3.7
Test completeness and readiness of OpenVAS-9

Please report us any non-detected problems and
help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

Use the parameter --server to skip checks for client tools
like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ...
OK: OpenVAS Scanner is present in version 5.1.1.
OK: redis-server is present in version v=3.2.3.
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
OK: redis-server is running and listening on socket: /tmp/redis.sock.
OK: redis-server configuration is OK and redis-server is running.
OK: NVT collection in /var/lib/openvas/plugins contains 54606 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
OK: The NVT cache in /var/cache/openvas contains 54606 files for 54606 NVTs.
Step 2: Checking OpenVAS Manager ...
OK: OpenVAS Manager is present in version 7.0.2.
OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 184.
OK: OpenVAS Manager expects database at revision 184.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 54606 NVTs.
OK: At least one user exists.
OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
OK: xsltproc found.
Step 3: Checking user configuration ...
WARNING: Your password policy is empty.
SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ...
OK: Greenbone Security Assistant is present in version 7.0.2.
OK: Your OpenVAS certificate infrastructure passed validation.
Step 5: Checking OpenVAS CLI ...
OK: OpenVAS CLI version 1.4.5.
Step 6: Checking Greenbone Security Desktop (GSD) ...
SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ...
OK: netstat found, extended checks of the OpenVAS services enabled.
OK: OpenVAS Scanner is running and listening on a Unix domain socket.
OK: OpenVAS Manager is running and listening on a Unix domain socket.
OK: Greenbone Security Assistant is listening on port 80, which is the default port.
Step 8: Checking nmap installation ...
WARNING: Your version of nmap is not fully supported: 6.47
SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
Step 10: Checking presence of optional tools ...
OK: pdflatex found.
WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work.
SUGGEST: Install required LaTeX packages.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
OK: alien found, LSC credential package generation for DEB based targets is likely to work.
OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
OK: SELinux is disabled.

It seems like your OpenVAS-9 installation is OK.

If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.

cat /tmp/openvas-check-setup.log
openvas-check-setup 2.3.7
Mode: desktop
Date: Wed, 16 Aug 2017 08:45:19 -0500

Checking for old OpenVAS Scanner <= 2.0 ...
/usr/bin/openvas-check-setup: line 172: openvasd: command not found

Checking presence of OpenVAS Scanner ...
OpenVAS Scanner 5.1.1
Most new code since 2005: (C) 2016 Greenbone Networks GmbH
Nessus origin: (C) 2004 Renaud Deraison [email protected]
License GPLv2: GNU GPL version 2
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Checking OpenVAS Scanner version ...

    OK: OpenVAS Scanner is present in version 5.1.1.

plugins_folder = /var/lib/openvas/plugins
cache_folder = /var/cache/openvas
include_folders = /var/lib/openvas/plugins
max_hosts = 30
max_checks = 10
be_nice = no
logfile = /var/log/openvas/openvassd.log
log_whole_attack = no
log_plugins_name_at_load = no
dumpfile = /var/log/openvas/openvassd.dump
cgi_path = /cgi-bin:/scripts
optimize_test = yes
checks_read_timeout = 5
network_scan = no
non_simult_ports = 139, 445
plugins_timeout = 320
scanner_plugins_timeout = 36000
safe_checks = yes
auto_enable_dependencies = yes
use_mac_addr = no
nasl_no_signature_check = yes
drop_privileges = no
unscanned_closed = yes
unscanned_closed_udp = yes
vhosts =
vhosts_ip =
report_host_details = yes
kb_location = /tmp/redis.sock
timeout_retry = 3
rules = /etc/openvas/openvassd.rules
port_range = default
silent_dependencies = no
save_knowledge_base = no
kb_restore = no
only_test_hosts_whose_kb_we_dont_have = no
only_test_hosts_whose_kb_we_have = no
kb_dont_replay_scanners = no
kb_dont_replay_info_gathering = no
kb_dont_replay_attacks = no
kb_dont_replay_denials = no
kb_max_age = 864000
slice_network_addresses = no
cert_file = /var/lib/openvas/CA/servercert.pem
key_file = /var/lib/openvas/private/CA/serverkey.pem
ca_file = /var/lib/openvas/CA/cacert.pem
config_file = /etc/openvas/openvassd.conf
Checking presence of redis ...
OK: redis-server is present in version v=3.2.3.

Checking if redis-server is configured properly to run with openVAS ...
OK: scanner (kb_location setting) is configured properly using the redis-server socket: /tmp/redis.sock
Checking if redis-server is running ...
OK: redis-server is running and listening on socket: /tmp/redis.sock.
OK: redis-server configuration is OK and redis-server is running.

Checking NVT collection ...

    OK: NVT collection in /var/lib/openvas/plugins contains 54606 NVTs.

Checking status of signature checking in OpenVAS Scanner ...
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).

    OK: The NVT cache in /var/cache/openvas contains 54606 files for 54606 NVTs.

Checking presence of OpenVAS Manager ...
OpenVAS Manager 7.0.2
Manager DB revision 184
Copyright (C) 2010-2016 Greenbone Networks GmbH
License GPLv2+: GNU GPL version 2 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

    OK: OpenVAS Manager is present in version 7.0.2.

Checking OpenVAS Manager database ...

    OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.

Checking access rights of OpenVAS Manager database ...

    OK: Access rights for the OpenVAS Manager database are correct.

Checking sqlite3 presence ...
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.

Checking OpenVAS Manager database revision ...
OK: OpenVAS Manager database is at revision 184.
Checking database revision expected by OpenVAS Manager ...
OK: OpenVAS Manager expects database at revision 184.
OK: Database schema is up to date.
Checking OpenVAS Manager database (NVT data) ...
OK: OpenVAS Manager database contains information about 54606 NVTs.
Checking if users exist ...
OK: At least one user exists.

Checking OpenVAS SCAP database ...

    OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.

Checking OpenVAS CERT database ...

    OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.

Checking xsltproc presence ...
OK: xsltproc found.

Checking status of password policy ...
WARNING: Your password policy is empty.
SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.

Checking presence of Greenbone Security Assistant ...
Greenbone Security Assistant 7.0.2
Copyright (C) 2010-2016 Greenbone Networks GmbH
License GPLv2+: GNU GPL version 2 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

    OK: Greenbone Security Assistant is present in version 7.0.2.

Verifying certificate infrastructure ...
OK: Directory for keys (/var/lib/openvas/private/CA) exists.
OK: Directory for certificates (/var/lib/openvas/CA) exists.
OK: CA key found in /var/lib/openvas/private/CA/cakey.pem
OK: CA certificate found in /var/lib/openvas/CA/cacert.pem
OK: CA certificate verified.
OK: Certificate /var/lib/openvas/CA/servercert.pem verified.
OK: Certificate /var/lib/openvas/CA/clientcert.pem verified.

OK: Your OpenVAS certificate infrastructure passed validation.

    OK: Your OpenVAS certificate infrastructure passed validation.

Checking presence of OpenVAS CLI ...
OMP Command Line Interface 1.4.5
Copyright (C) 2010-2016 Greenbone Networks GmbH
License GPLv2+: GNU GPL version 2 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

    OK: OpenVAS CLI version 1.4.5.
    SKIP: Skipping check for Greenbone Security Desktop.

Checking netstat presence ...
OK: netstat found, extended checks of the OpenVAS services enabled.

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 1000/redis-server 1
tcp 0 0 0.0.0.0:9392 0.0.0.0:* LISTEN 3149/gsad
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3150/gsad
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 998/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1597/master
tcp6 0 0 :::22 :::* LISTEN 998/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1597/master
OK: OpenVAS Scanner is running and listening on a Unix domain socket.
OK: OpenVAS Manager is running and listening on a Unix domain socket.
OK: Greenbone Security Assistant is listening on port 80, which is the default port.
Checking presence of nmap ...
WARNING: Your version of nmap is not fully supported: 6.47
SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.

Checking presence of pdflatex ...
OK: pdflatex found.

Checking presence of LaTeX packages required for PDF report generation ...
WARNING: PDF generation failed, most likely due to missing LaTeX packages. The PDF report format will not work.
SUGGEST: Install required LaTeX packages.
This is pdfTeX, Version 3.1415926-2.5-1.40.14 (TeX Live 2013) (format=pdflatex 2017.8.14) 16 AUG 2017 08:45
entering extended mode
restricted \write18 enabled.
%&-line parsing enabled.
**/tmp/openvas-check-setup-tmp.uE8VvtfpGC/test.tex
(/tmp/openvas-check-setup-tmp.uE8VvtfpGC/test.tex
LaTeX2e <2011/06/27>
Babel <v3.8m> and hyphenation patterns for english, dumylang, nohyphenation, lo
aded.
(/usr/share/texlive/texmf-dist/tex/latex/base/article.cls
Document Class: article 2007/10/19 v1.4h Standard LaTeX document class
(/usr/share/texlive/texmf-dist/tex/latex/base/size10.clo
File: size10.clo 2007/10/19 v1.4h Standard LaTeX file (size option)
)
\c@part=\count79
\c@section=\count80
\c@subsection=\count81
\c@subsubsection=\count82
\c@paragraph=\count83
\c@subparagraph=\count84
\c@figure=\count85
\c@table=\count86
\abovecaptionskip=\skip41
\belowcaptionskip=\skip42
\bibindent=\dimen102
) (/usr/share/texlive/texmf-dist/tex/latex/tools/tabularx.sty
Package: tabularx 1999/01/07 v2.07 `tabularx' package (DPC)
(/usr/share/texlive/texmf-dist/tex/latex/tools/array.sty
Package: array 2008/09/09 v2.4c Tabular extension package (FMi)
\col@sep=\dimen103
\extrarowheight=\dimen104
\NC@list=\toks14
\extratabsurround=\skip43
\backup@length=\skip44
)
\TX@col@width=\dimen105
\TX@old@table=\dimen106
\TX@old@col=\dimen107
\TX@target=\dimen108
\TX@delta=\dimen109
\TX@cols=\count87
\TX@ftn=\toks15
) (/usr/share/texlive/texmf-dist/tex/latex/geometry/geometry.sty
Package: geometry 2010/09/12 v5.6 Page Geometry
(/usr/share/texlive/texmf-dist/tex/latex/graphics/keyval.sty
Package: keyval 1999/03/16 v1.13 key=value parser (DPC)
\KV@toks@=\toks16
) (/usr/share/texlive/texmf-dist/tex/generic/oberdiek/ifpdf.sty
Package: ifpdf 2011/01/30 v2.3 Provides the ifpdf switch (HO)
Package ifpdf Info: pdfTeX in PDF mode is detected.
) (/usr/share/texlive/texmf-dist/tex/generic/oberdiek/ifvtex.sty
Package: ifvtex 2010/03/01 v1.5 Detect VTeX and its facilities (HO)
Package ifvtex Info: VTeX not detected.
) (/usr/share/texlive/texmf-dist/tex/generic/ifxetex/ifxetex.sty
Package: ifxetex 2010/09/12 v0.6 Provides ifxetex conditional
)
\Gm@cnth=\count88
\Gm@cntv=\count89
\c@Gm@tempcnt=\count90
\Gm@bindingoffset=\dimen110
\Gm@wd@mp=\dimen111
\Gm@odd@mp=\dimen112
\Gm@even@mp=\dimen113
\Gm@layoutwidth=\dimen114
\Gm@layoutheight=\dimen115
\Gm@layouthoffset=\dimen116
\Gm@layoutvoffset=\dimen117
\Gm@dimlist=\toks17
)

! LaTeX Error: File `comment.sty' not found.

Type X to quit or to proceed,
or enter new name. (Default extension: sty)

Enter file name:
! Emergency stop.
<read *>

l.8 \usepackage
{longtable}^^M
*** (cannot \read from terminal in nonstop modes)

Here is how much of TeX's memory you used:
815 strings out of 495063
11112 string characters out of 3182201
60410 words of memory out of 3000000
4062 multiletter control sequences out of 15000+200000
3640 words of font info for 14 fonts, out of 3000000 for 9000
14 hyphenation exceptions out of 8191
23i,0n,19p,192b,36s stack positions out of 5000i,500n,10000p,200000b,50000s
! ==> Fatal error occurred, no output PDF file produced!
Checking presence of ssh-keygen ...
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.

Checking presence of rpm ...
OK: rpm found, LSC credential package generation for RPM based targets is likely to work.

Checking presence of alien ...
OK: alien found, LSC credential package generation for DEB based targets is likely to work.

Checking presence of nsis ...
OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
Checking for SELinux ...
OK: SELinux is disabled.

cat openvasmd.log
md main:MESSAGE:2017-08-16 13h45.20 utc:3345: OpenVAS Manager version 7.0.2 (DB revision 184)
md manage: INFO:2017-08-16 13h45.20 utc:3345: Getting users.
event task:MESSAGE:2017-08-16 08h46.13 -05:3505: Status of task Immediate scan of IP xx.xx.xx.xx (41386d63-b227-4e1e-98ea-9c7818c221c1) has changed to Requested
event task:MESSAGE:2017-08-16 08h46.13 -05:3505: Task Immediate scan of IP xx.xx.xx.xx (41386d63-b227-4e1e-98ea-9c7818c221c1) has been requested to start by admin
md manage:WARNING:2017-08-16 08h46.23 -05:3507: sql_prepare_internal: sqlite3_prepare failed: near "(": syntax error
md manage:WARNING:2017-08-16 08h46.23 -05:3507: init_iterator: sql_prepare failed
md manage:WARNING:2017-08-16 08h46.23 -05:3507: manage_cleanup_process_error: Error exit, setting running task to Internal Error
md manage:WARNING:2017-08-16 08h46.23 -05:3507: sql_prepare_internal: sqlite3_prepare failed: near "(": syntax error
md manage:WARNING:2017-08-16 08h46.23 -05:3507: init_iterator: sql_prepare failed
md main:MESSAGE:2017-08-16 13h53.23 utc:3585: OpenVAS Manager version 7.0.2 (DB revision 184)
md main: INFO:2017-08-16 13h53.23 utc:3585: rebuild_nvt_cache_retry: Reloading NVT cache
md main: INFO:2017-08-16 13h53.23 utc:3586: update_or_rebuild_nvt_cache: Updating NVT cache
base gpgme:MESSAGE:2017-08-16 13h53.23 utc:3586: Setting GnuPG dir to '/var/lib/openvas/openvasmd/gnupg'
base gpgme:MESSAGE:2017-08-16 13h53.23 utc:3586: Using OpenPGP engine version '2.0.22'
md main: INFO:2017-08-16 13h53.24 utc:3586: Updating NVT cache.
md main:MESSAGE:2017-08-16 13h54.41 utc:3605: OpenVAS Manager version 7.0.2 (DB revision 184)
md main: INFO:2017-08-16 13h54.41 utc:3605: rebuild_nvt_cache_retry: Reloading NVT cache
md main: INFO:2017-08-16 13h54.41 utc:3606: update_or_rebuild_nvt_cache: Rebuilding NVT cache
base gpgme:MESSAGE:2017-08-16 13h54.41 utc:3606: Setting GnuPG dir to '/var/lib/openvas/openvasmd/gnupg'
base gpgme:MESSAGE:2017-08-16 13h54.41 utc:3606: Using OpenPGP engine version '2.0.22'
md main: INFO:2017-08-16 13h54.42 utc:3606: Updating NVT cache.
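As an added example (not code from the wiki, this issue, or OpenVAS), the following Python parses openvasmd.log records of the format posted above and, for every manager process that set a task to Internal Error, lists the warnings the same pid logged just before it, so the failed sqlite3_prepare is reported beside the symptom rather than several lines above it. The sample lines are copied from the log above; the record field names are my own.

```python
"""Triage helper for openvasmd.log records like the ones posted above.

Added example, not code from the wiki, the issue or OpenVAS. It parses the
"<facility> <module>:<level>:<timestamp>:<pid>: <message>" records and, for
each process that set a task to Internal Error, reports the warnings that the
same pid logged just before, so the cause (here a failed sqlite3_prepare) is
shown next to the symptom. The sample lines below are taken from the issue.
"""
import re
from collections import defaultdict

# One openvasmd.log record; the level is right-aligned, hence the \s* after the colon.
LOG_RE = re.compile(
    r'^(?P<facility>\S+) (?P<module>[^:\s]+):\s*(?P<level>[A-Z]+):'
    r'(?P<ts>\d{4}-\d{2}-\d{2} \d{2}h\d{2}\.\d{2} \S+):(?P<pid>\d+): (?P<msg>.*)$'
)

# Task UUID in parentheses inside an 'event task' message.
TASK_RE = re.compile(r'\(([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\)')

# Sample records copied from the issue above (IP already masked by the reporter).
SAMPLE = """\
md main:MESSAGE:2017-08-16 13h45.20 utc:3345: OpenVAS Manager version 7.0.2 (DB revision 184)
md manage: INFO:2017-08-16 13h45.20 utc:3345: Getting users.
event task:MESSAGE:2017-08-16 08h46.13 -05:3505: Status of task Immediate scan of IP xx.xx.xx.xx (41386d63-b227-4e1e-98ea-9c7818c221c1) has changed to Requested
event task:MESSAGE:2017-08-16 08h46.13 -05:3505: Task Immediate scan of IP xx.xx.xx.xx (41386d63-b227-4e1e-98ea-9c7818c221c1) has been requested to start by admin
md manage:WARNING:2017-08-16 08h46.23 -05:3507: sql_prepare_internal: sqlite3_prepare failed: near "(": syntax error
md manage:WARNING:2017-08-16 08h46.23 -05:3507: init_iterator: sql_prepare failed
md manage:WARNING:2017-08-16 08h46.23 -05:3507: manage_cleanup_process_error: Error exit, setting running task to Internal Error
md manage:WARNING:2017-08-16 08h46.23 -05:3507: sql_prepare_internal: sqlite3_prepare failed: near "(": syntax error
md manage:WARNING:2017-08-16 08h46.23 -05:3507: init_iterator: sql_prepare failed
md main:MESSAGE:2017-08-16 13h53.23 utc:3585: OpenVAS Manager version 7.0.2 (DB revision 184)
"""


def parse_log(text):
    """Return one dict per well-formed record; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def internal_errors(records):
    """pid -> {'ts', 'causes'} for every pid whose records contain the
    'setting running task to Internal Error' warning. 'causes' are the WARNING
    messages that pid logged before it, in order, duplicates removed."""
    by_pid = defaultdict(list)
    for r in records:
        by_pid[r['pid']].append(r)
    findings = {}
    for pid, recs in by_pid.items():
        for i, r in enumerate(recs):
            if r['level'] == 'WARNING' and 'Internal Error' in r['msg']:
                earlier = (x['msg'] for x in recs[:i] if x['level'] == 'WARNING')
                findings[pid] = {'ts': r['ts'], 'causes': list(dict.fromkeys(earlier))}
                break
    return findings


def requested_tasks(records):
    """Task UUIDs whose status changed to Requested, taken from 'event task' records."""
    ids = set()
    for r in records:
        if r['facility'] == 'event' and 'changed to Requested' in r['msg']:
            ids.update(TASK_RE.findall(r['msg']))
    return ids


if __name__ == '__main__':
    recs = parse_log(SAMPLE)
    print('tasks requested:', sorted(requested_tasks(recs)))
    for pid, info in internal_errors(recs).items():
        print(f"pid {pid} at {info['ts']} set a task to Internal Error; earlier warnings:")
        for cause in info['causes']:
            print('  -', cause)
```

The grouping key is the pid rather than the task, because the manager forks a child per scan request and the SQL failure and the resulting Internal Error are logged by that same child, while the task UUID only appears in the earlier 'event task' records of the parent.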

Issue with /etc/raddb/users

Following the wiki article: CentOS 7 Minimal: Two-factor Authentication using FreeRADIUS 3, SSSD 1.12, & Google Authenticator #6

If you uncomment the following lines:

DEFAULT Group == "disabled", Auth-Type := Reject

Reply-Message = "Your account has been disabled."

And add

DEFAULT Auth-Type := PAM

For the final configuration, as mentioned:

DEFAULT Group == "disabled", Auth-Type := Reject
Reply-Message = "Your account has been disabled."

DEFAULT Auth-Type := PAM

You get the following error when doing a radtest:

[logintime] = noop
(0) WARNING: pap : Auth-Type already set. Not setting to PAP
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = Reject
(0) Auth-Type = Reject, rejecting user
(0) Failed to authenticate the user

With

DEFAULT Group == "disabled", Auth-Type := Reject

Reply-Message = "Your account has been disabled."

DEFAULT Auth-Type := PAM

radtest is successful.

Tested with Centos 7 minimal.

Thank you for the quick reply to the other note/issue; you beat me to it before I could reply.

Wiki errors on PBIS configuration

https://github.com/rharmonson/richtech/wiki/Centos-6.6-Minimal-&-Beyond-Trust's-Power-Broker-Identity-Services-aka-Likewise#sshd

The following options are more "PBIS-like" methods of doing the same thing:

Rather than editing sshd_config to block domain^users, run "/opt/pbis/bin/config RequireMembershipOf nonexistentgroup". This will only allow members of "nonexistentgroup" to log into the box; since that group won't exist, PBIS users will be effectively blocked.

Even better, however, is to simply NOT enable pam when you do the join:

domainjoin-cli join --disable pam domain.com username

Now no PAM modifications will be done. The same can be done with "--disable ssh" and "--disable nsswitch". If you do all 3 of these, however, you'll need to have your software make direct calls into PBIS to find AD users, since they won't be exposed to the OS.

You can change these configurations live with:
domainjoin-cli configure --enable
domainjoin-cli configure --disable

See the full list in domainjoin-cli --help and domainjoin-cli --help-internal.

The Disable IPv6 section seems unclear. Still appears to disable for "all".

In the Disable IPv6 section of CentOS 7 1611 Minimal x86_64 Base Installation Guide, you state that you edited it so it would not disable it everywhere, but rather just disable per interface only. However, in the example for per interface, you still have the option set for "all" being disabled:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1

Shouldn't the first line be removed and only be the single entry for the example interface?

net.ipv6.conf.eth0.disable_ipv6 = 1

The disable for everywhere option seems correct. You show the options for disabling "all" and "by default":

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

It seems that in the first section, where you disable per interface only, that line (net.ipv6.conf.all.disable_ipv6) should be removed. Or am I misreading it?

Tool used for Diagrams

Hello Richard,

Thanks for sharing a wealth of well-structured knowledge.

I am curious how you created the following simple yet elegant diagram:

Network

I would like to use your styling to convey simple topologies. Please elaborate or link to the method.

Significant typo in wiki

Very good installation wiki for Centos 7 and Ampache.
I believe I found a typo in the wiki:

yum-config-manager --enable remi-php56

The first hyphen should be a space if the yum command is the same on centos as it is on any other RH based system.

If the Ampache release is installed, installation of Composer isn't necessary. Also .htaccess has already been created.

I would like to suggest that this information is included in the wiki.

User without Domain

Hi, good job!! One question: following your example, you are using "[email protected]" as the domain username. Is there any way to configure freeradius so that the domain does not need to be added to the username (so "richard" is used as the username)?

Thanks!

OSVDC series images

high-level architecture
osvdc-highlevel_arch

architecture with platforms
osvdc-platform_arch

ubnt
netsvcs-ubnt

vlans
ntsvcs-vlans

vlanroutes
netsvcs-vlanroutes

routes
netsvcs-routes

slog - view disks
freenas-viewdisks

zfs pool
volume
freenas-volume

volume status
freenas-volumestatus

datasets
freenas-datasets

nfs shares
freenas-nfsshares

ovirtmanager
ovirtmanager

2nd compute host
osvdc-2ndcomphost

CreateDataDomain
newdomaindata

CreateISODomain
newdomainiso

StorageSummary
storagesummary

ovirtnetworks
ovirtnetworks

ovirtnetworkinterfaces
ovirtnetworksinf

isodomimages
isodom-images

lagports
netsvcs-ports-5_10
netsvcs-ports-13_16

lagportchannel
netsvcs-portchannel_lag

lagvlans
netsvs-vlans_lags

A little note for CentOS 7 Google auth

Hello, friend

In my case, /etc/raddb/users with
DEFAULT Group == "disabled", Auth-Type := Reject
Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM
is not working!!! with a real Cisco ASA.
I mean RADIUS does not send a response to the ASA after authorisation.

But if I comment out these lines in /etc/raddb/users:

DEFAULT Group == "disabled", Auth-Type := Reject

Reply-Message = "Your account has been disabled."

we've got:

[root@rad-01 ]# tcpdump -n -i eth0 -vv -A -s 1500 udp and port 1812 and dst 10.30.246.240
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
19:24:06.043099 IP (tos 0x0, ttl 64, id 64963, offset 0, flags [none], proto UDP (17), length 48)
10.30.243.31.radius > 10.30.246.240.18709: [bad udp cksum 0xfe79 -> 0x79a5!] RADIUS, length: 20
Access Accept (2), id: 0x92, Authenticator: 0a60eb66afce3068312be6489db5a9cd
E..0....@.
.
...
.....I....y....
`.f..0h1+.H....

https://github.com/rharmonson/richtech/wiki/CentOS-7-Minimal-&-Two-factor-Authentication-using-FreeRADIUS-3,-SSSD-1.12,-&-Google-Authenticator

Also, digest must be enabled for Cisco.

Thank you very much for your article. You are great!

CentOS 7 Minimal + 2FA FreeRADIUS 3, SSSD 1.12, & GAuth

Hi,

(Admittedly, I am new to freeradius, so please excuse my ignorance.)

I am working through your instructions and testing freeradius against pam (first section).

When I configure /etc/raddb/users as suggested:

[root@radius ~]# cat /etc/raddb/users | grep -vP '^#' | cat -s

DEFAULT         Group == "disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."

DEFAULT         Auth-Type := PAM

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

[root@radius ~]#

I am unable to auth:

[root@radius ~]# radtest raduser p4ssw0rd localhost 0 testing123
Sending Access-Request Id 1 from 0.0.0.0:34941 to 127.0.0.1:1812
        User-Name = 'raduser'
        User-Password = 'p4ssw0rd'
        NAS-IP-Address = 10.52.10.1
        NAS-Port = 0
        Message-Authenticator = 0x00
Received Access-Reject Id 1 from 127.0.0.1:1812 to 127.0.0.1:34941 length 53
        Reply-Message = 'Your account has been disabled.'
(0) -: Expected Access-Accept got Access-Reject
[root@radius ~]#

Reading the documentation around the updated lines in the file, it indicates:

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#

So I tried the following:

[root@radius ~]# cat /etc/raddb/users | grep -vP '^#' | cat -s

DEFAULT         Auth-Type := PAM

DEFAULT         Group == "disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP

[root@radius ~]#

and it works perfectly:

[root@radius ~]# radtest raduser p4ssw0rd localhost 0 testing123
Sending Access-Request Id 159 from 0.0.0.0:34697 to 127.0.0.1:1812
        User-Name = 'raduser'
        User-Password = 'p4ssw0rd'
        NAS-IP-Address = 10.52.10.1
        NAS-Port = 0
        Message-Authenticator = 0x00
Received Access-Accept Id 159 from 127.0.0.1:1812 to 127.0.0.1:34697 length 20
[root@radius ~]#

Should the DEFAULT Auth-Type be added before the DEFAULT Group == "disabled" section?
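As an added example (not code from the wiki, this issue, or FreeRADIUS), the following Python models the ordering rule quoted from the users file above: entries are tried top to bottom, the first entry whose check items all match is used, and later entries are not consulted unless that entry carries Fall-Through = Yes. It evaluates both orderings, the wiki's (Reject first) and the one tried in this issue (PAM first), for a user in the "disabled" group and for one who is not. It implements only that documented rule, so it does not reproduce the reject seen above with the wiki order for a user outside the group; what it does show is the cost of the reordering: with DEFAULT Auth-Type := PAM first, the disabled-group entry is never reached, so members of that group are also sent to PAM. The users-file snippets and the user and group names are constructed; the Group check is modelled as a set of OS groups on the request.

```python
"""First-match model of the FreeRADIUS users file (rlm_files).

Added example: this is not code from the wiki or from FreeRADIUS. It models
only the ordering rule quoted in the issue above: entries are tried top to
bottom, the first entry whose check items all match is used, and no later
entry is consulted unless that entry carries Fall-Through = Yes. The two
users-file snippets and the sample users/groups below are constructed.
"""
import re
from dataclasses import dataclass, field

# One item: attribute, operator, value (a quoted string or a bare word).
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')


@dataclass
class Entry:
    name: str                                    # "DEFAULT" or a specific User-Name
    checks: list = field(default_factory=list)   # (attr, op, value) items from the entry line
    replies: dict = field(default_factory=dict)  # reply items from the indented lines
    fall_through: bool = False


def parse_items(text):
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """Parse the users-file subset seen on this page: a line starting in column 0
    names the entry and lists comma-separated check/control items; indented lines
    hold reply items (including Fall-Through) for the entry above."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0].isspace():
            for attr, _op, value in parse_items(raw):
                if attr == 'Fall-Through':
                    entries[-1].fall_through = value.lower() in ('yes', '1')
                else:
                    entries[-1].replies[attr] = value
        else:
            parts = raw.split(None, 1)
            entries.append(Entry(parts[0], parse_items(parts[1] if len(parts) > 1 else '')))
    return entries


def check_ok(attr, value, request):
    """Evaluate one '==' check item. Group is special in FreeRADIUS: it is compared
    against the user's OS group membership, modelled here as request['Groups']."""
    if attr == 'Group':
        return value in request.get('Groups', set())
    return request.get(attr) == value


def match(entries, request):
    """Walk the entries in order like rlm_files. Returns (control, reply): the ':='
    control items set by the matching entries and the reply items they add."""
    control, reply = {}, {}
    for e in entries:
        if e.name != 'DEFAULT' and e.name != request.get('User-Name'):
            continue
        if not all(check_ok(a, v, request) for a, op, v in e.checks if op == '=='):
            continue
        for attr, op, value in e.checks:
            if op == ':=':
                control[attr] = value        # := sets (or overrides) the control item
        reply.update(e.replies)
        if not e.fall_through:
            break                            # no Fall-Through: later entries are never consulted
    return control, reply


def decide(users_text, user, groups):
    """(Auth-Type, Reply-Message) that rlm_files would produce for `user`."""
    request = {'User-Name': user, 'Groups': set(groups)}
    control, reply = match(parse_users(users_text), request)
    return control.get('Auth-Type'), reply.get('Reply-Message')


# Order used on the wiki: the disabled-group block comes first.
REJECT_FIRST = """\
DEFAULT         Group == "disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."

DEFAULT         Auth-Type := PAM
"""

# Order tried in the issue: PAM comes first.
PAM_FIRST = """\
DEFAULT         Auth-Type := PAM

DEFAULT         Group == "disabled", Auth-Type := Reject
                Reply-Message = "Your account has been disabled."
"""

if __name__ == '__main__':
    for label, text in (('reject first', REJECT_FIRST), ('PAM first', PAM_FIRST)):
        for user, groups in (('raduser', ['users']), ('olduser', ['disabled'])):
            print(f'{label:13} {user:8} -> {decide(text, user, groups)}')
```

The model also honours a Fall-Through = Yes reply item, so the effect of adding it to the PAM entry (which lets the later disabled-group entry override Auth-Type with :=) can be tried by editing PAM_FIRST.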

Appears not to work with latest versions of software?

After following this guide I have a functional RADIUS server authenticating requests to PAM (and then to AD via SSSD), but whatever magic is supposed to lead PAM (or RADIUS? I can't tell where this is supposed to happen) to strip off the last six characters received and use them as your OTP code doesn't appear to be happening. If I put in my password, I get an Accept, if I put in my password with OTP immediately appended, I get a reject.

Debianized version of this guide

Hi, this wiki is just the sort of thing I have long been searching for. Thank you, I love it!

The OSVDC seems pretty tied to CentOS and FreeNAS. As I normally run Debian, I wonder if there's a version of the wiki, or any plans to add instructions, so that virtualization with the oVirt Virt. Appliance is shown to be feasible?

What do you think of this idea? Thanks!
