I've always wanted to find a cost-effective way to implement 2-factor authentication. Commercial solutions are expensive, and if you are a small business, you might not want to spend a small fortune on implementing an enterprise solution with hardware tokens. I stumbled across Google Authenticator a while back and started to wonder how it could be used to implement a free 2-factor authentication solution in my lab. I also found a few posts that suggested teaming it up with Freeradius, and that's really where this post started.
After several attempts, I've managed to find a quick and easy way to get it working. Well, at first glance you'll probably disagree as this is quite a lengthy post, but the steps required to implement the solution are actually very simple. In this blog post, I've tried to explain each step in order. I do not expect everyone to be a Linux expert, and I kept that in mind whilst writing this post. To be honest, this is version 0.1 of this post and I'll probably expand this post over the next few weeks to include overall solution diagrams and extra information. For now, I've managed to at least write up the steps required to implement the solution.
Overview
This solution is based on CentOS 6.3. You can use any other Linux distribution, but the instructions in this post are CentOS/RHEL specific. We will be using Freeradius, an open source RADIUS server, as the main component. Freeradius will make use of Pluggable Authentication Modules (PAM), and PAM will call upon Google Authenticator, which is basically a module written for PAM. Google Authenticator will verify a user's password together with a token code that changes every 30 seconds. The user will use the Google Authenticator mobile app to obtain a new token code every time a new login is required.
To finish, we will configure VMware Horizon View to make use of RADIUS authentication, and to contact the Freeradius server whenever a user requests a new connection using the View Client.
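To make the "token code that changes every 30 seconds" concrete, here is an added example (not code from this post or from the Google Authenticator project) that derives the codes with the TOTP algorithm of RFC 6238 and verifies them with some tolerance for clock drift. The secret is the RFC test key, and the one-step `window` is an assumption chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds each code stays valid, as described above
DIGITS = 6     # length of the code shown in the mobile app
# Constructed sample secret: the RFC 4226/6238 test key, base32-encoded.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Decode the base32 shared secret; tolerate spaces, lower case, no padding."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, step: int = STEP) -> str:
    """RFC 6238: HOTP where the counter is floor(unix_time / step)."""
    return hotp(key, int(now) // step)


def verify(key: bytes, code: str, now: float, window: int = 1) -> bool:
    """Accept codes up to `window` steps either side of `now` (clock drift)."""
    counter = int(now) // STEP
    ok = False
    for delta in range(-window, window + 1):
        if counter + delta >= 0:
            candidate = hotp(key, counter + delta)
            ok |= hmac.compare_digest(candidate.encode(), code.encode())
    return ok


if __name__ == "__main__":
    key = decode_secret(SAMPLE_SECRET)
    for t in (0, 29, 30, 59, 60):  # code changes only at 30-second boundaries
        print(t, totp(key, t))
```

The server and the phone never exchange the code in advance: both compute it from the same secret and their own clocks, so time synchronisation on the RADIUS host matters as much as protecting the secret.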