Using Google Authenticator for MFA with RADIUS
As discussed, a 2FA authentication scheme is the best option for accessing public-facing services, especially any services facing the public internet, where in days gone by you might have configured a simple user ID and password for authentication. The ongoing Short Message Service (SMS) compromises reported in the press illustrate why SMS messages are a poor choice for 2FA. Fortunately, tools such as Google Authenticator can be configured for this use case at no cost.
First, we'll install a new package that allows authentication to Google Authenticator, as follows:
$ sudo apt-get install libpam-google-authenticator -y
In the users file, we'll change user authentication to use pluggable authentication modules (PAMs), as follows:
# Instruct FreeRADIUS to use PAM to authenticate users
DEFAULT Auth-Type := PAM
$ sudo vi /etc/freeradius/3.0/sites-enabled/default
Uncomment the pam line, like...
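To confirm that both edits shown above are actually active before restarting the service, a check like the following can be run. It is an added example, not part of the original text; the function names are hypothetical, the file paths are passed as arguments, and the sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: checks the two FreeRADIUS edits described above.
# Function names are hypothetical; file paths are passed as arguments.

# Succeeds if the users file has an uncommented "DEFAULT Auth-Type := PAM".
users_uses_pam() {
    grep -Eq '^[[:space:]]*DEFAULT[[:space:]]+Auth-Type[[:space:]]*:=[[:space:]]*PAM([[:space:],]|$)' "$1"
}

# Succeeds if "pam" is uncommented directly inside authenticate { ... }.
site_enables_pam() {
    awk '
        { sub(/#.*/, "") }                      # ignore comments
        !in_auth && /^[ \t]*authenticate[ \t]*[{]/ { in_auth = 1; depth = 1; next }
        in_auth {
            if (depth == 1 && $0 ~ /^[ \t]*pam[ \t]*$/) found = 1
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth <= 0) in_auth = 0         # left the authenticate section
        }
        END { exit !found }
    ' "$1"
}

# check USERS_FILE SITE_FILE: report each missing edit, return 1 if any.
check() {
    rc=0
    users_uses_pam "$1" || { echo "FAIL: $1: no active DEFAULT Auth-Type := PAM"; rc=1; }
    site_enables_pam "$2" || { echo "FAIL: $2: pam not enabled in authenticate"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: PAM is enabled in both files"
    return "$rc"
}

# Constructed sample files (not real FreeRADIUS configuration).
write_samples() {
    printf '%s\n' '# Instruct FreeRADIUS to use PAM to authenticate users' \
        'DEFAULT Auth-Type := PAM' > "$1/users.ok"
    printf '%s\n' '#DEFAULT Auth-Type := PAM' > "$1/users.bad"
    printf '%s\n' 'authenticate {' '    Auth-Type PAP {' '        pap' '    }' \
        '    pam' '}' > "$1/site.ok"
    printf '%s\n' 'authenticate {' '    Auth-Type PAP {' '        pap' '    }' \
        '#    pam' '}' > "$1/site.bad"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check "$tmp/users.ok" "$tmp/site.ok"
check "$tmp/users.bad" "$tmp/site.bad" || true
```

On a real host, call `check` with the users file and `/etc/freeradius/3.0/sites-enabled/default` instead of the sample files.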