```bash
# Download the signing key
wget https://lancelot.netknights.it/NetKnights-Release.asc
# Check the fingerprint before trusting the key
gpg --import --import-options show-only --with-fingerprint NetKnights-Release.asc
# Add the signing key
mv NetKnights-Release.asc /etc/apt/trusted.gpg.d/
# Add the repository
apt install software-properties-common -y
add-apt-repository http://lancelot.netknights.it/community/jammy/stable
# Install privacyIDEA
apt update && apt install privacyidea-apache2 privacyidea-radius -y
# Add the privacyIDEA web administrator
pi-manage admin add admin -e admin@localhost
# Add a local privacyIDEA user for authentication
/opt/privacyidea/bin/privacyidea-create-pwidresolver-user -u ljc -i 10 -p 123456.com -d 'User LJC' >> /etc/privacyidea/privacyidea_user
# Here ljc is the username and 123456.com is the password
```
1.2 Configure the RADIUS client
```bash
vi /etc/freeradius/3.0/clients.conf
```
Add the following before the `# IPv6 Client` line:
```
client palo_alto {
    ipaddr = 192.168.0.24
    secret = pasecret123
}
```
Save, exit, and restart FreeRADIUS:
```bash
systemctl restart freeradius
```
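The `secret` in the client block above does two things for every packet between the firewall and FreeRADIUS: it hides the PAP `User-Password` the firewall sends, and it lets the firewall verify that an `Access-Challenge` or `Access-Accept` really came from the server holding the same secret. The following Python is an added example (not code from this post, from FreeRADIUS, or from privacyIDEA) that implements those two RFC 2865 mechanisms so the behaviour can be checked offline; the secret value, the username, the challenge text and the `State` value are taken from this post's configuration and are constructed sample data. Carrying the challenge prompt in `Reply-Message` with a `State` attribute is an assumption about how the challenge reaches the firewall, not something the post states.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes (RFC 2865) seen in a challenge-response 2FA exchange
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
# Attribute types used below
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24

# Shared secret from the clients.conf block above (constructed sample value)
SECRET = b"pasecret123"


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a PAP User-Password as in RFC 2865 section 5.2: zero-pad to a multiple of
    16 bytes, XOR each block with MD5(secret + previous block), seeded with the
    16-byte Request Authenticator of the Access-Request."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        hidden += chunk
        prev = chunk
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password; the server needs the same secret and authenticator."""
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        plain += bytes(c ^ s for c, s in zip(chunk, stream))
        prev = chunk
    return bytes(plain).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(attrs: bytes) -> list:
    """Decode the attribute area of a packet into (type, value) pairs, rejecting bad lengths."""
    out, pos = [], 0
    while pos + 2 <= len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((attr_type, attrs[pos + 2:pos + length]))
        pos += length
    return out


def build_response(code: int, ident: int, attrs: bytes,
                   request_authenticator: bytes, secret: bytes) -> bytes:
    """Build a server reply (e.g. Access-Challenge). Its Authenticator field is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Client-side check the NAS performs: a reply built with a different secret,
    or modified in transit, fails this comparison and must be discarded."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])
```

Both checks rest on MD5 keyed with a static shared secret, which is why RADIUS between the firewall and the privacyIDEA host belongs on a trusted network segment (or inside a TLS tunnel such as RadSec) and why the secret should be long and random rather than a word like the sample value.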
2. privacyIDEA configuration
2.1 Hide the web welcome message
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616100027128-733534197.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616100108425-1329370438.png)
Search for hide and tick hide_welcome_info to hide the welcome message in the web UI.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616100204876-1571710815.png)
Change the web session timeout.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616100831118-1917432630.png)
2.2 Create the authentication realm
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616101113542-376318775.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616101228105-1060841584.png)
2.3 Create the authentication database (resolver)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616101723975-1067927058.png)
For File name, select the local password database file created when installing privacyIDEA in step 1: /etc/privacyidea/privacyidea_user
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616101745342-1083620739.png)
Go back to the realm, select the local password database just created and set its priority.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616102033449-1329883490.png)
2.4 Configure the outgoing mail server
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616102259247-1668756456.png)
Fill in the mail server details and save. Once filled in, click Send Test Email to check that the configuration works.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616102338736-324995956.png)
2.5 Configure the user Email token and its timeout
Set the global timeout to 10 minutes.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616102650235-362625224.png)
Set the email address of the individual user.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616103310768-1986249975.png)
2.6 Configure the authentication policy
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616103613974-1171755156.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616103646846-1670021011.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616103732897-923331568.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616103920567-1529622117.png)
Enter: Please enter the code you received email
This text is shown on the screen where the user enters the verification code.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616103937776-853296558.png)
email_challenge_text: Please enter the code you received email
emailsubject (email subject): I think you just received a PaloAlto GlobalProtect OTP
emailtext (email body): {otp} is the you received OTP
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616104245308-6818305.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616104528330-1859415741.png)
The policy after saving:
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616104634290-751164807.png)
3. Palo Alto configuration
The GlobalProtect configuration itself is covered in another post and is not repeated here: https://www.cnblogs.com/id404/p/17465413.html
3.1 RADIUS configuration
Check the service route used for RADIUS: by default the firewall sends RADIUS requests from the management interface, so if they need to be sent from a different interface the service route must be changed.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616105753311-102481042.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616110526223-835121321.png)
Change the portal's authentication profile to radius.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616110732106-2104680289.png)
In the agent configuration, enable two-factor authentication.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616110949868-298831810.png)
Change the gateway's authentication profile to radius.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616111612339-1695989153.png)
3. Client login
3.1 Portal login
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616112205072-1381800338.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616112914008-1165996427.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616113031697-1923447056.png)
Login successful.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616113112262-922471552.png)
Client login
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616113254567-1806596356.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616113314209-313897771.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616113353195-1806458623.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616113429475-536340447.png)
On the PA, the user's successful connection is visible.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230616113635206-38732808.png)
4. TOTP two-step verification
4.1 privacyIDEA configuration: user token
Delete and recreate the user's token.
First delete the EMAIL token created earlier for the user.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620124327589-450632402.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620124445857-818770970.png)
Create a new TOTP token for the user.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620124600490-778844857.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620163059713-337081262.png)
Scan the QR code with Google Authenticator or another TOTP two-step verification app.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620125058254-1640245207.png)
4.2 privacyIDEA configuration: authentication policy
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620125234823-1826933897.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620125346246-1697031708.png)
Untick the Email options configured in the earlier steps and select only the following four items.
Set challenge_response to TOTP.
The challenge_text content is arbitrary; it only serves to prompt the user to enter the two-step verification code.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620125414246-1176768905.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620125437628-1296485199.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620125457902-962523211.png)
4.3 User login
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620133129053-908836607.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620133211323-1765699456.png)
Login successful.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620133307297-1729110753.png)
Client login
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620133352925-104810645.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620133423274-2091400453.png)
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620133454970-1641024766.png)
5. Multiple authentication methods
For example, user 1 uses email as the second factor, users 2 and 3 use TOTP, and user 4 authenticates with a password only and no second factor: create several policies, each applying a different authentication method to different users.
![](https://img2023.cnblogs.com/blog/725676/202306/725676-20230620142758260-766076876.png)