Hello,
I have been asked to configure FreeIPA 4.4 servers to handle VPN authentication using a FreeRADIUS server, with 2FA being generated by a Yubikey given to each user.
The existing radius server configuration uses PAM sssd and yubico modules with a static file for the Yubikeys, and works with the token appended to the password. The sssd functions as a user lookup to FreeIPA.
I am hoping to be able to migrate the configuration to use only FreeRADIUS and FreeIPA with dynamic lookups, but I am not sure where to start.
Is there a recommended method, like using the radius ldap module, to query username, password, and Yubikey values?
Does anyone have a working implementation of something similar?
Cheers, Dagan
Hallo,
Dagan McGregor via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
> I have been asked to configure FreeIPA 4.4 servers to handle VPN
What kind of VPN do you use? What client do you use?
> authentication using a FreeRADIUS server, with 2FA being generated by a Yubikey given to each user.
Is the Yubikey enrolled in FreeIPA? Or do you use Yubico's cloud servers, or something else?
> The existing radius server configuration uses PAM sssd and yubico modules with a static file for the Yubikeys, and works with the token appended to the password. The sssd functions as a user lookup to FreeIPA.
> Is there a recommended method, like using the radius ldap module, to query username, password, and Yubikey values?
I do have my Yubikey enrolled in Privacyidea. In FreeIPA I authenticate my user with RADIUS, which in turn asks Privacyidea. Privacyidea uses LDAP from FreeIPA as my userstore (and can authenticate against it with the password only). pam_sss turns to FreeIPA for authentication and asks me for "First Factor" (aka password) and "Second Factor" (aka OTP).
> Does anyone have a working implementation of something similar?
Whether that works for your VPN needs to be checked. If you get only one prompt, try password+OTP.
Jochen
On 13 June 2017 5:01:31 AM NZST, Jochen Hein via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Hi,
The VPN is Cisco, we use openconnect to connect to it currently and it works without a problem.
The Yubikeys in the existing configuration are in a static file, which does reference a cloud api key but I am not sure if this is required?
I am hoping to be able to register each Yubikey against a user in FreeIPA and not have to use any external components to verify them.
But I am looking for some guidance on how that configuration might work.
Cheers, Dagan
Hello Dagan,
> The VPN is Cisco, we use openconnect to connect to it currently and it works without a problem.
I use ocserv on my VPN server and openconnect - normally with GSSAPI, but I'll try with password/OTP.
> The Yubikeys in the existing configuration are in a static file, which does reference a cloud api key but I am not sure if this is required?
No, it is not required.
> I am hoping to be able to register each Yubikey against a user in FreeIPA and not have to use any external components to verify them.
How do you use the two slots on the yubikey? I do use slot 1 with a self programmed yubico mode, but you can also enroll a yubikey directly into FreeIPA. I was happy to overwrite slot 1, but you might want to use slot 2.
> But I am looking for some guidance on how that configuration might work.
I guess it's almost too easy...
- enable OTP in freeipa: ipa config-mod --user-auth-type='password' --user-auth-type='otp'
- enroll the yubikey: ipa otptoken-add-yubikey <user> --slot=<1 or 2>
  beware that the slot will be overwritten and the secret programmed there will be lost.
- enable OTP for the user: ipa user-mod <user> --user-auth-type='password' --user-auth-type='otp'
On your RADIUS server just use PAM-sss against FreeIPA.
My ocserv talks pam directly and asks for "First Factor" and "Second Factor". If RADIUS only asks for "Password", just enter <password><OTP>.
That's it.
Jochen
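As an added illustration of the "just use PAM-sss against FreeIPA" step (this is not Jochen's configuration and not shipped by the FreeIPA or FreeRADIUS projects), here is the FreeRADIUS 3 side of it: the pam module is enabled, every request is routed to it, and the PAM stack for radiusd defers to pam_sss. It assumes a Debian/Ubuntu layout (/etc/freeradius/3.0; RHEL-family systems use /etc/raddb), a RADIUS host already enrolled as an IPA client so sssd is running, and the default localhost client secret testing123 from clients.conf.

```text
# /etc/freeradius/3.0/mods-available/pam   (symlink it into mods-enabled/)
# rlm_pam passes User-Name and User-Password to the PAM service named here.
pam {
    pam_auth = radiusd
}

# /etc/freeradius/3.0/users
# Route every request to PAM. PAM needs the cleartext password, so the NAS
# must send PAP; CHAP/MS-CHAP cannot be verified this way.
DEFAULT    Auth-Type := PAM

# /etc/freeradius/3.0/sites-enabled/default   (only the relevant sections)
authorize {
    preprocess
    files        # loads the DEFAULT entry above and sets Auth-Type := PAM
    pap          # leaves Auth-Type alone because it is already set
}
authenticate {
    Auth-Type PAM {
        pam
    }
}

# /etc/pam.d/radiusd
# pam_sss asks FreeIPA (through sssd) to verify the credentials. RADIUS PAP
# carries a single User-Password, so the user enters <password><OTP> in one
# field; for accounts with auth type 'otp', FreeIPA accepts that concatenation.
auth     required   pam_sss.so
account  required   pam_sss.so

# Check from the RADIUS host itself (0 is the NAS-Port, testing123 the secret):
#   radtest <user> '<password><OTP>' 127.0.0.1 0 testing123
# Expect Access-Accept; a wrong or reused OTP yields Access-Reject.
```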