> I have been asked to configure FreeIPA 4.4 servers to handle VPN

What kind of VPN do you use?  What client do you use?

> authentication using a FreeRADIUS server, with 2FA being generated by
> a Yubikey given to each user.

Is the Yubikey enrolled in FreeIPA? Or do you use Yubico's cloud
servers, or something else?

> The existing radius server configuration uses PAM sssd and yubico
> modules with a static file for the Yubikeys, and works with the token
> appended to the password. The sssd functions as a user lookup to
> FreeIPA.

> Is there a recommended method, like using the radius ldap module, to
> query username, password, and Yubikey values?

I do have my Yubikey enrolled in Privacyidea.  In FreeIPA I authenticate
my user with RADIUS, which in turn asks Privacyidea.  Privacyidea uses
LDAP from FreeIPA as my userstore (and can authenticate against it with
the password only).  pam_sss turns to FreeIPA for authentication and
asks me for "First Factor" (aka password) and "Second Factor" (aka OTP).

> Does anyone have a working implementation of something similar? 

Whether that works for your VPN needs to be checked. If you get only one
prompt, try password+OTP.

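
The reply above describes FreeIPA handing the user's authentication to a RADIUS
proxy and suggests trying password+OTP when the client shows only one prompt.
As an added example (not code from this thread, nor from FreeIPA, FreeRADIUS or
privacyIDEA), here is a small RFC 2865 PAP client in Python that sends exactly
that: the password with the OTP appended in a single User-Password attribute,
hidden with the RFC 2865 scheme, and then validates the server's Response
Authenticator so a forged reply or a wrong shared secret is not mistaken for an
Access-Accept. The server name, shared secret, NAS-Identifier and user at the
bottom are placeholders I assumed; replace them with your own.

```python
"""Minimal RADIUS (RFC 2865) PAP client to exercise a password+OTP chain.

Added example for the thread above; not code from FreeIPA, FreeRADIUS or
privacyIDEA. Assumed (not from the thread): the server listens on UDP 1812,
and the secret, NAS-Identifier and user below are placeholders.
"""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 octets, XOR each block with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (the server's view); strips the NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a positive multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, otp, nas_id, authenticator=None):
    """Access-Request with password+OTP concatenated into one User-Password."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         hide_password((password + otp).encode(), secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side of the exchange, included so parse_response can be tested offline."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_response(packet, secret, request_authenticator, ident):
    """Check identifier and Response Authenticator (RFC 2865 3), return the code."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or rid != ident:
        raise ValueError("length or identifier mismatch")
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    return code


def radius_check(server, secret, username, password, otp, nas_id="vpn-test",
                 port=1812, timeout=5.0):
    """Send one request and return the reply's code name (needs network access)."""
    ident = os.urandom(1)[0]
    request, authenticator = build_access_request(ident, secret, username, password, otp, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        reply, _ = sock.recvfrom(4096)
    code = parse_response(reply, secret, authenticator, ident)
    return CODE_NAMES.get(code, f"code {code}")


if __name__ == "__main__":
    # Placeholder server, secret, user and OTP (assumed, not from the thread).
    print(radius_check("radius.example.com", b"testing123", "jdoe",
                       "Password1", "cccccc" + "c" * 38))
```

Point it at the FreeRADIUS that fronts privacyIDEA, using the same shared
secret the VPN will use. Access-Accept with password+OTP confirms the
single-prompt path; Access-Reject with the right secret means the chain
rejected the credentials (check the privacyIDEA audit log); Access-Challenge
means the server wants a second round trip with a State attribute, i.e. a
separate OTP prompt, which this one-shot client does not continue.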

