Dagan McGregor via FreeIPA-users <email@example.com>
> I have been asked to configure FreeIPA 4.4 servers to handle VPN
What kind of VPN do you use? What client do you use?
> authentication using a FreeRADIUS server, with 2FA being generated by
> a Yubikey given to each user.
Is the Yubikey enrolled in FreeIPA? Or do you use Yubico's cloud
servers, or something else?
> The existing radius server configuration uses PAM sssd and yubico
> modules with a static file for the Yubikeys, and works with the token
> appended to the password. The sssd functions as a user lookup to
> Is there a recommended method, like using the radius ldap module, to
> query username, password, and Yubikey values?
I do have my Yubikey enrolled in Privacyidea. In FreeIPA I authenticate
my user with RADIUS, which in turn asks Privacyidea. Privacyidea uses
LDAP from FreeIPA as my userstore (and can authenticate against it with
the password only). pam_sss turns to FreeIPA for authentication and
asks me for "First Factor" (aka password) and "Second Factor" (aka OTP).
> Does anyone have a working implementation of something similar?
Whether that works for your VPN needs to be checked. If you get only one
prompt, try password+OTP.
This space is intentionally left blank.
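For the single-prompt "password+OTP" case discussed in this thread, the following is an added example (not code from the thread or from FreeIPA, privacyIDEA or pam_yubico) of how a backend can split the combined credential and check the token's public ID against a static user-to-Yubikey mapping. It assumes a 44-character Yubico OTP and mapping lines of the form `user:publicid[:publicid...]`; the function names and sample values are hypothetical, and the OTP and password themselves still have to be verified by the validation service and the user store.

```python
import re

# Yubico OTP: 44 modhex characters; the first 12 are the token's public ID.
MODHEX_OTP = re.compile(r"[cbdefghijklnrtuv]{44}\Z")
OTP_LEN, PUBLIC_ID_LEN = 44, 12


def parse_authfile(text):
    """Parse static mapping lines 'user:publicid[:publicid...]'."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        mapping.setdefault(user, set()).update(i for i in ids if i)
    return mapping


def split_credential(credential):
    """Split 'password+OTP' into (password, otp); None if no OTP is appended."""
    if len(credential) <= OTP_LEN:
        return None  # too short to hold a first factor plus an OTP
    password, otp = credential[:-OTP_LEN], credential[-OTP_LEN:]
    if not MODHEX_OTP.match(otp):
        return None  # tail is not a well-formed OTP (e.g. wrong alphabet)
    return password, otp


def token_belongs_to(user, credential, mapping):
    """True if an OTP is present and its public ID is mapped to this user."""
    parts = split_credential(credential)
    if parts is None:
        return False
    return parts[1][:PUBLIC_ID_LEN] in mapping.get(user, set())


# Constructed sample data: not real tokens, users or passwords.
AUTHFILE = """
# user:public-id
alice:ccccccbcdefg
bob:ccccccbhijkl:ccccccbnrtuv
"""
SAMPLE_OTP = "ccccccbcdefg" + "hijklnrtuvcbdefghijklnrtuvcbdefg"  # 12 + 32
```

A `None` from `split_credential` means the client sent only the first factor, so the request should be rejected rather than treated as password-only.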