On 13 June 2017 5:01:31 AM NZST, Jochen Hein via FreeIPA-users wrote:
>Dagan McGregor via FreeIPA-users <firstname.lastname@example.org> wrote:
>> I have been asked to configure FreeIPA 4.4 servers to handle VPN
>What kind of VPN do you use? What client do you use?
>> authentication using a FreeRADIUS server, with 2FA being generated by
>> a Yubikey given to each user.
>Is the Yubikey enrolled in FreeIPA? Or do you use Yubico's cloud
>servers, or something else?
>> The existing radius server configuration uses PAM sssd and yubico
>> modules with a static file for the Yubikeys, and works with the token
>> appended to the password. The sssd functions as a user lookup to
>> Is there a recommended method, like using the radius ldap module, to
>> query username, password, and Yubikey values?
>I do have my Yubikey enrolled in Privacyidea. In FreeIPA I
>my user with RADIUS, which in turn asks Privacyidea. Privacyidea uses
>LDAP from FreeIPA as my userstore (and can authenticate against it with
>the password only). pam_sss turns to FreeIPA for authentication and
>asks me for "First Factor" (aka password) and "Second Factor" (aka
>> Does anyone have a working implementation of something similar?
>If that works for your VPN needs to be checked. If you get only one
>prompt, try password+OTP.
The VPN is Cisco, we use openconnect to connect to it currently and it works
without a problem.
The Yubikeys in the existing configuration are in a static file, which does
reference a cloud API key, but I am not sure if this is required?
I am hoping to be able to register each Yubikey against a user in FreeIPA and
not have to use any external components to verify them.
But I am looking for some guidance on how that configuration might work.
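For readers following the thread: FreeIPA can hold the Yubikey itself as an OATH-HOTP token (`ipa otptoken-add-yubikey` programs a slot and enrolls it, and `ipa user-mod --user-auth-type=otp` turns OTP on for the user), and its LDAP bind and built-in RADIUS responder (ipa-otpd) accept the "password+OTP" form the original poster already uses. The script below is an added illustration of that mechanism, not code from FreeIPA, FreeRADIUS or anyone on this list: it implements RFC 4226 HOTP, splits the trailing digits off a combined "password+OTP" string, checks the static password first, and only then consumes a counter value so a code cannot be replayed. The user store, salt, secret (the RFC 4226 test key) and the look-ahead window are constructed assumptions for the example.

```python
"""Password+OTP split and HOTP verification (added example, not FreeIPA's code)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpToken:
    """An enrolled OATH-HOTP token: shared secret, code length, next acceptable counter."""

    def __init__(self, secret: bytes, digits: int = 6, counter: int = 0):
        self.secret = secret
        self.digits = digits
        self.counter = counter  # lowest counter value the server will still accept

    def check(self, code: str, window: int = 10) -> bool:
        """Accept the code if it matches any counter in [counter, counter + window).
        On success move past the matched counter, so the same code is rejected on replay.
        The window size is an assumption of this example, not a FreeIPA default."""
        for c in range(self.counter, self.counter + window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1
                return True
        return False


SALT = b"constructed-salt"  # constructed; a real store uses a random per-user salt


def hash_password(password: str) -> bytes:
    """PBKDF2-HMAC-SHA256 of the static password (never store it in clear)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed directory: the HOTP secret is the RFC 4226 test key, not a real Yubikey's.
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse"),
        "token": HotpToken(b"12345678901234567890", digits=6, counter=0),
    },
}


def verify_password_plus_otp(user: str, submitted: str, window: int = 10) -> bool:
    """Authenticate a single 'password+OTP' string: the trailing token.digits
    characters are the OTP, everything before them is the static password."""
    entry = USERS.get(user)
    if entry is None:
        return False
    token = entry["token"]
    if len(submitted) <= token.digits:
        return False
    password, otp = submitted[:-token.digits], submitted[-token.digits:]
    if not otp.isdigit():
        return False
    # Check the password first so a wrong password never consumes an OTP counter value.
    if not hmac.compare_digest(hash_password(password), entry["pw_hash"]):
        return False
    return token.check(otp, window)


if __name__ == "__main__":
    print(verify_password_plus_otp("alice", "correct horse755224"))  # first use of counter 0
    print(verify_password_plus_otp("alice", "correct horse755224"))  # replay is refused
```

The split-by-length rule is what makes the "token appended to the password" prompt work with a single RADIUS `User-Password` attribute; the same string can be handed to an LDAP simple bind against FreeIPA once the user's auth type is `otp`, which is why no separate Yubico cloud lookup is needed when the key is enrolled in FreeIPA as an HOTP token.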
FreeIPA-users mailing list -- email@example.com