On 13 June 2017 5:01:31 AM NZST, Jochen Hein via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
>
>Hallo,
>
>Dagan McGregor via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
>writes:
>
>> I have been asked to configure FreeIPA 4.4 servers to handle VPN
>
>What kind of VPN do you use?  What client do you use?
>
>> authentication using a FreeRADIUS server, with 2FA being generated by
>> a Yubikey given to each user.
>
>Is the Yubikey enrolled in FreeIPA? Or do you use Yubico's cloud
>servers, or something else?
>
>> The existing radius server configuration uses PAM sssd and yubico
>> modules with a static file for the Yubikeys, and works with the token
>> appended to the password. The sssd functions as a user lookup to
>> FreeIPA.
>
>> Is there a recommended method, like using the radius ldap module, to
>> query username, password, and Yubikey values?
>
>I do have my Yubikey enrolled in Privacyidea.  In FreeIPA I
>authenticate
>my user with RADIUS, which in turn asks Privacyidea.  Privacyidea uses
>LDAP from FreeIPA as my userstore (and can authenticate against it with
>the password only).  pam_sss turns to FreeIPA for authentication and
>asks me for "First Factor" (aka password) and "Second Factor" (aka
>OTP).
>
>> Does anyone have a working implementation of something similar? 
>
>If that works for your VPN needs to be checked. If you get only one
>prompt, try password+OTP.
>
>Jochen

Hi, 

The VPN is Cisco, we use openconnect to connect to it currently and it works 
without a problem. 

The Yubikeys in the existing configuration are in a static file, which does 
reference a cloud api key but I am not sure if this is required?

I am hoping to be able to register each Yubikey against a user in FreeIPA and 
not have to use any external components to verify them.

But I am looking for some guidance on how that configuration might work. 

Cheers, 
Dagan
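The setup Dagan is asking about, as an added example that is not part of this thread and not anyone's production configuration: FreeRADIUS hands every request to PAM, pam_sss sends the combined password+OTP to FreeIPA, and the Yubikey is enrolled directly in FreeIPA as an HOTP token, so no static Yubikey file and no Yubico cloud API key are involved. It assumes the RADIUS host is already an IPA client (ipa-client-install), a FreeRADIUS 3.x layout under /etc/raddb, and that `ipa otptoken-add-yubikey --owner --slot` and `ipa user-mod --user-auth-type=otp` are the enrolment commands (check `ipa help otptoken-add-yubikey` on your 4.4 server). The VPN headend address, the shared secret, the user `alice` and slot `2` are placeholders; the script renders into a scratch directory (`ROOT`) and prints the `ipa` commands instead of running them, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Stages the pieces for a
# FreeRADIUS -> PAM -> SSSD -> FreeIPA chain with the Yubikey enrolled in
# FreeIPA as an HOTP token, so no Yubico cloud API key is involved.
# Assumptions: the RADIUS host is an IPA client and FreeRADIUS 3.x lives
# under /etc/raddb. ROOT defaults to a scratch directory so nothing under
# the real /etc is touched.
ROOT="${ROOT:-./staging}"

# PAM service for radiusd: pam_sss handles both factors. rlm_pam supplies a
# single password, so users type <password><OTP> in the one VPN prompt.
render_pam_radiusd() {
    mkdir -p "$ROOT/etc/pam.d"
    cat > "$ROOT/etc/pam.d/radiusd" <<'EOF'
#%PAM-1.0
auth     required  pam_sss.so
account  required  pam_sss.so
EOF
}

# Minimal FreeRADIUS virtual server that routes every request to rlm_pam.
# The headend address and shared secret are placeholders.
render_freeradius() {
    mkdir -p "$ROOT/etc/raddb/mods-enabled" "$ROOT/etc/raddb/sites-enabled"
    cat > "$ROOT/etc/raddb/mods-enabled/pam" <<'EOF'
pam {
    pam_auth = radiusd
}
EOF
    cat > "$ROOT/etc/raddb/sites-enabled/vpn" <<'EOF'
server vpn {
    listen {
        type = auth
        ipaddr = *
        port = 1812
    }
    authorize {
        update control {
            Auth-Type := PAM
        }
    }
    authenticate {
        Auth-Type PAM {
            pam
        }
    }
}
EOF
    cat > "$ROOT/etc/raddb/clients.conf" <<'EOF'
client cisco_vpn {
    ipaddr = 192.0.2.10   # placeholder: the VPN headend's address
    secret = CHANGE-ME    # placeholder: generate a real shared secret
}
EOF
}

# Enrolment commands, printed rather than executed so the script stays
# offline. ipa otptoken-add-yubikey programs the plugged-in key's slot with
# a fresh HOTP secret and stores the matching token in FreeIPA; marking the
# user as OTP-authenticated makes the password alone insufficient.
enroll_commands() {
    user="$1"
    slot="${2:-2}"
    printf 'ipa user-mod %s --user-auth-type=otp\n' "$user"
    printf 'ipa otptoken-add-yubikey --owner=%s --slot=%s\n' "$user" "$slot"
}

# Sanity check on the rendered PAM stack: both phases must go through pam_sss.
pam_stack_ok() {
    grep -Eq '^auth +required +pam_sss\.so' "$ROOT/etc/pam.d/radiusd" &&
    grep -Eq '^account +required +pam_sss\.so' "$ROOT/etc/pam.d/radiusd"
}

render_pam_radiusd
render_freeradius
pam_stack_ok && echo "rendered under $ROOT"
enroll_commands "${IPA_USER:-alice}" "${YUBIKEY_SLOT:-2}"
```

The enrolment step has to run on a machine where the Yubikey is plugged in, since FreeIPA programs the slot itself; after that the key's HOTP counter lives in FreeIPA, which is why the static file and the cloud key become unnecessary. Because openconnect presents only one password prompt, the concatenated password+OTP form Jochen mentions is the one that fits this chain.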
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org