Hello Dagan,

> The VPN is Cisco, we use openconnect to connect to it currently and it
> works without a problem.

I use ocserv on my VPN server and openconnect - normally with GSSAPI, but I'll try with password/OTP.

> The Yubikeys in the existing configuration are in a static file, which
> does reference a cloud api key but I am not sure if this is required?

No, it is not required.

> I am hoping to be able to register each Yubikey against a user in
> FreeIPA and not have to use any external components to verify them.

How do you use the two slots on the Yubikey? I do use slot 1 with a self-programmed Yubico mode, but you can also enroll a Yubikey directly into FreeIPA. I was happy to overwrite slot 1, but you might want to use slot 2.

> But I am looking for some guidance on how that configuration might work.

I guess it's almost too easy...

- Enable OTP in FreeIPA:

    ipa config-mod --user-auth-type='password' --user-auth-type='otp'

- Enroll the Yubikey:

    ipa otptoken-add-yubikey <user> --slot=<1 or 2>

  Beware that the slot will be overwritten and the secret programmed there will be lost.

- Enable OTP for the user:

    ipa user-mod <user> --user-auth-type='password' --user-auth-type='otp'

On your RADIUS server just use pam_sss against FreeIPA. My ocserv talks PAM directly and asks for "First Factor" and "Second Factor". If RADIUS only asks for "Password", just enter <password><OTP>.

That's it.

Jochen
-- 
This space is intentionally left blank.

_______________________________________________
FreeIPA-users mailing list
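Added illustration (not part of the thread, and not FreeIPA's own code) of the single-field "<password><OTP>" case Jochen describes: `ipa otptoken-add-yubikey` programs the slot as an OATH-HOTP token, so the second factor is a 6- or 8-digit code that a verifier can peel off the end of the password field and check with a small look-ahead window. The seed is the RFC 4226 test key and the user record is constructed; real FreeIPA does this split inside the KDC/ipa-otpd, not in a RADIUS module.

```python
"""Constructed example: verify a concatenated <password><HOTP> value.

FreeIPA-enrolled YubiKey slots are OATH-HOTP (RFC 4226), so when a RADIUS
client offers only one "Password" field, the last `digits` characters are
the one-time code and everything before them is the static password.
"""
import hashlib
import hmac
import struct

# RFC 4226 test key "12345678901234567890" and a made-up user record.
DEMO_SEED = bytes.fromhex("3132333435363738393031323334353637383930")
DEMO_USER = {"password": "correct horse", "seed": DEMO_SEED, "digits": 6, "counter": 0}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def split_password_otp(field: str, digits: int):
    """Return (password, otp) from a single field, or None if no code is present."""
    if len(field) <= digits or not field[-digits:].isdigit():
        return None
    return field[:-digits], field[-digits:]


def verify(user: dict, field: str, window: int = 5) -> bool:
    """Check the static password, then the HOTP code within a look-ahead window.

    On success the stored counter moves past the accepted code, so the same
    code cannot be replayed. The password check is a stand-in for the
    directory bind FreeIPA actually performs.
    """
    parts = split_password_otp(field, user["digits"])
    if parts is None:
        return False
    password, otp = parts
    if not hmac.compare_digest(password.encode(), user["password"].encode()):
        return False
    for step in range(window):
        candidate = user["counter"] + step
        if hmac.compare_digest(hotp(user["seed"], candidate, user["digits"]), otp):
            user["counter"] = candidate + 1
            return True
    return False
```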