> The VPN is Cisco, we use openconnect to connect to it currently and it
> works without a problem.
I use ocserv on my VPN server and openconnect - normally with GSSAPI,
but I'll try with password/OTP.
> The Yubikeys in the existing configuration are in a static file, which
> does reference a cloud api key but I am not sure if this is required?
No, it is not required.
> I am hoping to be able to register each Yubikey against a user is
> FreeIPA and not have to use any external components to verify them.
How do you use the two slots on the yubikey? I do use slot 1 with a self-programmed
Yubico mode, but you can also enroll a yubikey directly into
FreeIPA. I was happy to overwrite slot 1, but you might want to use
> But I am looking for some guidance on how that configuration might work.
I guess it's almost too easy...
- enable OTP in freeipa:
ipa config-mod --user-auth-type='password' --user-auth-type='otp'
- enroll the yubikey (the positional argument of otptoken-add-yubikey is the token ID, so the user goes in --owner):
ipa otptoken-add-yubikey --owner=<user> --slot=<1 or 2>
beware that the slot will be overwritten and the secret programmed
there will be lost.
- enable OTP for the user
ipa user-mod <user> --user-auth-type='password' --user-auth-type='otp'
On your RADIUS server just use pam_sss against FreeIPA.
My ocserv talks pam directly and asks for "First Factor" and "Second
Factor". If RADIUS only asks for "Password", just enter <password><OTP>.
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
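As an added illustration (not FreeIPA's or SSSD's own code) of the "<password><OTP>" case mentioned above, where a RADIUS front end only offers a single Password field: the server has to split the combined string, check the password, then check the trailing digits as an HOTP code against the token's counter with a small look-ahead window, and burn the counter so the same OTP cannot be replayed. The code assumes a YubiKey programmed by otptoken-add-yubikey in HOTP mode producing 6 digits (the OTP_DIGITS constant), and uses a constructed user record and the RFC 4226 test secret; the password hashing and window size are illustrative choices, not what FreeIPA does internally.

```python
"""Illustrative verification of a combined <password><OTP> credential.

Added example, not FreeIPA/SSSD code. Assumes the OTP is a 6-digit
OATH-HOTP code such as a YubiKey programmed by `ipa otptoken-add-yubikey`
emits; the user record and password hashing are constructed for the demo.
"""
import hashlib
import hmac
import struct

OTP_DIGITS = 6          # assumption: 6-digit HOTP token
HOTP_WINDOW = 5         # assumption: how many skipped counters we tolerate
PBKDF2_ROUNDS = 100_000 # assumption: demo password hashing, not FreeIPA's


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpUser:
    """Constructed stand-in for a directory entry: password hash, token
    secret and the next HOTP counter the server expects."""

    def __init__(self, password: str, token_secret: bytes,
                 salt: bytes = b"constructed-salt") -> None:
        self.salt = salt
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                           salt, PBKDF2_ROUNDS)
        self.token_secret = token_secret
        self.counter = 0


def _password_ok(user: OtpUser, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    user.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user.pw_hash)


def verify_combined(user: OtpUser, credential: str,
                    window: int = HOTP_WINDOW) -> bool:
    """Accept "<password><OTP>" typed into a single Password field.

    The last OTP_DIGITS characters are the OTP, everything before them is
    the password. The password is checked first so a wrong password does
    not consume (burn) a valid OTP; on success the counter is advanced
    past the matched value, which rejects replay of the same code."""
    if len(credential) <= OTP_DIGITS:
        return False
    password, otp = credential[:-OTP_DIGITS], credential[-OTP_DIGITS:]
    if not otp.isdigit():
        return False
    if not _password_ok(user, password):
        return False
    for c in range(user.counter, user.counter + window):
        if hmac.compare_digest(hotp(user.token_secret, c), otp):
            user.counter = c + 1   # burn this and any skipped counters
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 test secret; the password is a constructed demo value.
    user = OtpUser("hunter2", b"12345678901234567890")
    print(verify_combined(user, "hunter2" + hotp(user.token_secret, 0)))  # True
    print(verify_combined(user, "hunter2" + hotp(user.token_secret, 0)))  # False (replay)
```

The look-ahead window is what lets a user survive pressing the YubiKey button a few times without logging in; keeping it small limits how many guesses an attacker who already knows the password gets per attempt, and on a real server it should be paired with lockout on repeated failures.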