Hello Dagan,

> The VPN is Cisco, we use openconnect to connect to it currently and it
> works without a problem.

I use ocserv on my VPN server and openconnect - normally with GSSAPI,
but I'll try with password/OTP.

> The Yubikeys in the existing configuration are in a static file, which
> does reference a cloud api key but I am not sure if this is required?

No, it is not required.

> I am hoping to be able to register each Yubikey against a user in
> FreeIPA and not have to use any external components to verify them.

How do you use the two slots on the yubikey? I do use slot 1 with a
self-programmed yubico mode, but you can also enroll a yubikey directly
into FreeIPA.  I was happy to overwrite slot 1, but you might want to use
slot 2.

> But I am looking for some guidance on how that configuration might work. 

I guess it's almost too easy...

- enable OTP in freeipa:
  ipa config-mod --user-auth-type='password' --user-auth-type='otp'

- enroll the yubikey:
  ipa otptoken-add-yubikey <user> --slot=<1 or 2>

  Beware that the slot will be overwritten and the secret programmed
  there will be lost.

- enable OTP for the user
  ipa user-mod <user> --user-auth-type='password' --user-auth-type='otp'

On your RADIUS server just use PAM-sss against FreeIPA.

My ocserv talks pam directly and asks for "First Factor" and "Second
Factor". If RADIUS only asks for "Password", just enter <password><OTP>.

That's it.


FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
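The reply above relies on the RADIUS side accepting `<password><OTP>` as one string and FreeIPA splitting it. The following is an added illustration, not code from this thread, from FreeIPA or from ocserv: `ipa otptoken-add-yubikey` programs the slot as an OATH-HOTP token (RFC 4226) whose secret lives in FreeIPA, so the script below implements HOTP with the RFC 4226 test key, splits a concatenated "password + OTP" string on the token's digit length, and verifies with a counter window that rejects replayed codes. The split rule, window size and plaintext password comparison are simplifications for the demonstration, not ipa-otpd's actual logic, and all sample values are constructed.

```python
"""HOTP verification of a concatenated password+OTP string (illustration)."""
import hashlib
import hmac
import struct

# Constructed sample: the RFC 4226 Appendix D test key, not a real token secret.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpToken:
    """Server-side state for one enrolled HOTP token (assumed model, not FreeIPA's)."""

    def __init__(self, secret: bytes, digits: int = 6, window: int = 10):
        self.secret = secret
        self.digits = digits
        self.counter = 0       # next counter value the server expects
        self.window = window   # how far ahead we resynchronise if the user skipped codes

    def verify(self, otp: str) -> bool:
        # Look ahead from the current counter; never look behind, so a code
        # that was already used (or an older one) is rejected as a replay.
        for candidate in range(self.counter, self.counter + self.window):
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected.encode(), otp.encode()):
                self.counter = candidate + 1
                return True
        return False


def split_and_verify(entered: str, password: str, token: HotpToken) -> bool:
    """Treat the trailing `digits` characters as the OTP, the rest as the first factor.

    This is the simple form of what a 'Password'-only RADIUS prompt forces the
    backend to do. The plaintext comparison is for illustration only; a real
    backend checks the first factor against its password store.
    """
    if len(entered) <= token.digits:
        return False
    first_factor, otp = entered[:-token.digits], entered[-token.digits:]
    if not otp.isdigit():
        return False
    if not hmac.compare_digest(first_factor.encode(), password.encode()):
        return False
    return token.verify(otp)


def demo() -> list:
    """Run the scenario end to end; returns the list of verification outcomes."""
    token = HotpToken(RFC4226_SECRET)
    password = "hunter2"  # constructed sample password
    attempts = [
        "hunter2" + hotp(RFC4226_SECRET, 0),  # first login: counter 0 -> accepted
        "hunter2" + hotp(RFC4226_SECRET, 0),  # same code again -> replay, rejected
        "hunter2" + hotp(RFC4226_SECRET, 2),  # user skipped counter 1 -> accepted via window
        "hunter2" + hotp(RFC4226_SECRET, 1),  # stale code behind the counter -> rejected
        "wrong" + hotp(RFC4226_SECRET, 3),    # bad first factor -> rejected, counter untouched
    ]
    return [split_and_verify(a, password, token) for a in attempts]


if __name__ == "__main__":
    for outcome in demo():
        print("accepted" if outcome else "rejected")
```

Running it shows the counter-based behaviour a practitioner should expect from a YubiKey enrolled this way: each code works once, a skipped press is tolerated within the look-ahead window, and an older code is refused even with the correct password.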
