Hi All,

I'm trying to set up a Cisco/Meraki VPN appliance to authenticate to FreeIPA using two factor authentication (I have Google Authenticator and Yubikey set up and working in FreeIPA)
Meraki can do Radius to authenticate a user
I've set up a FreeRadius server and set it up to use FreeIPA as the authentication source
I tried the following as the back end in Radius:
LDAP: can authenticate both with password and password+OTP, but if I want to enforce OTP on VPN, I need to enforce OTP on all users, which is not what we want
Kerberos: I've set up a 'vpn' principle and can enforce 2FA on it
First I got 'ERROR: krb5 : Error verifying credentials (-1765328174): Generic preauthentication failure', so I set up 'Anonymous kerberos' (which is an adventure by itself), but it's still not working

It might be possible to use Radius -> PAM, but I'm not sure how

Any help appreciated,


P.s. Meraki Wireless (WPA2-Enterprise) and 802.1x port security work fine against the Radius server (No 2FA required)

Gabriel Faber
Senior Operations Engineer
SoundHound Inc.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to