Hi All,

I'm trying to set up a Cisco/Meraki VPN appliance to authenticate to FreeIPA using two-factor authentication (I have Google Authenticator and Yubikey set up and working in FreeIPA).
Meraki can do RADIUS to authenticate a user.
I've set up a FreeRADIUS server and set it up to use FreeIPA as the authentication source.
I tried the following as the back end in RADIUS:
LDAP: can authenticate both with password and password+OTP, but if I want to enforce OTP on VPN, I need to enforce OTP on all users, which is not what we want.
Kerberos: I've set up a 'vpn' principal and can enforce 2FA on it.
First I got 'ERROR: krb5 : Error verifying credentials (-1765328174): Generic preauthentication failure', so I set up 'Anonymous kerberos' (which is an adventure by itself), but it's still not working.

It might be possible to use RADIUS -> PAM, but I'm not sure how.

Any help appreciated,

Gabriel

P.S. Meraki Wireless (WPA2-Enterprise) and 802.1x port security work fine against the RADIUS server (no 2FA required).

--
Gabriel Faber
Senior Operations Engineer
SoundHound Inc.
408-441-3267
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
