Hello,

Dagan McGregor via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:

> I have been asked to configure FreeIPA 4.4 servers to handle VPN

What kind of VPN do you use? What client do you use?

> authentication using a FreeRADIUS server, with 2FA being generated by
> a Yubikey given to each user.

Is the Yubikey enrolled in FreeIPA? Or do you use Yubico's cloud servers, or something else?

> The existing radius server configuration uses PAM sssd and yubico
> modules with a static file for the Yubikeys, and works with the token
> appended to the password. The sssd functions as a user lookup to
> FreeIPA.

> Is there a recommended method, like using the radius ldap module, to
> query username, password, and Yubikey values?

I do have my Yubikey enrolled in Privacyidea. In FreeIPA I authenticate my user with RADIUS, which in turn asks Privacyidea. Privacyidea uses LDAP from FreeIPA as my userstore (and can authenticate against it with the password only). pam_sss turns to FreeIPA for authentication and asks me for "First Factor" (aka password) and "Second Factor" (aka OTP).

> Does anyone have a working implementation of something similar?

Whether that works for your VPN needs to be checked. If you get only one prompt, try password+OTP.

Jochen

-- 
This space is intentionally left blank.
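The "token appended to the password" scheme from the thread, as an added example that is not part of the original message or of any project's code: it splits a single-prompt credential into password and Yubikey OTP and checks the OTP's public ID against a static per-user mapping. It assumes the standard 44-character Yubico OTP (12-character public ID first, modhex alphabet) and a `user:id[:id...]` mapping file; all function names and sample values are hypothetical, and it does not validate the OTP itself, which stays the job of the validation backend.

```python
MODHEX = set("cbdefghijklnrtuv")  # Yubico modhex alphabet
OTP_LEN = 44                      # 12-char public ID + 32-char encrypted part
ID_LEN = 12

# Constructed sample of a static Yubikey mapping file (user:public_id[:public_id...])
SAMPLE_AUTHFILE = """\
# constructed sample data
alice:ccccccbcdefg
bob:ccccccghijkl:ccccccnrtuvc
"""

def parse_authfile(text):
    """Return {username: set of well-formed 12-char public IDs}."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        mapping[user] = {i for i in ids if len(i) == ID_LEN and set(i) <= MODHEX}
    return mapping

def split_credential(credential):
    """Split 'password+OTP' into (password, otp); otp is None if none is appended."""
    # A first factor must precede the OTP, so a bare 44-char string is not split.
    if len(credential) <= OTP_LEN:
        return credential, None
    password, otp = credential[:-OTP_LEN], credential[-OTP_LEN:]
    if not set(otp) <= MODHEX:
        return credential, None
    return password, otp

def token_belongs_to(user, credential, mapping):
    """True only if an OTP is present and its public ID is registered to this user."""
    _password, otp = split_credential(credential)
    if otp is None:
        return False
    return otp[:ID_LEN] in mapping.get(user, set())
```

The password half still has to be checked against the directory and the OTP against its validation service; this only shows the split and the token-to-user binding.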