EAP-GTC & Yubikey

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Oct 1 16:50:04 CEST 2014


On 1 Oct 2014, at 10:19, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:

> The issue here is probably that you need to call yubikey.authorize to do the otp/password split, then call yubikey.

yubikey.authorize needs to be called after EAP-GTC has added the User-Password attribute, so it can split the
string into Yubikey-OTP and User-Password.

yubikey(.authenticate) will take care of validating Yubikey-OTP with the AES key, and PAP can be used to check
the password.

Usually User-Password is available in authorize {} which is why the logic to do the splitting is there. IIRC 
yubikey.authorize also splits out Yubikey-Public-ID, which you should really be using to look up the AES key and
not User-Name (else the user can only ever have one key).

If the EAP sub-module is extracting the User-Password in authorize, you probably want something like:

authorize {
	eap
	if (ok || updated) {
		# EAP-GTC has now set User-Password; split it into Yubikey-OTP / User-Password
		yubikey
		<sql/ldap/files> (set control:Yubikey-Key and control:Cleartext-Password)
	}
}

authenticate {
	yubikey {
		yubikey
		pap
	}
}

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
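To make the split-then-lookup sequence from the message concrete, here is an added example (not rlm_yubikey's own code). It assumes the OTP is the trailing id_length + 32 modhex characters of User-Password, that the public ID is the first id_length characters (12 as in the rlm_yubikey default), and uses a constructed key store keyed by public ID so a user can hold several keys; the owner check on lookup is an assumption added for illustration.

```python
# Added example, not FreeRADIUS's rlm_yubikey code.
# Assumptions: User-Password = <password><public_id><32 modhex chars>, and the
# public ID is the first id_length characters of the OTP (12 by default).

MODHEX_ALPHABET = frozenset("cbdefghijklnrtuv")
OTP_BODY_LEN = 32  # encrypted part of a Yubico OTP is always 32 modhex chars


def split_user_password(user_password: str, id_length: int = 12):
    """Return (password, public_id, otp), or None if no OTP is present."""
    otp_len = id_length + OTP_BODY_LEN
    if len(user_password) < otp_len:
        return None
    otp = user_password[-otp_len:]
    if any(ch not in MODHEX_ALPHABET for ch in otp):
        return None  # trailing characters are not modhex, so nothing to split
    password = user_password[:-otp_len]
    return password, otp[:id_length], otp


# Constructed key store keyed by Yubikey-Public-ID, not User-Name, so one user
# may register several keys. Values are (owner, aes_key_hex); keys are dummies.
KEY_STORE = {
    "ccccccbcgujh": ("alice", "00" * 16),
    "cccccccdvhkt": ("alice", "11" * 16),
    "ccccccdlgnfh": ("bob", "22" * 16),
}


def lookup_key(user_name: str, public_id: str):
    """Return the AES key for public_id only if that key belongs to user_name."""
    entry = KEY_STORE.get(public_id)
    if entry is None:
        return None
    owner, aes_key = entry
    if owner != user_name:  # a valid OTP from someone else's key must not pass
        return None
    return aes_key


def authorize(user_name: str, user_password: str):
    """Mimic the authorize {} step: split, then resolve the per-key secret."""
    parts = split_user_password(user_password)
    if parts is None:
        return None
    password, public_id, otp = parts
    aes_key = lookup_key(user_name, public_id)
    if aes_key is None:
        return None
    return {"User-Password": password, "Yubikey-OTP": otp,
            "Yubikey-Public-ID": public_id, "Yubikey-Key": aes_key}
```

The returned dict corresponds to what the real module would leave for yubikey.authenticate (OTP plus AES key) and pap (the remaining password) to check.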
