Freeradius w/ FreeIPA and DUO 2FA

Andrew Meyer andrewm659 at yahoo.com
Fri Aug 2 17:13:13 CEST 2019


Hello,

What I want to do is bypass the 2FA solution built into FreeIPA/IPA and use DUO instead when users SSH into servers.
The goal is to use FreeIPA with DUO but since FreeIPA has its own 2FA/OTP built-in I need to put a RADIUS server in to use a 3rd party 2FA.
Hope this helps in assisting me with my configuration issues.
Thank you again,
Andrew

    On Monday, July 29, 2019, 12:24:52 PM CDT, Alan DeKok <aland at deployingradius.com> wrote:

 On Jul 29, 2019, at 10:59 AM, Andrew Meyer via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> My apologies.  Currently I have a FreeIPA setup which is running my LDAP database.  This also has a 2-way trust to my Active Directory setup so that my Windows users can log in to Linux servers.  Redhat has their own OTP/2FA/MFA built-in to FreeIPA but we want to use Duo to do MFA.

  OK.  What kind of multi-factor authentication?

  You're talking about high-level concepts, not technical details.  What goes into the packets / password / whatever?  What parts of that are used for what purpose?

>  I have asked on this mailing list and the FreeIPA mailing list and I have read that it is OR might be possible to use a 3rd party MFA service such as Duo instead of the built-in one from Redhat.  However the only way to achieve this is through a RADIUS server.
> Some of the other articles that I have read, along with answers to questions I have posed on the FreeRADIUS and FreeIPA mailing lists, say that in order to use a 3rd party MFA/2FA service with FreeIPA I will need to set up Kerberos authentication to make this happen.

  Maybe.  But you're still being excessively vague about what you want to do.

  In most circumstances, two factor authentication is done via something like this:

* User-Password is sent as 6 digits of token, followed by the real password
* FreeRADIUS splits that into two pieces
* the token part is checked against the token server
  * if it fails the user is rejected
* otherwise, the password part is checked against the LDAP server.

  Do you have a similar description you can give?

  And no, we don't want more buzzwords of "2FA MFA using LDAP and Kerberos".
 
> I have configured freeRADIUS with your repo from networkradius.com to use LDAP and kerberos (not at the same time).
> What is the best way to configure with RADIUS to achieve my goal?

  Use words to describe the goal you want to achieve.

  Right now, you're just posting sentences that contain mish-mashes of technological verbiage.  There's no *goal* being described.

> Also, I have already generated a Kerberos Ticket/Token from FreeIPA and installed it on my radius server.  I have configured FreeRADIUS to look at that token upon starting the service.  My next question/issue is: Do I just change the Auth-Type in the /etc/raddb/users config to krb5?  I suspect there MIGHT be more I have to do.  

  Very likely, yes.  But since you're not describing what you want to do, it's impossible to give you any advice.  And, it's impossible to implement anything.

  This isn't difficult.  Write down what you want to happen, as I did above.  If you can't do that, then what you want is impossible.

  Alan DeKok.
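
The flow Alan describes above (a six-digit token prefixed to the real password, the value split in two, the token checked first and the user rejected on failure, then the password checked), as an added Python model that is not part of this thread. The RFC 6238 TOTP check and the in-memory password table are constructed stand-ins for the token server and the LDAP bind, since the thread does not say how Duo is queried; the user, secret and password are made-up sample data.

```python
import hashlib
import hmac
import re
import struct
import time

# Constructed sample data: the per-user TOTP secret stands in for what the
# token server holds, the password table for what an LDAP bind would check.
TOTP_SECRETS = {"alice": b"12345678901234567890"}   # RFC 6238 test secret
LDAP_PASSWORDS = {"alice": "correct horse"}

# Exactly six leading digits are the token; everything after is the password.
CRED_RE = re.compile(r"^([0-9]{6})(.+)$", re.DOTALL)


def split_credential(user_password):
    """Return (token, password) or None if User-Password cannot be split."""
    m = CRED_RE.match(user_password)
    return (m.group(1), m.group(2)) if m else None


def totp(secret, counter, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for one 30-second time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_token(user, token, now, window=1):
    """Token-server stand-in: accept the current step +/- `window` for drift."""
    secret = TOTP_SECRETS.get(user)
    if secret is None:
        return False
    step = int(now) // 30
    candidates = [totp(secret, step + d) for d in range(-window, window + 1)]
    return any(hmac.compare_digest(token.encode(), c.encode()) for c in candidates)


def check_password(user, password):
    """LDAP-bind stand-in: constant-time compare against the stored password."""
    expected = LDAP_PASSWORDS.get(user)
    return expected is not None and hmac.compare_digest(password.encode(), expected.encode())


def authenticate(user, user_password, now=None):
    """Token first, then password: a bad token never reaches the LDAP check."""
    now = time.time() if now is None else now
    parts = split_credential(user_password)
    if parts is None:
        return "reject: malformed"
    token, password = parts
    if not check_token(user, token, now):
        return "reject: token"
    if not check_password(user, password):
        return "reject: password"
    return "accept"
```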

