On 1 Oct 2014, at 10:19, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
The issue here is probably that you need to call yubikey.authorize to do the otp/password split, then call yubikey.
yubikey.authorize needs to be called after EAP-GTC has added the User-Password attribute, so it can split the string into Yubikey-OTP and User-Password. yubikey(.authenticate) will take care of validating Yubikey-OTP with the AES key, and PAP can be used to check the password. Usually User-Password is available in authorize {} which is why the logic to do the splitting is there. IIRC yubikey.authorize also splits out Yubikey-Public-ID, which you should really be using to lookup the AES key and not User-Name (else the user can only ever have one key). If the EAP sub-module is extracting the User-Password in authorize, you probably want something like: authorize { eap if (ok || updated) { yubikey <sql/ldap/files> (set control:Yubikey-Key and control:Cleartext-Password) } } authenticate { yubikey { yubikey pap } } -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2