On 14 Dec 2015, at 08:36, David Aldwinckle <daldwinckle@uwaterloo.ca> wrote:
Hi Arran,
Thanks for the explanation. I configured the NAS retry interval and that fixed my problem.
Yubikey tokens can be used with Duo. I'm not familiar with the old tokens, so I can't say if they're the same.
I looked at the yubikey module just now and I'm not confident that it could be configured to work with the Duo API.
No, probably not.
From the Duo API documentation, for requests that include a passcode, you need to use a POST method like this:
$ export IKEY= # your Auth API application's "Integration key" $ export SKEY= # your Auth API application's "Secret key" $ export HOST= # your Auth API application's "API hostname"
python -m duo_client.client --ikey $IKEY --skey $SKEY --host $HOST --path /auth/v2/auth --method POST username=$username factor=passcode passcode=$passcode
https://www.duosecurity.com/docs/authapi-guide#passcode
If the user doesn't have a token, they can use the smartphone app which sends an "Approve?/Deny?" message. In that case there is no passcode, so the process is more complex and involves querying for a users enrollment status and device info first.
https://www.duosecurity.com/docs/authapi-guide#secondary-(duo)-authenticatio...
Ah, OK, not Yubikey Duo. OTP vendors always managed to make this more complicated and frustrating than it needs to be *sigh*. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2