I've been attempting to integrate yubikeys with freeradius and have had great success with the included yubikey module authenticating against both stored aes keys and a private otp validation server. However I am now attempting to use them in conjunction with EAP-GTC and am slightly lost. Under the gtc section of the eap module config i see that a user password is returned from the connecting client and passed onto another module for authentication. Is it possible to then pass this to the yubikey module to extract the otp portion, authenticate the otp and then continue with PAP authentication using the users password? Is there another way i should be going about this?
Sorry I forgot to mention that my goal is to have the Yubikey-OTP attribute set in order to authenticate using both password & yubikey. If I set the gtc auth_type to PAP and only set "yubikey" under the Auth-Type PAP of my sites configuration it works however that only allows me to authenticate using the otp, not otp & password. Cheers, Pete On 1/10/2014 at 1:42 PM, cellkites@hushmail.com wrote:I've been attempting to integrate yubikeys with freeradius and have had great success with the included yubikey module authenticating against both stored aes keys and a private otp validation server. However I am now attempting to use them in conjunction with EAP-GTC and am slightly lost. Under the gtc section of the eap module config i see that a user password is returned from the connecting client and passed onto another module for authentication. Is it possible to then pass this to the yubikey module to extract the otp portion, authenticate the otp and then continue with PAP authentication using the users password? Is there another way i should be going about this?
cellkites@hushmail.com wrote:
Sorry I forgot to mention that my goal is to have the Yubikey-OTP attribute set in order to authenticate using both password & yubikey. If I set the gtc auth_type to PAP and only set "yubikey" under the Auth-Type PAP of my sites configuration it works however that only allows me to authenticate using the otp, not otp & password.
You can do something like this: authenticate { ... Auth-Type dual { // yubikey // pap checks // unlang // etc. } ... } Then sent the EAP-GTC "auth_type" to "dual". You'll have to figure out what to put in the "dual" section. But that shouldn't be too difficult. Alan DeKok.
The issue here is probably that you need to call yubikey.authorize to do the otp/password split, then call yubikey.
On 1 Oct 2014, at 10:19, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
The issue here is probably that you need to call yubikey.authorize to do the otp/password split, then call yubikey.
yubikey.authorize needs to be called after EAP-GTC has added the User-Password attribute, so it can split the string into Yubikey-OTP and User-Password. yubikey(.authenticate) will take care of validating Yubikey-OTP with the AES key, and PAP can be used to check the password. Usually User-Password is available in authorize {} which is why the logic to do the splitting is there. IIRC yubikey.authorize also splits out Yubikey-Public-ID, which you should really be using to lookup the AES key and not User-Name (else the user can only ever have one key). If the EAP sub-module is extracting the User-Password in authorize, you probably want something like: authorize { eap if (ok || updated) { yubikey <sql/ldap/files> (set control:Yubikey-Key and control:Cleartext-Password) } } authenticate { yubikey { yubikey pap } } -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS development team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
participants (3)
-
Alan DeKok -
Arran Cudbard-Bell -
cellkites@hushmail.com