Freeradius and 2 Factor Authentication

Cornelius Kölbel cornelius.koelbel at
Mon Jun 13 13:18:07 CEST 2016

On Monday, 13.06.2016, at 11:46 +0100, Phil Mayers wrote:
> On 12/06/2016 19:30, Cornelius Kölbel wrote:
> >> We've looked at this in detail, and there are about 250 people in our
> >> organisation of 30k+ that could justify a hard token.
> >
> > So you should choose a solution, where you can combine soft tokens, text
> > messages, OTPs via email *argh* and hardware tokens, just as you wish.
> > This would make the best sense for your scenario.
> Ideally yes. So I'm very supportive of the idea of a standard set of 
> protocols that can integrate all of the above.
> In reality, cost and vendor support for our most exposed apps (Office 
> 365, web-based SAML/Shibboleth auth) will matter hugely.

Oops, we left the RADIUS track. ;-)
Are you bound to a certain IdP like ADFS? Have you implemented
Shibboleth? E.g. SimpleSAMLphp has a bunch of plugins that authenticate
against a 2FA backend. I think they have a native YubiKey plugin. But there is
also a privacyIDEA plugin. You can manage all kinds of tokens in
privacyIDEA (Disclaimer: I am developing this 2FA auth backend, which
supports hardware HOTP/TOTP, smartphones, YubiKey, SMS, email...).
Usually you will only have to get support/SLA for such a setup.
Of course there are a lot of plugins/connectors for ADFS, too. Which might
result in more license costs.

Here is a video, where you can even use U2F tokens (under certain

Cornelius Kölbel
cornelius.koelbel at
+49 151 2960 1417

NetKnights GmbH
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

District Court (Amtsgericht) Kassel, HRB 16405
Managing Director: Cornelius Kölbel


More information about the Freeradius-Users mailing list