Freeradius w/ FreeIPA and DUO 2FA

Andrew Meyer andrewm659 at
Mon Jul 29 16:59:08 CEST 2019

My apologies.  Currently I have a FreeIPA setup which is running my LDAP database.  This also has a 2-way trust to my Active Directory setup so that my Windows users can log in to Linux servers.  Red Hat has their own OTP/2FA/MFA built in to FreeIPA but we want to use Duo to do MFA.  I have asked on this mailing list and the FreeIPA mailing list and I have read that it is OR might be possible to use a 3rd party MFA service such as Duo instead of the built-in one from Red Hat.  However the only way to achieve this is through a RADIUS server.
Some of the other articles that I have read, along with answers to questions I have posed on the FreeRADIUS and FreeIPA mailing lists, say that in order to use a 3rd party MFA/2FA service with FreeIPA I will need to set up Kerberos authentication to make this happen.
I have configured FreeRADIUS with your repo from to use LDAP and Kerberos (not at the same time).
What is the best way to configure with RADIUS to achieve my goal?
Also, I have already generated a Kerberos Ticket/Token from FreeIPA and installed it on my radius server.  I have configured FreeRADIUS to look at that token upon starting the service.  My next question/issue is: Do I just change the Auth-Type in the /etc/raddb/users config to krb5?  I suspect there MIGHT be more I have to do.  
Looking for further guidance and hope this helps.
Thanks again,
Andrew
    On Friday, July 26, 2019, 06:22:13 PM CDT, Alan DeKok <aland at> wrote:  
 On Jul 26, 2019, at 4:41 PM, Andrew Meyer via Freeradius-Users <freeradius-users at> wrote:
> Apologizing for starting a new thread; I had messages turned off for a while.  But this continues from the previous emails I sent.  I have successfully gotten FreeRADIUS to work with LDAP and am working on the Kerberos portion.  Will these need to be configured together?  When I go to configure the users would I change the Auth-Type := to krb5 instead of LDAP?

  It depends on what you want to do.

  Again, give *clear explanations* as to what you have, and what you want.

  "configure the users" to do WHAT?  We can't read your mind.  You have to write things down in messages for us to understand them.

  Alan DeKok.

