Freeradius w/ FreeIPA and DUO 2FA

Alan DeKok aland at
Mon Jul 29 19:24:31 CEST 2019

On Jul 29, 2019, at 10:59 AM, Andrew Meyer via Freeradius-Users <freeradius-users at> wrote:
> My apologies.  Currently I have a FreeIPA setup which is running my LDAP database.  This also has a 2-way trust to my Active Directory setup so that my Windows users can log in to Linux servers.  Redhat has their own OTP/2FA/MFA built-in to FreeIPA but we want to use Duo to do MFA.

  OK.  What kind of multi-factor authentication?

  You're talking about high-level concepts, not technical details.  What goes into the packets / password / whatever?  What parts of that are used for what purpose?

>  I have asked on this mailing list and the FreeIPA ,ailing list and I have read that it is OR might be possible to use a 3rd party MFA service such as Duo instead of the built-in on e from Redhat.  However the only way to achieve this is through a RADIUS server.
> Some of the other articles that I have read along with answer to questions I have posed on the FreeRADIUS and FreeIPA mailing list say that in order to to use a 3rd party MFA/2FA service with FreeIPA I will need to setup Kerberos authentication to make this happen.

  Maybe.  But you're still being excessively vague about what you want to do.

  In most circumstances, two factor authentication is done via something like this:

* User-Password is sent as 6 digits of token, followed by the real password
* FreeRADIUS splits that into two pieces
* the token part is checked against the token server
  * if it fails the user is rejected
* otherwise, the password part is checked against the LDAP server.

  Do you have a similar description you can give?

  And no, we don't want more buzzwords of "2FA MFA using LDAP and Kerberos".
> I have configured freeRADIUS with your repo from to use LDAP and kerberos (not at the same time).
> What is the best way to configure with RADIUS to achieve my goal?

  Use words to describe the goal you want to achieve.

  Right now, you're just posting sentences that contain mish-mashes of technological verbiage.  There's no *goal* being described.

> Also, I have already generated a Kerberos Ticket/Token from FreeIPA and installed it on my radius server.  I have configured FreeRADIUS to look at that token upon starting the service.  My next question/issue is: Do I just change the Auth-Type in the /etc/raddb/users config to krb5?  I suspect there MIGHT be more I have to do.  

  Very likely, yes.  But since you're not describing what you want to do, it's impossible to give you any advice.  And, it's impossible to implement anything.

  This isn't difficult.  Write down what you want to happen, as I did above.  If you can't do that, then what you want is impossible.

  Alan DeKok.

More information about the Freeradius-Users mailing list