Comments on Active Directory IdP and YubiKey OTP integration that supports MS-CHAP v2

David Herselman dhe at
Tue Feb 23 18:37:03 CET 2021


Just a small update with regards to getting the desired behaviour. One can not perform regex operations on IP attributes in the users file. The following will subsequently *not* work:
  DEFAULT Yubikey-OTP !* "", Packet-Src-IP-Address =~ "^196\.10\.10", Auth-Type := Reject
          Reply-Message = "Access Denied - 2FA required"

Herewith the same thing in unlang, place it just after the '!control:Auth-Type && User-Password' check in the 'authorize {' section:

  if (!&Yubikey-OTP) {
          if (&Packet-Src-IP-Address =~ /^196\.10\.10/) {
                  update reply {Reply-Message := "Access Denied - 2FA required"}

David Herselman 

More information about the Freeradius-Users mailing list