Comments on Active Directory IdP and YubiKey OTP integration that supports MS-CHAP v2
David Herselman
dhe at syrex.co
Tue Feb 23 18:37:03 CET 2021
Hi,
Just a small update with regards to getting the desired behaviour. One cannot perform regex operations on IP attributes in the users file. The following will subsequently *not* work:
DEFAULT Yubikey-OTP !* "", Packet-Src-IP-Address =~ "^196\.10\.10", Auth-Type := Reject
        Reply-Message = "Access Denied - 2FA required"
Herewith the same thing in unlang, place it just after the '!control:Auth-Type && User-Password' check in the 'authorize {' section:
if (!&Yubikey-OTP) {
        if (&Packet-Src-IP-Address =~ /^196\.10\.10/) {
                update reply {
                        Reply-Message := "Access Denied - 2FA required"
                }
                reject
        }
}
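As an added illustration (not part of David's post and not FreeRADIUS code), the following Python models the decision the unlang snippet above makes and contrasts the post's regex with a CIDR membership test: a prefix regex such as `^196\.10\.10` also matches 196.10.100.0 through 196.10.109.255, so a network check states the intended range more precisely. The 196.10.10.0/24 network, the sample addresses and the dictionary-shaped request are assumptions made for the example.

```python
import ipaddress
import re
from typing import Optional, Tuple

# Assumption: the post's regex is read as meaning this /24. Adjust to the
# real range of the network that is exempt from the OTP requirement.
TRUSTED_PREFIX = ipaddress.ip_network("196.10.10.0/24")

# The regex from the post, applied to the textual form of the source IP.
REGEX_FROM_POST = re.compile(r"^196\.10\.10")

REJECT_MESSAGE = "Access Denied - 2FA required"


def regex_matches(src_ip: str) -> bool:
    """The post's check: a string-prefix match on the source address."""
    return bool(REGEX_FROM_POST.match(src_ip))


def prefix_matches(src_ip: str, prefix: ipaddress.IPv4Network = TRUSTED_PREFIX) -> bool:
    """CIDR membership test: only addresses inside the prefix match."""
    return ipaddress.ip_address(src_ip) in prefix


def authorize(request: dict) -> Tuple[str, Optional[str]]:
    """Mirror the unlang policy: a request from the matched network that
    carries no Yubikey-OTP attribute is rejected with a Reply-Message;
    anything else falls through to the rest of the authorize section.

    `request` is a constructed stand-in for the RADIUS request list,
    keyed by attribute name.
    """
    has_otp = "Yubikey-OTP" in request        # existence test, like !&Yubikey-OTP
    src_ip = request["Packet-Src-IP-Address"]
    if not has_otp and prefix_matches(src_ip):
        return ("reject", REJECT_MESSAGE)
    return ("continue", None)


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        {"Packet-Src-IP-Address": "196.10.10.5"},                          # no OTP, inside /24
        {"Packet-Src-IP-Address": "196.10.10.5", "Yubikey-OTP": "cccc"},   # OTP present
        {"Packet-Src-IP-Address": "196.10.100.7"},                         # regex hit, outside /24
    ]
    for req in samples:
        print(req["Packet-Src-IP-Address"], authorize(req),
              "regex:", regex_matches(req["Packet-Src-IP-Address"]))
```

The third sample is the one worth looking at: the regex treats 196.10.100.7 as part of the exempt network, while the CIDR test does not, so a policy built on the regex applies the 2FA requirement to more addresses than the operator probably intended.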
Regards
David Herselman
More information about the Freeradius-Users mailing list