2FA - Active Directory ntlm_auth and yubikey
Steven Vacaroaia
stef97 at gmail.com
Wed Jul 28 15:09:58 CEST 2021
Hi,
I have been scouring the Internet for a few days now looking for information about setting up 2FA with AD (ntlm_auth) and Yubikey.
I found this, which was very useful, but it seems to rely on adding the yubikey to the AD account.
I was hoping to be able to do it without making changes to the AD accounts. Is this possible?
http://lists.freeradius.org/pipermail/freeradius-users/2021-February/099521.html
Basically, the workflow that I am looking for is:
1. configure Apache website with AddRadiusAuth pointing to radius server (DONE)
2. configure freeradius ntlm_auth (by leveraging samba/winbind) (DONE)
   I was able to connect to the website using my AD credentials
3. configure self-hosted yubico server to validate yubikeys (DONE, tested)
4. install and configure freeradius yubikey
   This I am not sure how to test
5. configure freeradius to authenticate via ntlm_auth and, if successful, via yubikey
   This is where I am stuck
Here are some details:
10.10.30.111 - Yubikey validation server
10.10.30.112 - where the Apache website is hosted
10.10.30.114 - FreeRADIUS Version 3.0.16
"..
ntlm_auth: Program executed successfully
(0) [ntlm_auth] = ok
(0) if (ok) {
(0) if (ok) -> TRUE
(0) if (ok) {
(0) update reply {
(0) EXPAND %{randstr:aaaaaaaaaaaaaaaa}
(0) --> t6cJ6I2cWiGii1aG
(0) State := 0x7436634a364932635769476969316147
(0) Reply-Message := "Please enter OTP"
(0) } # update reply = noop
(0) policy challenge {
(0) update control {
(0) &Response-Packet-Type = Access-Challenge
(0) } # update control = noop
(0) [handled] = handled
(0) } # policy challenge = handled
(0) } # if (ok) = handled
(0) } # Auth-Type ntlm_auth = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 105 from 10.10.30.114:1812 to 10.10.30.112:1026 length 0
(0) State := 0x7436634a364932635769476969316147
(0) Reply-Message := "Please enter OTP"
(0) Finished request
Waking up in 4.9 seconds.
.."
sites-enabled excerpt:
"...
    if (!control:Auth-Type) {
        update control {
            Auth-Type = "ntlm_auth"
        }
    }
}
authenticate {
    Auth-Type ntlm_auth {
        ntlm_auth
        if (ok) {
            update reply {
                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                Reply-Message := "Please enter OTP"
            }
            challenge
        }
    }
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    mschap
    digest
    ntlm_auth
    yubikey
    eap
..."
/mods-enabled/yubikey:
"...
yubikey {
    id_length = 12
    split = yes
    decrypt = no
    validate = yes
    validation {
        servers {
            uri = 'http://10.10.30.111/wsapi/2.0/verify?id=%d&otp=%s'
        }
        client_id = 1
        api_key = 'my_key'
        pool {
            start = ${thread[pool].start_servers}
            min = ${thread[pool].min_spare_servers}
            max = ${thread[pool].max_servers}
            uses = 0
            retry_delay = 30
            lifetime = 0
            idle_timeout = 60
            spread = yes
        }
    }
}
..."
Any guidance / help will be greatly appreciated.
Also, if there is a better scalable / enterprise-ready way to configure freeradius 2FA with AD and Yubikey, I'll be happy to look into it.
Many thanks
Steven
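The post says the self-hosted validation server and the freeradius yubikey module are the parts that are hard to test. The following script is an added example, not code from the post or from FreeRADIUS or Yubico: it reproduces offline what the yubikey module does with `split = yes` / `id_length = 12` (separate the 12-character modhex public ID from the 32-character OTP) and what a client of the YK-VAL 2.0 `wsapi/2.0/verify` API does with `api_key` (sign the request parameters with HMAC-SHA1 and check the HMAC on the server's reply, plus the otp/nonce echo that defends against a replayed or substituted reply). The token, the nonce, the API key (`DEMO_API_KEY`) and the sample server reply produced by `make_signed_response` are all constructed for the example; the base URL is the validation server address from the post. It does not contact any server, so it can be run anywhere to confirm that a key and a captured reply agree before wiring the module into FreeRADIUS.

```python
"""Offline helper for the YK-VAL 2.0 verify protocol used by the freeradius yubikey module.

Constructed example values only; nothing here talks to the network.
"""
import base64
import hashlib
import hmac
import secrets
import urllib.parse

# Yubico modhex alphabet (keyboard-layout independent hex encoding).
MODHEX = set("cbdefghijklnrtuv")

# Constructed demo values: 12-char public ID + 32-char OTP, and a random-looking API key.
DEMO_TOKEN = "vvbdefghijkl" + "cbdefghijklnrtuvcbdefghijklnrtuv"
DEMO_OTP = "cbdefghijklnrtuvcbdefghijklnrtuv"
DEMO_API_KEY = base64.b64encode(b"0123456789abcdef0123").decode()  # api_key is base64 in YK-VAL


def split_otp(token, id_length=12):
    """Mirror `split = yes`: prefix of id_length chars is the public ID, the last 32 chars are the OTP."""
    token = token.strip().lower()
    if len(token) != id_length + 32:
        raise ValueError(f"expected {id_length + 32} modhex characters, got {len(token)}")
    if not set(token) <= MODHEX:
        raise ValueError("token contains non-modhex characters")
    return token[:id_length], token[id_length:]


def sign(params, api_key_b64):
    """YK-VAL signature: base64(HMAC-SHA1(key, 'k1=v1&k2=v2...' with keys sorted, 'h' excluded))."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_verify_url(base, client_id, otp, api_key_b64, nonce=None):
    """Build the signed GET the yubikey module sends; returns (url, nonce) so the reply can be matched."""
    nonce = nonce or secrets.token_hex(16)  # 32 alphanumeric chars, within the 16-40 the protocol allows
    params = {"id": str(client_id), "otp": otp, "nonce": nonce}
    params["h"] = sign(params, api_key_b64)
    return base + "?" + urllib.parse.urlencode(params), nonce


def parse_response(body):
    """Server replies are key=value lines (CRLF separated)."""
    fields = {}
    for line in body.strip().splitlines():
        line = line.strip()
        if line:
            key, _, value = line.partition("=")
            fields[key] = value
    return fields


def check_response(body, api_key_b64, expected_otp, expected_nonce):
    """Return (accepted, reason). Accept only a correctly signed reply that echoes our otp and nonce with status OK."""
    fields = parse_response(body)
    if "h" not in fields:
        return False, "unsigned response"
    if not hmac.compare_digest(fields["h"], sign(fields, api_key_b64)):
        return False, "bad response signature"
    if fields.get("otp") != expected_otp:
        return False, "otp mismatch (replayed response?)"
    if fields.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    status = fields.get("status", "MISSING_STATUS")
    return status == "OK", status


def make_signed_response(fields, api_key_b64):
    """Constructed stand-in for a YK-VAL server reply, signed the way the server signs it."""
    signed = dict(fields)
    signed["h"] = sign(signed, api_key_b64)
    return "".join(f"{k}={v}\r\n" for k, v in signed.items())


if __name__ == "__main__":
    public_id, otp = split_otp(DEMO_TOKEN)
    url, nonce = build_verify_url("http://10.10.30.111/wsapi/2.0/verify", 1, otp, DEMO_API_KEY)
    print("public id:", public_id)
    print("request:  ", url)
    reply = make_signed_response({"otp": otp, "nonce": nonce, "status": "OK", "sl": "100"}, DEMO_API_KEY)
    print("reply ok: ", check_response(reply, DEMO_API_KEY, otp, nonce))
```

Paste a real reply from the validation server (the `key=value` lines returned for a URL printed by `build_verify_url`) into `check_response` with the same `api_key` configured in mods-enabled/yubikey: a "bad response signature" result means the key in the module and the key registered for `client_id` on the server do not match, which is one of the failure modes that is otherwise only visible as a module reject.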