2FA - Active Directory ntlm_auth and yubikey

David Herselman dhe at syrex.co
Wed Jul 28 16:53:59 CEST 2021


The how-to guide you provided the link to should be a complete start-to-finish guide on being able to do CHAP and MS-CHAPv2 authentication against AD without having to modify the user details. You however cannot cut the password string apart, as MS-CHAPv2 sends a hash of the hash, so we replace the username with the YubiKey OTP and essentially rely on FreeRADIUS unlang having an index whereby it replaces the username, which then contains the YubiKey OTP, with the associated user's username.

I.e.: the first 12 characters of a YubiKey OTP uniquely identify that specific YubiKey. Simply duplicate the following reference example lines, where you can then associate the identity of each YubiKey with AD usernames:
                case cccccct00001 {update request {sAMAccountName = "davidh"}}
                case cccccct00002 {update request {sAMAccountName = "philipo"}}

The example you reference details how to achieve YubiKey MFA authentication via RADIUS, whereby the example demonstrates referencing access control based on AD security group membership and provides support for platforms that do RADIUS PAP (whereby you can submit the username as the username and then have the password consist of the actual password + YubiKey OTP) or RADIUS MS-CHAP (whereby the username is the YubiKey OTP and the password is the password only).

David Herselman
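The approach described above, written out as an added example in FreeRADIUS 3.0 unlang (this is not the linked how-to's code nor the configuration from the quoted question). It assumes: mods-enabled/yubikey has validate = yes, split = yes and id_length = 12 as in the question; mods-enabled/mschap uses the stock ntlm_auth command line, whose --username is %{%{Stripped-User-Name}:-%{%{User-Name}:-None}}, so the MS-CHAPv2 challenge hash is still computed over the OTP string the client actually sent as its username while AD is asked about the mapped account; the yubikey module honours &Yubikey-OTP in authenticate (which is what split produces anyway). The standard Stripped-User-Name attribute stands in for the sAMAccountName name used in the case lines above, and the public IDs cccccct00001/cccccct00002 and account names are placeholders in the style of those lines.

```unlang
# Added example, not from the how-to or the poster's site config:
# single-shot YubiKey + AD 2FA for a virtual server in sites-enabled.
# Assumes mods-enabled/yubikey: validate = yes, split = yes, id_length = 12
# and mods-enabled/mschap with the stock ntlm_auth line, whose --username is
# %{%{Stripped-User-Name}:-%{%{User-Name}:-None}}.
authorize {
        # PAP: User-Password is "<AD password><44-char OTP>". rlm_yubikey with
        # split = yes moves the OTP into &Yubikey-OTP and leaves only the AD
        # password in &User-Password. Auth-Type is forced afterwards so the AD
        # check, not rlm_yubikey on its own, is what runs in authenticate.
        if (&User-Password) {
                yubikey
                if (&Yubikey-OTP) {
                        update control {
                                &Auth-Type := ntlm_auth
                        }
                }
        }

        # MS-CHAPv2: no cleartext password, so the client sends the OTP as its
        # username (modhex alphabet, 12-char public ID + 32-char token).
        # User-Name is deliberately left untouched: the client computed the
        # MS-CHAPv2 challenge hash over that exact string.
        if (&MS-CHAP2-Response && (&User-Name =~ /^[cbdefghijklnrtuv]{44}$/)) {
                update request {
                        &Yubikey-OTP := &User-Name
                }
                update control {
                        &Auth-Type := MS-CHAP
                }
        }

        # This server is 2FA-only: a request without an OTP is refused.
        if (!&Yubikey-OTP) {
                reject
        }

        # Bind each YubiKey to an AD account through its 12-char public ID
        # (the first 12 characters of every OTP it emits). IDs and names are
        # placeholders; Stripped-User-Name is what the ntlm_auth command line
        # hands to AD as the account name.
        if (&Yubikey-OTP =~ /^([cbdefghijklnrtuv]{12})/) {
                switch "%{1}" {
                        case "cccccct00001" {
                                update request {
                                        &Stripped-User-Name := "davidh"
                                }
                        }
                        case "cccccct00002" {
                                update request {
                                        &Stripped-User-Name := "philipo"
                                }
                        }
                        case {
                                # Unknown key: a valid OTP from a YubiKey that
                                # is not enrolled here is not a second factor.
                                reject
                        }
                }
        }

        # PAP clients also send a username: it must be the account the key is
        # enrolled for, otherwise any enrolled key would satisfy the second
        # factor for any user. Assumes the bare sAMAccountName is sent (no
        # DOMAIN\ prefix or @realm suffix); strip those first if clients add them.
        if (&User-Password && (&Stripped-User-Name != "%{tolower:%{User-Name}}")) {
                reject
        }
}

authenticate {
        # First factor, then second factor. A reject or fail from the first
        # module ends the group, so the OTP is only sent to the validation
        # server (and thereby consumed) after the AD password check passed.
        Auth-Type ntlm_auth {
                ntlm_auth
                yubikey
        }
        Auth-Type MS-CHAP {
                mschap
                yubikey
        }
}
```

The default `case {}` and the username check for PAP are the two places where the binding between key and account is enforced; without them the validation server only proves that some enrolled YubiKey was pressed, not that it was this user's.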

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+dhe=syrex.co at lists.freeradius.org> On Behalf Of Steven Vacaroaia
Sent: Wednesday, 28 July 2021 3:10 PM
To: freeradius-users at lists.freeradius.org
Subject: 2FA - Active Directory ntlm_auth and yubikey


I have been scouring the Internet for a few days now looking for information about setting up 2FA with AD (ntlm_auth) and Yubikey.

I found this, which was very useful, but it seems to rely on adding the yubikey to the AD account.
I was hoping to be able to do it without making changes to the AD accounts. Is this possible?


Basically, the workflow that I am looking for is

     1. configure Apache website with AddRadiusAuth pointing to radius server (DONE)
     2. configure freeradius ntlm_auth (by leveraging samba/winbind)
        I was able to connect to the website using my AD credentials
     3. configure self-hosted yubico server to validate yubikeys (DONE)
     4. install and configure freeradius yubikey
        This I am not sure how to test
     5. configure freeradius to authenticate via ntlm_auth and, if successful, via yubikey
        This is where I am stuck

Here are some details - Yubikey validation server -  where Apache website is hosted -  FreeRADIUS Version 3.0.16

ntlm_auth: Program executed successfully
(0)     [ntlm_auth] = ok
(0)     if (ok) {
(0)     if (ok)  -> TRUE
(0)     if (ok)  {
(0)       update reply {
(0)         EXPAND %{randstr:aaaaaaaaaaaaaaaa}
(0)            --> t6cJ6I2cWiGii1aG
(0)         State := 0x7436634a364932635769476969316147
(0)         Reply-Message := "Please enter OTP"
(0)       } # update reply = noop
(0)       policy challenge {
(0)         update control {
(0)           &Response-Packet-Type = Access-Challenge
(0)         } # update control = noop
(0)         [handled] = handled
(0)       } # policy challenge = handled
(0)     } # if (ok)  = handled
(0)   } # Auth-Type ntlm_auth = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 105 from to length 0
(0)   State := 0x7436634a364932635769476969316147
(0)   Reply-Message := "Please enter OTP"
(0) Finished request
Waking up in 4.9 seconds.

sites-enabled excerpt

if (!control:Auth-Type) {
        update control {
                Auth-Type = "ntlm_auth"
        }
}
authenticate {
        Auth-Type ntlm_auth {
                ntlm_auth
                if (ok) {
                        update reply {
                                State := "%{randstr:aaaaaaaaaaaaaaaa}"
                                Reply-Message := "Please enter OTP"
                        }
                        challenge
                }
        }
        Auth-Type PAP {
                pap
        }
        Auth-Type CHAP {
                chap
        }
        Auth-Type MS-CHAP {
                mschap
        }
}

yubikey {
        id_length = 12
        split = yes
        decrypt = no
        validate = yes
        validation {
                servers {
                        uri = ''
                }
                client_id = 1
                api_key = 'my_key'
                pool {
                        start = ${thread[pool].start_servers}
                        min = ${thread[pool].min_spare_servers}
                        max = ${thread[pool].max_servers}
                        uses = 0
                        retry_delay = 30
                        lifetime = 0
                        idle_timeout = 60
                        spread = yes
                }
        }
}

Any guidance / help will be greatly appreciated. Also, if there is a better scalable / enterprise-ready way to configure freeradius 2FA with AD and Yubikey, I'll be happy to look into it.

Many thanks
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
