I just set up a FreeRADIUS server and would like to be able to authenticate using both the password of an LDAP user and the Yubico OTP generated from their YubiKey.
It is working using the LDAP password out of the box without any configuration, but I can't figure out the configuration needed for adding the validation of the Yubico OTP...
I have installed the module freeradius-yubikey and configured the module as follows:
    yubikey {
        id_length = 12
        split = yes
        decrypt = no
        validate = yes
        validation {
            servers {
                uri = 'http://IP_of_validation_server/wsapi/2.0/verify?id=%d&otp=%s'
            }
            client_id = 1
            api_key = 'my_api_key'
            pool {
                start = ${thread[pool].start_servers}
                min = ${thread[pool].min_spare_servers}
                max = ${thread[pool].max_servers}
                uses = 0
                retry_delay = 30
                lifetime = 0
                idle_timeout = 60
                spread = yes
            }
        }
    }
I added an attribute in my LDAP server for each user, yubiKeyId, containing their YubiKey ID. In the end, I would like to have the following authentication process:
1) Request from a client specifying the user and the ldappassword concatenated with the Yubico OTP
2) The RADIUS server looks up the user who wants to authenticate
3) The server splits the password received into ldappassword and the Yubico OTP
4) The server validates:
- The ldappassword received against the userPassword from the LDAP server
- The Yubico OTP, only if the user possesses the YubiKey
- A user possesses the YubiKey associated with the Yubico OTP if the first part of the Yubico OTP and the yubiKeyId attribute from the LDAP server are equal
5) Server sends response
However, to do so, I can't figure out how to split the password sent, validate the first part with LDAP and the second part with yubikey, and query an attribute from the LDAP server for further checking.
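The decision logic described in steps 1-5, as an added Python example that is not part of the original post or of FreeRADIUS. It models what rlm_yubikey does with split = yes (the trailing id_length + 32 modhex characters are taken as the OTP) and then applies the asker's ownership rule: the OTP's public ID must equal the user's yubiKeyId before the OTP is sent to the validation server. The DIRECTORY dictionary is a constructed stand-in for the LDAP server, the OTP and passwords are constructed values, and validate_otp is an injected callback standing in for the call to the validation server, so the block runs offline.

```python
import hmac

MODHEX_ALPHABET = frozenset("cbdefghijklnrtuv")  # Yubico modhex alphabet
OTP_TOKEN_LEN = 32    # the encrypted part of a Yubico OTP is always 32 modhex chars
PUBLIC_ID_LEN = 12    # corresponds to id_length in the rlm_yubikey config

# Constructed stand-in for the LDAP directory: uid -> (userPassword, yubiKeyId).
# bob has no yubiKeyId attribute, i.e. he owns no YubiKey.
DIRECTORY = {
    "alice": ("s3cret-ldap-pw", "cccccccbcjdi"),
    "bob": ("another-pw", None),
}


def split_password(submitted, id_length=PUBLIC_ID_LEN):
    """Split 'ldappassword + OTP' into (ldappassword, otp).

    Like rlm_yubikey with split = yes, the split is positional: the trailing
    id_length + 32 characters are taken as the OTP. Returns (submitted, None)
    when no well-formed modhex OTP trails the password.
    """
    otp_len = id_length + OTP_TOKEN_LEN
    if len(submitted) <= otp_len:
        return submitted, None
    password, otp = submitted[:-otp_len], submitted[-otp_len:]
    if not all(ch in MODHEX_ALPHABET for ch in otp):
        return submitted, None
    return password, otp


def public_id(otp, id_length=PUBLIC_ID_LEN):
    """The public identity of the key is the first id_length modhex chars of the OTP."""
    return otp[:id_length]


def authenticate(user, submitted, validate_otp, id_length=PUBLIC_ID_LEN):
    """Decide on one request.

    validate_otp(otp) -> bool is the injected call to the validation server
    (hypothetical, stands in for the real HTTP verify request).
    Returns (accepted, reason).
    """
    record = DIRECTORY.get(user)
    if record is None:
        return False, "unknown user"
    ldap_password, yubikey_id = record

    password, otp = split_password(submitted, id_length)
    # Constant-time comparison so the password check leaks no timing information.
    if not hmac.compare_digest(password.encode(), ldap_password.encode()):
        return False, "ldap password mismatch"

    if yubikey_id is None:
        # Step 4 of the post: the OTP is only checked for users who possess a YubiKey.
        return True, "password only (no yubiKeyId)"
    if otp is None:
        return False, "otp required for this user"
    # Ownership check: the OTP must come from the key assigned to this user.
    if not hmac.compare_digest(public_id(otp, id_length).encode(), yubikey_id.encode()):
        return False, "otp from a YubiKey not assigned to this user"
    # Only now is the validation server asked whether the OTP is genuine and unused.
    if not validate_otp(otp):
        return False, "otp rejected by validation server"
    return True, "password and otp accepted"


if __name__ == "__main__":
    # Constructed 44-character OTP: 12-char public ID + 32-char token.
    demo_otp = "cccccccbcjdi" + "ekrtgcfcirhutvffgnbecldibdcjhtfi"
    print(authenticate("alice", "s3cret-ldap-pw" + demo_otp, lambda otp: True))
    print(authenticate("alice", "s3cret-ldap-pw", lambda otp: True))
```

Checking the public ID against yubiKeyId before contacting the validation server is what prevents a valid OTP from any YubiKey being accepted for any account; a positional split means a user's LDAP password may itself contain modhex letters without confusing the parser, but a password shorter than or equal to 44 characters with no OTP attached is simply treated as password-only input.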