Allowing YubiRADIUS auth without having a Yubikey
Author:  lurch89 [ Thu Oct 18, 2012 1:07 am ]

I've been searching for a solution, and I will admit I'm not very good with FreeRADIUS (yet...). I set up the YubiRADIUS VA successfully, and am able to authenticate via RADIUS with an Apache page. I want to implement this for a large group of users, but I am not able to purchase Yubikeys for everyone. I would like the Yubikey authorization to be toggle-able for a user.

For example:

User1 is a system administrator. Their account has access to sensitive information. User2 is a standard user, who has access to only non-sensitive systems and data. Assume Active Directory.

User1 has a Yubikey assigned to them. They will always need to use their Yubikey when they want to log in (appended to their password).
User2 does not have a Yubikey. They should be able to use their username and password, without a Yubikey.

Both authorizations would be done against the same RADIUS server. Even better would be to do this with groups (members of a certain group require Yubikeys).

Is there any way to get this going? I know the ideal solution is to give everyone a Yubikey, but that is not practical for my application.

-Andrew, lurch89

Author:  hvbuel [ Fri Dec 07, 2012 9:10 am ]
Post subject:  Re: Allowing YubiRADIUS auth without having a Yubikey

You can assign a temporary fixed code to user2.
Inform user2 about the code, and user2 can then log in using his normal credentials and use the temporary code in the Yubikey field.
Temporary codes can be set from the YubiRADIUS management page.

We use this if someone has lost his Yubikey and needs access to our Citrix farm.
We then set the temp. code to be valid for only 2 or 3 days, the time it takes for the new Yubikey to reach him.

