Yubico Forum
https://forum.yubico.com/

deactivate AD Check functionality/OTP Check only
https://forum.yubico.com/viewtopic.php?f=29&t=1214

Author:  bialowons [ Fri Oct 25, 2013 10:53 am ]
Post subject:  deactivate AD Check functionality/OTP Check only

Hi Together,

I just want to know if there is any possibility to deactivate the proxy functionality of the YubiRADIUS.
I want to get YubiRADIUS running with Citrix NetScaler Gateway.

The plan is to use the YubiRADIUS OTP as "first factor" and the LDAP authentication directly against the AD from the NetScaler as second factor.

At the moment I see only the option to use YubiRADIUS like this:

"AD UserPW+otp" firstfactor
"AD UserPW" secondfactor

The user must input his PW two times.

Is there a supported way to use YubiRADIUS and YubiKey like other token solutions (for example RSA):
Personal PIN+OTP/TokenCode

WBR

Fabian

Author:  samir [ Wed Oct 30, 2013 7:17 am ]
Post subject:  Re: deactivate AD Proxy functionality

Hello,

There is no proxy functionality enabled on the YubiRADIUS VM.

You can make YubiRADIUS validate only the OTP as first factor; please make the changes to the FreeRADIUS configuration as per the steps below:

1. ssh to YubiRADIUS VA and follow the steps below

# cd /etc/freeradius/sites-available

2. Comment entries in "default" and "inner-tunnel" file:

# vim default

comment "ldap" from "authorize" section
# ldap

Comment pap entry as shown below from "authenticate" section:

authenticate {

Auth-Type PAP {
perl
# pap
}

# vim inner-tunnel

comment "ldap" from "authorize" section
# ldap

Comment pap entry as shown below:

authenticate {

Auth-Type PAP {
perl
# pap
}

3. Restart FreeRADIUS using the following command:

# /etc/init.d/freeradius restart


Hope this helps!

Thanks and best regards,
Samir.
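
The edits above are easy to get wrong by hand in vim (the "default" site has a second, bare "pap" at the end of "authorize" that must stay, and "authorize" contains nested blocks). The script below is an added example, not code from this post or from YubiRADIUS: it applies exactly Samir's two changes to a site file with an awk state machine that tracks brace depth, leaves the "authorize" pap and any already-commented line alone, and writes a .bak copy first. It assumes the FreeRADIUS 2.x "sites-available" layout shown in the post; the sample file it ships with is a constructed miniature of that layout, so you can try it before touching /etc/freeradius/sites-available/default and inner-tunnel. Keep in mind what the result means: after this change FreeRADIUS runs only the "perl" module for Auth-Type PAP, so the AD password is no longer verified by RADIUS at all, and the NetScaler LDAP policy is the only thing enforcing that factor.

```shell
#!/bin/sh
# Added example (not from the forum post or the YubiRADIUS project): apply
# Samir's two edits to a FreeRADIUS site file with a small awk state machine
# instead of editing by hand in vim.
#   1. comment out the bare "ldap" line inside the "authorize" section
#   2. comment out the bare "pap" line inside "Auth-Type PAP { ... }" within
#      the "authenticate" section, leaving "perl" (the OTP check) in place
# The "pap" that FreeRADIUS keeps at the end of "authorize" (it only sets
# Auth-Type) is deliberately left alone, and already-commented lines are not
# touched, so the script can be re-run safely.

otp_only_edit() {
    # $1: site file to rewrite in place; a copy is kept as "$1.bak".
    f="$1"
    cp "$f" "$f.bak"
    awk '
    {
        line = $0
        # Section markers are recognised at the depth where they live:
        # top-level sections at depth 0, Auth-Type blocks at depth 1.
        if (depth == 0 && line ~ /^[[:space:]]*authorize[[:space:]]*[{]/)
            section = "authorize"
        if (depth == 0 && line ~ /^[[:space:]]*authenticate[[:space:]]*[{]/)
            section = "authenticate"
        if (depth == 1 && section == "authenticate" &&
            line ~ /^[[:space:]]*Auth-Type[[:space:]]+PAP[[:space:]]*[{]/)
            inpap = 1
        # The two edits: a bare module name becomes a commented one.
        if (section == "authorize" && line ~ /^[[:space:]]*ldap[[:space:]]*$/)
            sub(/ldap/, "# ldap", line)
        if (inpap && line ~ /^[[:space:]]*pap[[:space:]]*$/)
            sub(/pap/, "# pap", line)
        # Track brace depth on the non-comment part of the line so that
        # nested blocks (eap { ok = return }, if (...) { ... }) are handled.
        code = line
        sub(/#.*/, "", code)
        depth += gsub(/[{]/, "{", code)
        depth -= gsub(/[}]/, "}", code)
        if (inpap && depth < 2) inpap = 0
        if (depth == 0) section = ""
        print line
    }' "$f.bak" > "$f"
}

# Constructed miniature of a FreeRADIUS 2.x site file, for trying the edit
# offline before touching /etc/freeradius/sites-available/{default,inner-tunnel}.
write_sample_site() {
    cat > "$1" <<'EOF'
authorize {
    preprocess
    chap
    mschap
    suffix
    eap {
        ok = return
    }
    files
    ldap
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        perl
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
EOF
}

# Stand-alone run: edit a temporary copy and show the resulting diff.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_site "$tmp"
    otp_only_edit "$tmp"
    diff -u "$tmp.bak" "$tmp" || true
    rm -f "$tmp" "$tmp.bak"
fi
```

Run it as `sh otp_only.sh --demo` to see the diff on the sample, then call `otp_only_edit` on each of the two real site files and restart FreeRADIUS as in step 3; check the .bak copies if anything looks off. The depth counter is what makes this safer than a plain sed: a `sed 's/^pap/# pap/'` would also hit the "pap" in "authorize", and FreeRADIUS would then stop setting Auth-Type PAP for incoming User-Password requests.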

Author:  bialowons [ Mon Nov 18, 2013 1:13 pm ]
Post subject:  Re: deactivate AD Proxy functionality

samir wrote:
You can make YubiRADIUS validate only the OTP as first factor; please make the changes to the FreeRADIUS configuration as per the steps below:

1. ssh to YubiRADIUS VA and follow the steps below
# cd /etc/freeradius/sites-available

2. Comment entries in "default" and "inner-tunnel" file:
# vim default

comment "ldap" from "authorize" section
# ldap

Comment pap entry as shown below from "authenticate" section:

authenticate {
Auth-Type PAP {
perl
# pap
}

# vim inner-tunnel
comment "ldap" from "authorize" section
# ldap
Comment pap entry as shown below:

authenticate {
Auth-Type PAP {
perl
# pap
}
3. Restart FreeRADIUS using the following command:
# /etc/init.d/freeradius restart

Hi samir,

thank you for your answer. I have a problem with your proposed changes. In my "default" and "inner-tunnel" files the "ldap" at "authenticate" is already commented. Also there is no "pap" at Auth-Type PAP:
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
####inner-tunnel:
Auth-Type PAP {
perl
}

#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}

#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#
# Pluggable Authentication Modules.
# pam

#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
# unix

# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.

#
# Allow EAP authentication.

# eap

Auth-Type EAP{
eap
}

perl

}

Is this all I have to change? Attached is a screenshot of my "general config". Does something need to be changed?

Attachments:
File comment: generalConfig
generalConfig.png

Author:  bialowons [ Mon Nov 18, 2013 1:29 pm ]
Post subject:  Re: deactivate AD Proxy functionality

What about this link?
http://blog.metasplo.it/2012/05/modifyi ... icate.html

The idea doesn't seem bad, but the patch file does not work with 3.6.1.
Is anyone out here able to make it work with 3.6.1?

Is this still a working scenario, or is this deprecated and is Samir's way the one to go?

#### Update
I used the code above and pasted it manually into ropverify.php. Now I am able to test "OTP only".
Any concerns about this setup?
