Yubico Forum :: View topic - deactivate AD Check functionality/OTP Check only

Yubico Forum https://forum.yubico.com/

deactivate AD Check functionality/OTP Check only https://forum.yubico.com/viewtopic.php?f=29&t=1214	Page 1 of 1

Author:	bialowons [ Fri Oct 25, 2013 10:53 am ]
Post subject:	deactivate AD Check functionality/OTP Check only
Hi Together, i just want to know if there is any possibility to deactivate the proxy functionality of the yubiradius. I want to get yubiradius running with Citrix NetScaler Gateway. Plan is to use the yubiradius otp as "first factor" and a the ldap authentication directly to the AD from the netscaler as second factor. At the moment i see only the option to use yubiradius like this: "AD UserPW+otp" firstfactor "AD UserPW" secondfactor The user must input his PW to times. Is there a supported way to use yubiradius and yubikey like other token solutions (for example RSA): Personal PIN+OTP/TokenCode WBR Fabian

Author:	samir [ Wed Oct 30, 2013 7:17 am ]
Post subject:	Re: deactivate AD Proxy functionality
Hello, There is no proxy functionality enabled on the YubiRADIUS VM. You can make YubiRADIUS to validate only OTP as first factor please make changes to the freeradius configuration as per the steps below: 1. ssh to YubiRADIUS VA and follow the steps below # cd /etc/freeradius/sites-available 2. Comment entries in "default" and "inner-tunnel" file: # vim default comment "ldap" from "authorize" section # ldap Comment pap entry as shown below from "authenticate" section: authenticate { Auth-Type PAP { perl # pap } # vim inner-tunnel comment "ldap" from "authorize" section # ldap Comment pap entery as shown below: authenticate { Auth-Type PAP { perl # pap } 3. Restart the freeradius using following command: # /etc/init.d/freeradius restart Hope this helps! Thanks and best regards, Samir.

Author:

bialowons [ Mon Nov 18, 2013 1:13 pm ]

Post subject:

Re: deactivate AD Proxy functionality

samir wrote:

You can make YubiRADIUS to validate only OTP as first factor please make changes to the freeradius configuration as per the steps below:

1. ssh to YubiRADIUS VA and follow the steps below
# cd /etc/freeradius/sites-available

2. Comment entries in "default" and "inner-tunnel" file:
# vim default

comment "ldap" from "authorize" section
# ldap

Comment pap entry as shown below from "authenticate" section:

authenticate {
Auth-Type PAP {
perl
# pap
}

# vim inner-tunnel
comment "ldap" from "authorize" section
# ldap
Comment pap entery as shown below:

authenticate {
Auth-Type PAP {
perl
# pap
}
3. Restart the freeradius using following command:
# /etc/init.d/freeradius restart

Hi samir,

thank you for your answer. I have a problem with your supposed changes. In my "default" and "inner-tunnel" files the "ldap" at "authenticate" is already commented. Also there is no "pap" at Auth-Type PAP:
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
####inner-tunnel:
Auth-Type PAP {
perl
}

#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}

#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#
# Pluggable Authentication Modules.
# pam

#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
# unix

# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.

#
# Allow EAP authentication.

# eap

Auth-Type EAP{
eap
}

perl

}

Is this all i have to change? Attached a screen of my "general config". Needs something to be changed?

Attachments:

File comment: generalConfig

generalConfig.png [ 19.12 KiB | Viewed 3932 times ]

Author:	bialowons [ Mon Nov 18, 2013 1:29 pm ]
Post subject:	Re: deactivate AD Proxy functionality
Whats about this link? http://blog.metasplo.it/2012/05/modifyi ... icate.html The idea seems not bad, but the patch file does not work with 3.6.1. Anyone out here who is able to make it working with 3.6.1? Is this still a working scenario or is this deprecated and is samirs way the one to go? #### Update I used the code above and pasted it manually in the ropverify.php. Now i am able to test "OTP only". Any concerns about this setup?

Page 1 of 1	All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/