Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 4:56 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 1 post ] 
Author Message
PostPosted: Mon Aug 10, 2009 9:18 pm 
Offline

Joined: Sat Aug 08, 2009 2:36 am
Posts: 1
I configured 2 factor authentication using the Yubikey and a system password to authenticate against a Cisco VPN. FWIW, here's a quick run-down of the settings I used. I have an ASA 5505 running 8.2.1 and am using a Fedora Core 8 box to authenticate against.

Code:
# cat /etc/pam.d/radiusd
#%PAM-1.0
auth required /usr/local/lib/security/pam_yubico.so authfile=/etc/raddb/yubikey.map id=16 debug
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth

Code:
# cat /etc/raddb/yubikey.map
mlindgren:abcdefgkijkl [use the first twelve characters of your yubikey's OTP]


For /etc/raddb/radiusd.conf and users, I used the settings from the how-to:
Quote:
1. Edit the radiusd configuration file “/etc/raddb/radiusd.conf” to make following changes:
* Change user and group to “root” to provide the root privileges to radiusd demon so that it can call and use pam modules for authentication. NOTE: Generally, it is not a good security practice to assign root privileges to a user for a demon. However, since use of PAM requires root privileges, this is a mandatory step here.
* In “authenticate” section uncomment pam to direct radiusd demon to use pam module for authentication
2. Edit the client configuration file “/etc/raddb/clients.conf” to add sample client for testing
3. Edit the user configuration file “/etc/raddb/users” to make following change:
* Change "DEFAULT Auth-Type = System" to "DEFAULT Auth-Type = pam" for using pam modules for user authentication

I also added the following section at the bottom of clients.conf
Code:
client x.x.x.x {
        secret = somepassword
        shortname = ASA
}


Over on the ASA:
Code:
aaa-server TEST protocol radius
aaa-server TEST (inside) host x.x.x.x
key somepassword
 authentication-port 1812
 accounting-port 1813
!


The last thing I had to do was disable iptables, or add a firewall rule for freeradius, I decided to disable iptables
Code:
#/etc/init.d/iptables stop


Didn't specifically see this posted anywhere, so I thought I'd contribute. We are thinking about implementing this at our company for our remote users.

Regards,

Mattias

EDIT: feel free to move the post to a different board, I realize now this may not be the right area to post in.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 1 post ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group