Yubico Forum

I need a RADIUS server for a Juniper VPN to authenticate users to. I'd like it to verify username/password with our AD domain, along with using a Yubikey OTP.

It looks like YubiRADIUS might be able to do what I want.

Reading through its documentation, the one thing that confuses me is that it seems to want to keep a copy of user data from the AD in its own LDAP server, rather than live query. Is that the case? Or can it work in a mode where it is live querying an Active Directory?

Thanks,

Kevin

Hello,

YubiRADIUS VA use AD/LDAP for the single factor authentication (i.e username and passowrd). YubiRADIUS import users and groups information from AD/LDAP and there is no password information stored on YubiRADIUS DB. The username and password is getting authenticated with live AD/LDAP for every authentication. For the two factor authentication using YubiRADIUS the credentials like username, password and OTP can be provided. YubiRADIUS then first authenticate OTP with respective OTP validation server and sends username and password to AD/LDAP for authentication.

Hope this helps!

Thanks and best regards,
Samir.

Thanks...I went ahead and set up a YubiRadius server, and it is working as described.

I'm having some trouble with having two units in a synchronization group where if one fails, the other quits working, but that's a different question and in a different thread.

Hello kevbo, what kind of Juniper VPN device are you using and how did you set it up? I'm trying to set up a similar configuration, but then with an LDAP server. I can authenticate against LDAP and YubiRADIUS just fine but I just don't manage to get the Juniper device we're using (an SA2500) to send the right data or to have the YubiRADIUS server understand the data that gets sent. Basically I'm having this issue: http://forums.juniper.net/t5/SSL-VPN/Yu ... rue#M13337
So if I enter the YubiKey OTP as the secondary password it doesn't work. If I prepend that OTP with the LDAP password it works. But maybe I'm overseeing something in the Juniper config or I've simply set it up wrong.

Thanks in advance!

Jeremy

Edit: I've decided to keep it this way, so LDAP password + OTP, as this is apparently the standard way to do it.

Any way you could post some detailed info on how you configured the Juniper SA2500 ?

Hi rmaudsley,

I'm not the original poster however I wrote a guide to getting a Juniper Netscreen SSG-140 working with YubiRadius a few months ago. The SSG-140 uses ScreenOS as its operating system, I'm not sure what the SA2500 uses but in case there is any overlap you might be able to use some of it.

http://www.digitalllama.net/2012/03/net ... -with.html

Regards,
Neal.

Neal...I saw your post before, the SA does not use ScreenOS..

thanks for the input