Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 10:17 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Fri Oct 25, 2013 10:53 am 
Offline

Joined: Fri Oct 25, 2013 10:46 am
Posts: 4
Hi Together,

i just want to know if there is any possibility to deactivate the proxy functionality of the yubiradius.
I want to get yubiradius running with Citrix NetScaler Gateway.

Plan is to use the yubiradius otp as "first factor" and a the ldap authentication directly to the AD from the netscaler as second factor.

At the moment i see only the option to use yubiradius like this:

"AD UserPW+otp" firstfactor
"AD UserPW" secondfactor

The user must input his PW to times.

Is there a supported way to use yubiradius and yubikey like other token solutions (for example RSA):
Personal PIN+OTP/TokenCode

WBR

Fabian


Last edited by bialowons on Mon Nov 18, 2013 1:46 pm, edited 1 time in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Oct 30, 2013 7:17 am 
Offline
Yubico Team
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
Hello,

There is no proxy functionality enabled on the YubiRADIUS VM.

You can make YubiRADIUS to validate only OTP as first factor please make changes to the freeradius configuration as per the steps below:

1. ssh to YubiRADIUS VA and follow the steps below

# cd /etc/freeradius/sites-available

2. Comment entries in "default" and "inner-tunnel" file:

# vim default

comment "ldap" from "authorize" section
# ldap

Comment pap entry as shown below from "authenticate" section:

authenticate {

Auth-Type PAP {
perl
# pap
}

# vim inner-tunnel

comment "ldap" from "authorize" section
# ldap

Comment pap entery as shown below:

authenticate {

Auth-Type PAP {
perl
# pap
}

3. Restart the freeradius using following command:

# /etc/init.d/freeradius restart


Hope this helps!

Thanks and best regards,
Samir.


Top
 Profile  
Reply with quote  
PostPosted: Mon Nov 18, 2013 1:13 pm 
Offline

Joined: Fri Oct 25, 2013 10:46 am
Posts: 4
samir wrote:
You can make YubiRADIUS to validate only OTP as first factor please make changes to the freeradius configuration as per the steps below:

1. ssh to YubiRADIUS VA and follow the steps below
# cd /etc/freeradius/sites-available

2. Comment entries in "default" and "inner-tunnel" file:
# vim default

comment "ldap" from "authorize" section
# ldap

Comment pap entry as shown below from "authenticate" section:

authenticate {
Auth-Type PAP {
perl
# pap
}

# vim inner-tunnel
comment "ldap" from "authorize" section
# ldap
Comment pap entery as shown below:

authenticate {
Auth-Type PAP {
perl
# pap
}
3. Restart the freeradius using following command:
# /etc/init.d/freeradius restart

Hi samir,

thank you for your answer. I have a problem with your supposed changes. In my "default" and "inner-tunnel" files the "ldap" at "authenticate" is already commented. Also there is no "pap" at Auth-Type PAP:
authenticate {
#
# PAP authentication, when a back-end database listed
# in the 'authorize' section supplies a password. The
# password can be clear-text, or encrypted.
####inner-tunnel:
Auth-Type PAP {
perl
}

#
# Most people want CHAP authentication
# A back-end database listed in the 'authorize' section
# MUST supply a CLEAR TEXT password. Encrypted passwords
# won't work.
Auth-Type CHAP {
chap
}

#
# MSCHAP authentication.
Auth-Type MS-CHAP {
mschap
}

#
# Pluggable Authentication Modules.
# pam

#
# See 'man getpwent' for information on how the 'unix'
# module checks the users password. Note that packets
# containing CHAP-Password attributes CANNOT be authenticated
# against /etc/passwd! See the FAQ for details.
#
# unix

# Uncomment it if you want to use ldap for authentication
#
# Note that this means "check plain-text password against
# the ldap database", which means that EAP won't work,
# as it does not supply a plain-text password.

#
# Allow EAP authentication.

# eap

Auth-Type EAP{
eap
}

perl

}

Is this all i have to change? Attached a screen of my "general config". Needs something to be changed?


Attachments:
File comment: generalConfig
generalConfig.png
generalConfig.png [ 19.12 KiB | Viewed 3926 times ]
Top
 Profile  
Reply with quote  
PostPosted: Mon Nov 18, 2013 1:29 pm 
Offline

Joined: Fri Oct 25, 2013 10:46 am
Posts: 4
Whats about this link?
http://blog.metasplo.it/2012/05/modifyi ... icate.html

The idea seems not bad, but the patch file does not work with 3.6.1.
Anyone out here who is able to make it working with 3.6.1?

Is this still a working scenario or is this deprecated and is samirs way the one to go?

#### Update
I used the code above and pasted it manually in the ropverify.php. Now i am able to test "OTP only".
Any concerns about this setup?


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group