Yubico Forum
https://forum.yubico.com/

Working 2-factor-authentication with Cisco ASA (IPSec, SSL)
https://forum.yubico.com/viewtopic.php?f=5&t=377

Author:  mlindgren [ Mon Aug 10, 2009 9:18 pm ]
Post subject:  Working 2-factor-authentication with Cisco ASA (IPSec, SSL)

I configured 2 factor authentication using the Yubikey and a system password to authenticate against a Cisco VPN. FWIW, here's a quick run-down of the settings I used. I have an ASA 5505 running 8.2.1 and am using a Fedora Core 8 box to authenticate against.

Code:
# cat /etc/pam.d/radiusd
#%PAM-1.0
auth required /usr/local/lib/security/pam_yubico.so authfile=/etc/raddb/yubikey.map id=16 debug
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth

Code:
# cat /etc/raddb/yubikey.map
mlindgren:abcdefgkijkl [use the first twelve characters of your yubikey's OTP]


For /etc/raddb/radiusd.conf and users, I used the settings from the how-to:
Quote:
1. Edit the radiusd configuration file “/etc/raddb/radiusd.conf” to make the following changes:
* Change user and group to “root” to provide root privileges to the radiusd daemon so that it can call and use PAM modules for authentication. NOTE: Generally, it is not a good security practice to assign root privileges to a user for a daemon. However, since use of PAM requires root privileges, this is a mandatory step here.
* In the “authenticate” section, uncomment pam to direct the radiusd daemon to use the PAM module for authentication
2. Edit the client configuration file “/etc/raddb/clients.conf” to add a sample client for testing
3. Edit the user configuration file “/etc/raddb/users” to make the following change:
* Change "DEFAULT Auth-Type = System" to "DEFAULT Auth-Type = pam" to use PAM modules for user authentication

I also added the following section at the bottom of clients.conf
Code:
client x.x.x.x {
        secret = somepassword
        shortname = ASA
}


Over on the ASA:
Code:
aaa-server TEST protocol radius
aaa-server TEST (inside) host x.x.x.x
key somepassword
 authentication-port 1812
 accounting-port 1813
!


The last thing I had to do was disable iptables, or add a firewall rule for freeradius; I decided to disable iptables.
Code:
#/etc/init.d/iptables stop


Didn't specifically see this posted anywhere, so I thought I'd contribute. We are thinking about implementing this at our company for our remote users.

Regards,

Mattias

EDIT: feel free to move the post to a different board, I realize now this may not be the right area to post in.
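The yubikey.map file above is the pam_yubico authfile: each line maps a local username to one or more Yubikey public IDs, and the public ID is the first twelve characters of any OTP the key emits, written in modhex (the alphabet cbdefghijklnrtuv). The following is an added illustration, not code from the original post or from pam_yubico, of what that mapping step checks: it parses an authfile in the same user:id[:id...] layout, extracts the public ID from a 44-character OTP, and reports whether the OTP came from a key that is enrolled for the user. The usernames, public IDs and OTP below are constructed sample values. Note that this lookup is only the binding of key to account; the OTP itself still has to be validated by the Yubico validation service (that is what the id=16 API client id in the PAM line is for), otherwise the check proves nothing about possession of the key.

```python
# Added example: authfile parsing and public-ID lookup as pam_yubico's
# authfile= option performs it. Not the project's own code.

MODHEX = set("cbdefghijklnrtuv")   # Yubikey modhex alphabet
PUBLIC_ID_LEN = 12                 # default public-ID length (first 12 OTP chars)
OTP_LEN = 44                       # 12-char public ID + 32-char encrypted body

# Constructed sample authfile: one key for alice, two keys for bob, a comment line.
SAMPLE_AUTHFILE = """\
# username:public_id[:public_id...]
alice:ccccccbcdefg
bob:vvvvvvcbdefg:vvvvvvhijkln
"""

# Constructed sample OTP from alice's key (public ID + 32 modhex chars).
SAMPLE_OTP = "ccccccbcdefg" + "tlejejubkevnrcgllntlhvilhgnjvbli"


def _is_modhex(s):
    """True if every character of s is in the modhex alphabet."""
    return bool(s) and set(s) <= MODHEX


def parse_authfile(text):
    """Parse user:id[:id...] lines into {user: [public_id, ...]}.

    Blank lines and '#' comments are ignored; a malformed public ID is an
    error rather than being silently skipped, so a typo in the map cannot
    quietly lock a user out or, worse, leave an unintended ID enrolled.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        user, ids = parts[0].strip(), [p.strip() for p in parts[1:] if p.strip()]
        if not user or not ids:
            raise ValueError("authfile line needs a user and at least one ID: %r" % raw)
        for pid in ids:
            if len(pid) != PUBLIC_ID_LEN or not _is_modhex(pid):
                raise ValueError("invalid Yubikey public ID %r for user %r" % (pid, user))
        mapping.setdefault(user, []).extend(ids)
    return mapping


def public_id(otp):
    """Return the public ID (first 12 chars) of a well-formed 44-char modhex OTP."""
    otp = otp.strip()
    if len(otp) != OTP_LEN or not _is_modhex(otp):
        raise ValueError("not a Yubikey OTP")
    return otp[:PUBLIC_ID_LEN]


def otp_belongs_to_user(mapping, user, otp):
    """True if the OTP's public ID is one of the IDs enrolled for user.

    This is only the key-to-account binding; the OTP must separately be
    validated (counter, session, AES integrity) by a validation server.
    """
    try:
        pid = public_id(otp)
    except ValueError:
        return False
    return pid in mapping.get(user, [])


if __name__ == "__main__":
    enrolled = parse_authfile(SAMPLE_AUTHFILE)
    print("public ID:", public_id(SAMPLE_OTP))
    print("alice:", otp_belongs_to_user(enrolled, "alice", SAMPLE_OTP))
    print("bob:  ", otp_belongs_to_user(enrolled, "bob", SAMPLE_OTP))
```

Multiple IDs per user let you enrol a backup key without sharing the same physical token, and rejecting non-modhex IDs at parse time catches a map entry that was pasted from a keyboard layout other than the one the key was programmed for.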
