networking:freeradius-yubikey

Differences

networking:freeradius-yubikey [2025/10/04 17:03] srohr_adminnetworking:freeradius-yubikey [2025/10/17 04:45] (current) – [Testing using radtest] srohr_admin
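--- a/networking:freeradius-yubikey
+++ b/networking:freeradius-yubikey
@@ -27,10 +27,31 @@
 apt install freeradius freeradius-yubikey rsyslog vim
 </code>
+
+
+===== Enable Freeradius YubiKey module =====
+
+
+cd /etc/freeradius/3.0/mods-enabled/ && ln -s ../mods-available/yubikey 
+
+
 
 ===== Allow clients to query Freradius =====
 
-In **///etc/freeradius/3.0/clients.conf//** find //client localhost// and add a new section above, describing the host or subnet which is allowed to query the radius server. This is usually the IP address or subnet of the Interface of the firewall.
+In **///etc/freeradius/3.0/clients.conf//** find //client localhost// and add a new section above or below this block, describing the host or subnet which is allowed to query the radius server. This is usually the IP address or subnet of the Interface of the firewall. 
+\\ 
+ 
+cat clients.conf | sed -r '/^\s*$/d' | sed -r '/^\s*#/d'
 
 <code>
+.
+.
+.
+client localhost {
+...
+
+}
+.
+.
+.
 client NET-192.168_16 {
         ipaddr          = 192.168.0.0/16
@@ -38,9 +59,181 @@
 }
 
-client localhost {
+
+</code> 
+
+
+In **///etc/freeradius/3.0/radiusd.conf//** find //log {// and change destination to syslog and auth to yes. 
+
+<code>
 ...
+
+log {
+...
+        #destination = files
+        destination = syslog
+        
+        ...
+        
+        #auth = no
+        auth = yes
+
+...
+}
+
+...
+
+</code>
+
+
+in sites-enabled/default
+
 <code>
 
+listen {
+        type = auth
+        limit {
+              #srohr
+              #idle_timeout = 900
+              idle_timeout = 30
+        }
+}
 
 
+authorize {
+        #srohr - add yubikey section
+        yubikey
+        if (ok) {
+                update control {
+                        Auth-Type := yubikey
+                }
+                pap
+        }
+
+
+        #srohr - enable "auth log"
+#       auth_log
+        auth_log
+
+
+        #srohr - disable "pap"
+        #pap
+        
+        
+        #srohr - new section in new freerad - TLS. TBC if it needs to be removed
+        Autz-Type New-TLS-Connection {
+                  ok
+        }
+}
+
+
+authenticate {
+        #srohr - Add yubikey section
+        Auth-Type yubikey {
+                yubikey
+                update request {
+                        User-Password := "%{User-Password}%{Yubikey-Public-ID}"
+                }
+                pap
+        }
+}
+
+
+accounting {
+
+        #srohr - "unix" is activated in OOB but disabled in new freerad config. TBC
+        unix or #unix ?????
+
+}
+
+
+post-auth {
+        #srohr - on new freeradius below is configured. Doesn't exist on the OOB freerad. TBC if it needs to be removed or if it can stay
+        if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
+                update reply {
+                        &User-Name !* ANY
+                }
+        }
+        
+        if (EAP-Key-Name && &reply:EAP-Session-Id) {
+                update reply {
+                        &EAP-Key-Name := &reply:EAP-Session-Id
+                }
+        }
+}
+
+
+post-proxy {
+
+        #srohr - "eap" enabled on old OOB but disabled on new freeradius. TBC if it can be disabled
+        eap
+}
+
+</code>
+
+
+Change values in /etc/freeradius/3.0/mods-available/yubikey
+
+<code>
+yubikey {
+ decrypt = no
+ validate = yes
+ validation {
+ servers {
+ uri = 'https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
+ uri = 'https://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
+ }
+ client_id = 62291
+ api_key = 'IE5qoaATSOKBwqCj8d+0Mv6u/OI='
+ pool {
+ start = ${thread[pool].start_servers}
+ min = ${thread[pool].min_spare_servers}
+ max = ${thread[pool].max_servers}
+ uses = 0
+ retry_delay = 30
+ lifetime = 0
+ idle_timeout = 60
+ spread = yes
+ }
+ }
+}
+</code>
+
+===== Testing using radtest =====
+
+Successful: 
+
+<code>
+radtest -x srohr Cisco123ccccccurvdnlbhdrtkjrihhbikhvklkkgvgftldgkjfd localhost 1812 testing123
+Sent Access-Request Id 248 from 0.0.0.0:54951 to 127.0.0.1:1812 length 123
+ User-Name = "srohr"
+ User-Password = "Cisco123ccccccurvdnlbhdrtkjrihhbikhvklkkgvgftldgkjfd"
+ NAS-IP-Address = 127.0.1.1
+ NAS-Port = 1812
+ Message-Authenticator = 0x00
+ Cleartext-Password = "Cisco123ccccccurvdnlbhdrtkjrihhbikhvklkkgvgftldgkjfd"
+Received Access-Accept Id 248 from 127.0.0.1:1812 to 127.0.0.1:54951 length 38
+ Message-Authenticator = 0x53728eccda8d30a6f9a9451136b7c4e6
+</code>
+
+Unsuccessful:
+
+<code>
+radtest -x srohr2 Cisco123ccccccurvdnlvetenvrhgjlcbvrcldegrbdgggfnjtnj localhost 1812 testing123
+Sent Access-Request Id 164 from 0.0.0.0:34610 to 127.0.0.1:1812 length 124
+ User-Name = "srohr2"
+ User-Password = "Cisco123ccccccurvdnlvetenvrhgjlcbvrcldegrbdgggfnjtnj"
+ NAS-IP-Address = 127.0.1.1
+ NAS-Port = 1812
+ Message-Authenticator = 0x00
+ Cleartext-Password = "Cisco123ccccccurvdnlvetenvrhgjlcbvrcldegrbdgggfnjtnj"
+Received Access-Reject Id 164 from 127.0.0.1:1812 to 127.0.0.1:34610 length 38
+ Message-Authenticator = 0x078a3a6275d18b0f41277f9509c96312
+(0) -: Expected Access-Accept got Access-Reject
+</code>
+
+shows config without empty lines and removes lines starting with '#'
+
+<code>
+cat sites-enabled/default | sed -r '/^\s*$/d' | sed -r '/^\s*#/d'
+</code>
 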
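Review bot: The `mods-available/yubikey` block added in the second hunk carries a real-looking Yubico validation credential (the `client_id = 62291` and `api_key = '…'` lines), and the radtest section prints the static password prefix `Cisco123` in cleartext on both the command line and the `Cleartext-Password` attribute; once published on a wiki these values have to be treated as compromised, so the API key should be rotated and the page should show placeholders such as `api_key = '<YUBICO_API_KEY>'` and `radtest -x <user> <PASSWORD><OTP> localhost 1812 <secret>` instead. The `unix or #unix ?????` line inside `accounting {}` is a question to the author rather than configuration and is likely to be rejected by the unlang parser if `sites-enabled/default` is copied verbatim; move the question into the preceding `#srohr` comment and leave one valid form, e.g. `#unix`. The `cat … | sed | sed` pipelines shown for `clients.conf` and `sites-enabled/default` can be written as `sed -r '/^\s*$/d;/^\s*#/d' sites-enabled/default`.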
networking/freeradius-yubikey.1759593793.txt.gz · Last modified: 2025/10/04 17:03 by srohr_admin
