====== Freeradius and YubiKey ======

===== Register an API key =====

[[https://upgrade.yubico.com/getapikey/]]

**Email: srohr1805@gmail.com\\
Yubikey: **

Congratulations! Please find below your client identity and client API key.

<code>
Client ID:  115201
Secret key: HQM+lDbHpaYs/MJ6vYz6+DG0OTo=
</code>

Be sure to protect the secret. If you need to generate more client id/keys for your different applications, please come back. Note that it may take up to 5 minutes until all validation servers know about your newly generated client.

===== Update system and install Freeradius & YubiKey plugin =====

<code bash>
apt update && apt upgrade
apt install freeradius freeradius-yubikey rsyslog vim
</code>

===== Enable Freeradius YubiKey module =====

<code bash>
cd /etc/freeradius/3.0/mods-enabled/ && ln -s ../mods-available/yubikey
</code>

===== Allow clients to query Freeradius =====

In **///etc/freeradius/3.0/clients.conf//** find //client localhost// and add a new section above or below this block, describing the host or subnet which is allowed to query the RADIUS server. This is usually the IP address or subnet of the firewall interface that sends the requests.

The following shows the file without empty lines and without comment lines:

<code bash>
cat clients.conf | sed -r '/^\s*$/d' | sed -r '/^\s*#/d'
</code>

<code>
. . .
client localhost {
    ...
}
. . .
client NET-192.168_16 {
    ipaddr = 192.168.0.0/16
    secret = Secre7Passw0rd
}
</code>

===== Log authentication to syslog =====

In **///etc/freeradius/3.0/radiusd.conf//** find //log {// and change //destination// to //syslog// and //auth// to //yes//.

<code>
...
log {
    ...
    #destination = files
    destination = syslog
    ...
    #auth = no
    auth = yes
    ...
}
...
</code>

===== Configure sites-enabled/default =====

In **///etc/freeradius/3.0/sites-enabled/default//** change the following sections. Lines commented with //#srohr// mark the changes against the shipped file.

<code>
listen {
    type = auth
    limit {
        #srohr
        #idle_timeout = 900
        idle_timeout = 30
    }
}

authorize {
    #srohr - add yubikey section
    yubikey
    if (ok) {
        update control {
            Auth-Type := yubikey
        }
        pap
    }

    #srohr - enable "auth log"
    # auth_log
    auth_log

    #srohr - disable "pap"
    #pap

    #srohr - new section in new freerad - TLS. TBC if it needs to be removed
    Autz-Type New-TLS-Connection {
        ok
    }
}

authenticate {
    #srohr - Add yubikey section
    Auth-Type yubikey {
        yubikey
        update request {
            User-Password := "%{User-Password}%{Yubikey-Public-ID}"
        }
        pap
    }
}

accounting {
    #srohr - "unix" is activated in OOB but disabled in new freerad config. TBC: unix or #unix ?
    unix
}

post-auth {
    #srohr - on new freeradius below is configured. Doesn't exist on the OOB freerad. TBC if it needs to be removed or if it can stay
    if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
        update reply {
            &User-Name !* ANY
        }
    }
    if (EAP-Key-Name && &reply:EAP-Session-Id) {
        update reply {
            &EAP-Key-Name := &reply:EAP-Session-Id
        }
    }
}

post-proxy {
    #srohr - "eap" enabled on old OOB but disabled on new freeradius. TBC if it can be disabled
    eap
}
</code>

===== Configure the YubiKey module =====

Change the values in **///etc/freeradius/3.0/mods-available/yubikey//**:

<code>
yubikey {
    decrypt = no
    validate = yes
    validation {
        servers {
            uri = 'https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
            uri = 'https://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
        }
        client_id = 62291
        api_key = 'IE5qoaATSOKBwqCj8d+0Mv6u/OI='
        pool {
            start = ${thread[pool].start_servers}
            min = ${thread[pool].min_spare_servers}
            max = ${thread[pool].max_servers}
            uses = 0
            retry_delay = 30
            lifetime = 0
            idle_timeout = 60
            spread = yes
        }
    }
}
</code>

===== Testing using radtest =====

Successful:

<code>
radtest -x srohr Cisco123ccccccurvdnlbhdrtkjrihhbikhvklkkgvgftldgkjfd localhost 1812 testing123
Sent Access-Request Id 248 from 0.0.0.0:54951 to 127.0.0.1:1812 length 123
	User-Name = "srohr"
	User-Password = "Cisco123ccccccurvdnlbhdrtkjrihhbikhvklkkgvgftldgkjfd"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
	Message-Authenticator = 0x00
	Cleartext-Password = "Cisco123ccccccurvdnlbhdrtkjrihhbikhvklkkgvgftldgkjfd"
Received Access-Accept Id 248 from 127.0.0.1:1812 to 127.0.0.1:54951 length 38
	Message-Authenticator = 0x53728eccda8d30a6f9a9451136b7c4e6
</code>

Unsuccessful:

<code>
radtest -x srohr2 Cisco123ccccccurvdnlvetenvrhgjlcbvrcldegrbdgggfnjtnj localhost 1812 testing123
Sent Access-Request Id 164 from 0.0.0.0:34610 to 127.0.0.1:1812 length 124
	User-Name = "srohr2"
	User-Password = "Cisco123ccccccurvdnlvetenvrhgjlcbvrcldegrbdgggfnjtnj"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
	Message-Authenticator = 0x00
	Cleartext-Password = "Cisco123ccccccurvdnlvetenvrhgjlcbvrcldegrbdgggfnjtnj"
Received Access-Reject Id 164 from 127.0.0.1:1812 to 127.0.0.1:34610 length 38
	Message-Authenticator = 0x078a3a6275d18b0f41277f9509c96312
(0) -: Expected Access-Accept got Access-Reject
</code>

The following shows the site config without empty lines and without lines starting with //#//:

<code bash>
cat sites-enabled/default | sed -r '/^\s*$/d' | sed -r '/^\s*#/d'
</code>
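The authenticate section above rebuilds User-Password as "%{User-Password}%{Yubikey-Public-ID}" before calling pap. The following Python is an added example, not code from the wiki page or from the FreeRADIUS project: it takes the User-Password from the successful radtest run apart the way rlm_yubikey does, so you can see which value pap finally compares against the user's Cleartext-Password. It assumes the rlm_yubikey defaults of a 12-character modhex public ID and a 32-character OTP body (44 characters in total); the function names are mine.

```python
"""
Added example (not from the wiki page): split a User-Password of the form
"<static password><YubiKey OTP>" into its parts, mirroring what rlm_yubikey
does before the authenticate section rebuilds User-Password as
"%{User-Password}%{Yubikey-Public-ID}" for pap.

Assumption (not stated on the page): rlm_yubikey default id_length of 12
modhex characters plus a 32-character OTP body, i.e. the trailing 44
characters of User-Password are the OTP.
"""

MODHEX = "cbdefghijklnrtuv"   # YubiKey "modhex" alphabet, maps to hex 0..f
PUBLIC_ID_LEN = 12            # rlm_yubikey default id_length
OTP_LEN = PUBLIC_ID_LEN + 32  # 44 characters: public ID + encrypted OTP body


def is_modhex(s: str) -> bool:
    """True if s is non-empty and every character is from the modhex alphabet."""
    return len(s) > 0 and all(ch in MODHEX for ch in s)


def modhex_to_hex(s: str) -> str:
    """Translate a modhex string to lowercase hex (e.g. the public ID as shown by Yubico tools)."""
    if not is_modhex(s):
        raise ValueError("not a modhex string")
    return "".join("0123456789abcdef"[MODHEX.index(ch)] for ch in s)


def split_password_otp(user_password: str):
    """
    Split "<password><44-char OTP>" into (static_password, public_id, otp).
    Raises ValueError when the trailing 44 characters are not a plausible
    OTP; that is the case where rlm_yubikey returns noop and the request
    falls through without Auth-Type being set to yubikey.
    """
    if len(user_password) < OTP_LEN:
        raise ValueError("User-Password shorter than an OTP")
    static, otp = user_password[:-OTP_LEN], user_password[-OTP_LEN:]
    if not is_modhex(otp):
        raise ValueError("trailing 44 characters are not modhex")
    return static, otp[:PUBLIC_ID_LEN], otp


def pap_comparison_value(user_password: str) -> str:
    """
    The value pap compares against Cleartext-Password after the authenticate
    section has run User-Password := "%{User-Password}%{Yubikey-Public-ID}":
    the static password followed by the key's public ID, which binds the
    user entry to one specific YubiKey.
    """
    static, public_id, _ = split_password_otp(user_password)
    return static + public_id


if __name__ == "__main__":
    # User-Password from the successful radtest run on the page.
    sample = "Cisco123ccccccurvdnlbhdrtkjrihhbikhvklkkgvgftldgkjfd"
    static, public_id, otp = split_password_otp(sample)
    print("static password :", static)
    print("public ID       :", public_id, "->", modhex_to_hex(public_id))
    print("pap compares    :", pap_comparison_value(sample))
```

Both radtest runs on the page carry the same public ID, ccccccurvdnl, so both requests came from the same key; only the static password plus that public ID has to match the Cleartext-Password stored for the user, while the 32-character OTP body is checked by the Yubico validation servers configured in the module.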
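With //destination = syslog// and //auth = yes// in radiusd.conf, every Access-Accept and Access-Reject produces a "Login OK" or "Login incorrect" line in syslog. The following Python is an added example, not code from the wiki page or from FreeRADIUS: it parses such lines and counts failed authentications per RADIUS client and user, which is the first thing to look at when a radtest-style request is unexpectedly rejected or a client starts hammering the server. The sample log lines are constructed for this example; they follow the general shape of FreeRADIUS auth log lines, but the timestamps, hostnames, PIDs and reason texts are made up, and the function names are mine.

```python
"""
Added example (not part of the wiki page): parse FreeRADIUS "Login OK" /
"Login incorrect" syslog lines and count failures per (client, user).
SAMPLE_LOG is constructed for the example; real lines may differ in detail.
"""
import re
from collections import Counter

AUTH_RE = re.compile(
    r"Login (?P<result>OK|incorrect)"        # outcome
    r"(?: \((?P<reason>[^)]*)\))?"           # optional reason, present on failures
    r": \[(?P<user>[^\]/]+)"                 # user name; a "/password" suffix is dropped
    r"[^\]]*\] \(from client (?P<client>\S+) port (?P<port>\d+)"
)

# Constructed sample lines (not real server output).
SAMPLE_LOG = """\
Mar  3 10:15:01 radius freeradius[1234]: Auth: (0) Login OK: [srohr] (from client localhost port 1812)
Mar  3 10:15:07 radius freeradius[1234]: Auth: (1) Login incorrect (rlm_yubikey: OTP validation failed): [srohr2] (from client localhost port 1812)
Mar  3 10:16:12 radius freeradius[1234]: Auth: (2) Login incorrect (rlm_pap: CLEAR TEXT password does not match): [srohr] (from client NET-192.168_16 port 1812)
Mar  3 10:16:13 radius freeradius[1234]: Auth: (3) Login incorrect (rlm_pap: CLEAR TEXT password does not match): [srohr] (from client NET-192.168_16 port 1812)
Mar  3 10:16:14 radius freeradius[1234]: Auth: (4) Login incorrect (rlm_pap: CLEAR TEXT password does not match): [srohr] (from client NET-192.168_16 port 1812)
Mar  3 10:17:00 radius freeradius[1234]: Auth: (5) Login OK: [srohr] (from client NET-192.168_16 port 1812)
Mar  3 10:17:30 radius cron[999]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_auth_line(line: str):
    """Return a dict for a FreeRADIUS auth line, or None for any other syslog line."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ok"] = rec.pop("result") == "OK"
    rec["port"] = int(rec["port"])
    return rec


def failed_logins(lines):
    """Count failed logins per (client name, user) and return the Counter."""
    counts = Counter()
    for line in lines:
        rec = parse_auth_line(line)
        if rec and not rec["ok"]:
            counts[(rec["client"], rec["user"])] += 1
    return counts


def noisy_sources(lines, threshold=3):
    """(client, user) pairs with at least `threshold` failures: candidates to investigate."""
    return sorted(k for k, n in failed_logins(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (client, user), n in failed_logins(lines).most_common():
        print(f"{n:3d} failures  client={client}  user={user}")
    print("over threshold:", noisy_sources(lines))
```

The client name in the log is the name from clients.conf (for example NET-192.168_16), not the source IP, so with a /16 client block as on this page the log alone does not tell you which host inside that range sent the request; narrowing the client definition to the firewall's actual address gives far more useful logs.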