https://upgrade.yubico.com/getapikey/
Email: srohr1805@gmail.com
Yubikey: <NFC Yubikey used>
Congratulations!
Please find below your client identity and client API key.
Client ID: 115201
Secret key: HQM+lDbHpaYs/MJ6vYz6+DG0OTo=
Be sure to protect the secret. If you need to generate more client id/keys for your different applications, please come back.
Note that it may take up until 5 minutes until all validation servers know about your newly generated client.
apt update && apt upgrade
apt install freeradius freeradius-yubikey rsyslog vim
cd /etc/freeradius/3.0/mods-enabled/ && ln -s ../mods-available/yubikey
In /etc/freeradius/3.0/clients.conf find client localhost and add a new section above or below this block, describing the host or subnet which is allowed to query the radius server. This is usually the IP address or subnet of the Interface of the firewall.
cat clients.conf | sed -r '/^\s*$/d' | sed -r '/^\s*#/d'
.
.
.
client localhost {
...
}
.
.
.
client NET-192.168_16 {
ipaddr = 192.168.0.0/16
secret = Secre7Passw0rd
}
In /etc/freeradius/3.0/radiusd.conf find log { and change destination to syslog and auth to yes.
...
log {
...
#destination = files
destination = syslog
...
#auth = no
auth = yes
...
}
...
in sites-enabled/default
listen {
type = auth
limit {
#srohr
#idle_timeout = 900
idle_timeout = 30
}
}
authorize {
#srohr - add yubikey section
yubikey
if (ok) {
update control {
Auth-Type := yubikey
}
pap
}
#srohr - enable "auth log"
# auth_log
auth_log
#srohr - disable "pap"
#pap
#srohr - new section in new freerad - TLS. TBC if it needs to be removed
Autz-Type New-TLS-Connection {
ok
}
}
authenticate {
#srohr - Add yubikey section
Auth-Type yubikey {
yubikey
update request {
User-Password := "%{User-Password}%{Yubikey-Public-ID}"
}
pap
}
}
accounting {
#srohr - "unix" is activated in OOB but disabled in new freerad config. TBC
unix or #unix ?????
}
post-auth {
#srohr - on new freeradius below is configured. Doesn't exist on the OOB freerad. TBC if it needs to be removed or if it can stay
if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
update reply {
&User-Name !* ANY
}
}
if (EAP-Key-Name && &reply:EAP-Session-Id) {
update reply {
&EAP-Key-Name := &reply:EAP-Session-Id
}
}
}
post-proxy {
#srohr - "eap" enabled on old OOB but disabled on new freeradius. TBC if it can be disabled
eap
}
Change values in /etc/freeradius/3.0/mods-available/yubikey
yubikey {
decrypt = no
validate = yes
validation {
servers {
uri = 'https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
uri = 'https://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
}
client_id = 62291
api_key = 'IE5qoaATSOKBwqCj8d+0Mv6u/OI='
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
spread = yes
}
}
}
Successful:
radtest -x srohr Cisco123ccccccurvdnlbhdrtkjrihhbikhvklkkgvgftldgkjfd localhost 1812 testing123
Sent Access-Request Id 248 from 0.0.0.0:54951 to 127.0.0.1:1812 length 123
User-Name = "srohr"
User-Password = "Cisco123ccccccurvdnlbhdrtkjrihhbikhvklkkgvgftldgkjfd"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "Cisco123ccccccurvdnlbhdrtkjrihhbikhvklkkgvgftldgkjfd"
Received Access-Accept Id 248 from 127.0.0.1:1812 to 127.0.0.1:54951 length 38
Message-Authenticator = 0x53728eccda8d30a6f9a9451136b7c4e6
Unsuccessful:
radtest -x srohr2 Cisco123ccccccurvdnlvetenvrhgjlcbvrcldegrbdgggfnjtnj localhost 1812 testing123
Sent Access-Request Id 164 from 0.0.0.0:34610 to 127.0.0.1:1812 length 124
User-Name = "srohr2"
User-Password = "Cisco123ccccccurvdnlvetenvrhgjlcbvrcldegrbdgggfnjtnj"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "Cisco123ccccccurvdnlvetenvrhgjlcbvrcldegrbdgggfnjtnj"
Received Access-Reject Id 164 from 127.0.0.1:1812 to 127.0.0.1:34610 length 38
Message-Authenticator = 0x078a3a6275d18b0f41277f9509c96312
(0) -: Expected Access-Accept got Access-Reject
shows config without empty lines and removes lines starting with '#'
cat sites-enabled/default | sed -r '/^\s*$/d' | sed -r '/^\s*#/d'