Freeradius and YubiKey
Register an API key
https://upgrade.yubico.com/getapikey/
Email: srohr1805@gmail.com
Yubikey: <NFC Yubikey used>
Congratulations!
Please find below your client identity and client API key.
Client ID: 115201
Secret key: HQM+lDbHpaYs/MJ6vYz6+DG0OTo=
Be sure to protect the secret. If you need to generate more client id/keys for your different applications, please come back.
Note that it may take up until 5 minutes until all validation servers know about your newly generated client.
Update system and install Freeradius & YubiKey plugin
apt update && apt upgrade
apt install freeradius freeradius-yubikey rsyslog vim
Enable Freeradius YubiKey module
cd /etc/freeradius/3.0/mods-enabled/ && ln -s ../mods-available/yubikey
Allow clients to query Freeradius
In /etc/freeradius/3.0/clients.conf find client localhost and add a new section above or below this block, describing the host or subnet that is allowed to query the radius server. This is usually the IP address or subnet of the interface of the firewall.
...
client localhost {
...
}
...
client NET-192.168_16 {
ipaddr = 192.168.0.0/16
secret = Secre7Passw0rd
}
In /etc/freeradius/3.0/radiusd.conf find the log { block and change destination to syslog and auth to yes.
...
log {
...
#destination = files
destination = syslog
...
#auth = no
auth = yes
...
}
...
In /etc/freeradius/3.0/sites-enabled/default
listen {
type = auth
limit {
#srohr
#idle_timeout = 900
idle_timeout = 30
}
}
authorize {
#srohr - add yubikey section
yubikey
if (ok) {
update control {
Auth-Type := yubikey
}
pap
}
#srohr - enable "auth log"
# auth_log
auth_log
#srohr - disable "pap"
#pap
#srohr - new section in new freerad - TLS. TBC if it needs to be removed
Autz-Type New-TLS-Connection {
ok
}
}
authenticate {
#srohr - Add yubikey section
Auth-Type yubikey {
yubikey
update request {
User-Password := "%{User-Password}%{Yubikey-Public-ID}"
}
pap
}
}
accounting {
#srohr - "unix" is activated in OOB but disabled in new freerad config. TBC
unix or #unix ?????
}
post-auth {
#srohr - on new freeradius below is configured. Doesn't exist on the OOB freerad. TBC if it needs to be removed or if it can stay
if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
update reply {
&User-Name !* ANY
}
}
if (EAP-Key-Name && &reply:EAP-Session-Id) {
update reply {
&EAP-Key-Name := &reply:EAP-Session-Id
}
}
}
post-proxy {
#srohr - "eap" enabled on old OOB but disabled on new freeradius. TBC if it can be disabled
eap
}
Change values in /etc/freeradius/3.0/mods-available/yubikey (client_id and api_key must be the Client ID and Secret key returned when you registered the API key)
yubikey {
decrypt = no
validate = yes
validation {
servers {
uri = 'https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
uri = 'https://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
}
client_id = 62291
api_key = 'IE5qoaATSOKBwqCj8d+0Mv6u/OI='
pool {
start = ${thread[pool].start_servers}
min = ${thread[pool].min_spare_servers}
max = ${thread[pool].max_servers}
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
spread = yes
}
}
}
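With validate = yes the module sends each OTP to the verify URIs above and, because an api_key is configured, signs the request and checks the signature on the reply. The Python below is an added example, not code from the wiki page or from FreeRADIUS, showing the YubiCloud validation protocol 2.0 signing it relies on: an HMAC-SHA1 over the alphabetically sorted key=value pairs, keyed with the base64-decoded API key. The API key, client id, nonce and response body used here are constructed for the example; only the verify URI comes from the page.

```python
# Added example (not from the wiki page or FreeRADIUS): the request signing
# and reply checking of the YubiCloud validation protocol 2.0 that the
# yubikey module performs when api_key is set. All key material here is
# constructed for the example.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

VERIFY_URI = "https://api.yubico.com/wsapi/2.0/verify"   # from the module config
# Constructed API key (base64 of 20 bytes), NOT a real Yubico secret
API_KEY_B64 = base64.b64encode(b"constructed-key-000!").decode()
CLIENT_ID = 1               # constructed placeholder client id


def sign(params: dict, api_key_b64: str) -> str:
    """HMAC-SHA1 over 'k=v&k=v' with keys sorted, 'h' excluded, base64-encoded."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_verify_request(otp: str, client_id: int, api_key_b64: str, nonce: str = None):
    """Return (url, nonce) for a signed verify request; nonce must be remembered
    so the reply can be matched to this request."""
    nonce = nonce or secrets.token_hex(16)
    params = {"id": str(client_id), "otp": otp, "nonce": nonce}
    params["h"] = sign(params, api_key_b64)
    return VERIFY_URI + "?" + urlencode(params), nonce


def parse_reply(body: str) -> dict:
    """Reply is one key=value per line (h, t, otp, nonce, sl, status)."""
    fields = {}
    for line in body.splitlines():
        k, sep, v = line.strip().partition("=")
        if sep and k:
            fields[k] = v
    return fields


def check_reply(fields: dict, api_key_b64: str, expected_otp: str, expected_nonce: str):
    """Accept only a correctly signed reply for our own otp and nonce with status OK."""
    if not hmac.compare_digest(fields.get("h", ""), sign(fields, api_key_b64)):
        return False, "bad signature"
    if fields.get("otp") != expected_otp:
        return False, "otp mismatch"
    if fields.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if fields.get("status") != "OK":
        return False, fields.get("status", "missing status")
    return True, "OK"


def make_signed_reply(fields: dict, api_key_b64: str) -> str:
    """Build a reply body the way a validation server would (used to construct
    the sample reply below; a real server signs with the same shared key)."""
    fields = dict(fields)
    fields["h"] = sign(fields, api_key_b64)
    return "\r\n".join(f"{k}={v}" for k, v in fields.items()) + "\r\n"


SAMPLE_OTP = "ccccccbcgujh" + "ingjrdejhgfnuetrgigvejhhgbkugded"   # constructed
SAMPLE_NONCE = "0123456789abcdef0123456789abcdef"                 # constructed

if __name__ == "__main__":
    url, nonce = build_verify_request(SAMPLE_OTP, CLIENT_ID, API_KEY_B64, SAMPLE_NONCE)
    body = make_signed_reply({"t": "2025-10-05T04:24:00Z0000", "otp": SAMPLE_OTP,
                              "nonce": nonce, "sl": "100", "status": "OK"}, API_KEY_B64)
    print(url)
    print(check_reply(parse_reply(body), API_KEY_B64, SAMPLE_OTP, nonce))
```

The nonce and otp checks matter as much as the signature: a signed reply for a different OTP, or a replayed reply from an earlier request, would otherwise be accepted. A status of REPLAYED_OTP or BAD_OTP is signed just like OK, so the status field is checked only after the signature has been verified.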
networking/freeradius-yubikey.1759634666.txt.gz · Last modified: 2025/10/05 04:24 by srohr_admin
