

Freeradius and YubiKey

Register an API key

https://upgrade.yubico.com/getapikey/

Email: srohr1805@gmail.com
YubiKey OTP: an OTP generated by touching the YubiKey that is being registered (an NFC YubiKey was used here)

Congratulations!
Please find below your client identity and client API key.

Client ID:	115201
Secret key:	HQM+lDbHpaYs/MJ6vYz6+DG0OTo=
Treat the secret key as a credential: it belongs only in the FreeRADIUS module configuration on the server, never in a wiki page, ticket or chat. The client ID / secret pair printed above has been published on this page and should be considered compromised — go back to the same form, generate a fresh pair and use that one instead. The same form is used if you need additional client IDs/keys for different applications.

Note that it may take up until 5 minutes until all validation servers know about your newly generated client.

Update system and install Freeradius & YubiKey plugin

# Refresh the package index and bring the system up to date first.
apt update && apt upgrade

# freeradius-yubikey provides rlm_yubikey (the module enabled below);
# rsyslog receives the server log once radiusd.conf sets destination = syslog;
# vim is only an editor.
apt install freeradius freeradius-yubikey rsyslog vim

Enable Freeradius YubiKey module

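# Enable rlm_yubikey: FreeRADIUS loads every module linked into mods-enabled/.
# The link target stays relative (../mods-available/yubikey), as the stock
# links are, but the link name is given in full so the command neither depends
# on nor changes the caller's working directory.
ln -s ../mods-available/yubikey /etc/freeradius/3.0/mods-enabled/yubikey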

Allow clients to query FreeRADIUS

In /etc/freeradius/3.0/clients.conf find the `client localhost` block and add a new client block above or below it describing the host or subnet that is allowed to query the RADIUS server. Keep it as narrow as possible: normally the single IP address of the firewall interface that will send the requests, not a whole subnet. Every host matching the block must present the same shared secret, so a broad range also widens which hosts can talk to the server with that secret.

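# Show clients.conf without blank lines and comment lines.  A single sed
# invocation with two delete expressions reads the file directly: no
# "cat |" and no second sed process, same output as the original pipeline.
sed -r '/^\s*$/d; /^\s*#/d' clients.conf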

.
.
.
client localhost {
...

}
.
.
.
# NAS client definition: any RADIUS request from 192.168.0.0/16 that carries
# this shared secret is accepted.  Two things to tighten before production:
#  - ipaddr: a /16 lets every host on the LAN talk to the server; prefer the
#    single address of the firewall interface that actually sends requests.
#  - secret: illustrative value only.  The shared secret is what authenticates
#    the NAS and what RADIUS uses to obfuscate User-Password and to compute
#    Message-Authenticator, so use a long random string, unique per client,
#    and keep clients.conf readable by root and the freerad user only.
client NET-192.168_16 {
        ipaddr          = 192.168.0.0/16
        secret          = Secre7Passw0rd
}


In /etc/freeradius/3.0/radiusd.conf find the `log {` section and change `destination` to `syslog` and `auth` to `yes`.

...

# radiusd.conf log {} section; only the two changed settings are shown.
log {
...
        # Send the server log to syslog (rsyslog is installed above) instead of
        # the radius.log file under logdir.
        #destination = files
        destination = syslog
        
        ...
        
        # Record every Access-Accept / Access-Reject together with the user
        # name.  Leave the related auth_badpass / auth_goodpass options (if
        # present in this radiusd.conf) at "no": they would write the submitted
        # password -- here the static password followed by the OTP -- to syslog.
        #auth = no
        auth = yes

...
}

...

In /etc/freeradius/3.0/sites-enabled/default apply the changes below; comments starting with #srohr mark the author's edits.

listen {
        type = auth
        # limit {} settings such as idle_timeout govern stream (TCP /
        # RADIUS-over-TLS) connections to this socket, as far as the stock
        # comments go; the author lowered the value from 900 s to 30 s.  It
        # should have no effect on plain UDP clients like the radtest runs
        # further down.
        limit {
              #srohr
              #idle_timeout = 900
              idle_timeout = 30
        }
}


authorize {
        #srohr - add yubikey section
        # rlm_yubikey in authorize presumably recognises a password that ends
        # in a 44-character OTP, splits the OTP off into Yubikey-* attributes
        # and returns "ok" only for such requests.  Only then is Auth-Type
        # forced to yubikey, so a request without an OTP gets no Auth-Type
        # here and -- unless another module not shown sets one -- is rejected.
        yubikey
        if (ok) {
                update control {
                        Auth-Type := yubikey
                }
                # With control Auth-Type already set, pap here is expected to
                # only normalise the stored password attributes; the real
                # password comparison is the pap call in authenticate.
                pap
        }


        #srohr - enable "auth log"
        # auth_log is the detail module: it appends every Access-Request to a
        # detail file.  Confirm mods-available/detail.log keeps User-Password
        # in auth_log's suppress {} list, otherwise static password + OTP is
        # written to disk in cleartext.
#       auth_log
        auth_log


        #srohr - disable "pap"
        # Unconditional pap stays disabled on purpose: it could set
        # Auth-Type = PAP for OTP-less requests and allow password-only logins.
        #pap
        
        
        #srohr - new section in new freerad - TLS. TBC if it needs to be removed
        # Accepts the pseudo-request raised when a new RADIUS/TLS connection is
        # established; harmless with UDP-only clients, so it can stay.
        Autz-Type New-TLS-Connection {
                  ok
        }
}


authenticate {
        #srohr - Add yubikey section
        Auth-Type yubikey {
                # Validate the OTP against YubiCloud (validate = yes in
                # mods-available/yubikey).  A bad or replayed OTP fails here and
                # the request is rejected before the password is ever checked.
                yubikey
                # Re-append the key's public ID (presumably the first 12 chars
                # of the OTP) to what is left of the password, so the stored
                # credential must be "<static password><public-id>": this ties
                # the account to one specific YubiKey.  The users/SQL entry that
                # must be stored in that form is not shown on this page.
                update request {
                        User-Password := "%{User-Password}%{Yubikey-Public-ID}"
                }
                # Compare the rebuilt string against the stored password.
                pap
        }
}


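accounting {

        #srohr - "unix" is activated in OOB but disabled in new freerad config. TBC
        # TODO(srohr): decide whether "unix" (presumably rlm_unix's radwtmp
        # accounting) should stay.  The earlier placeholder "unix or #unix ?????"
        # is not valid unlang and would keep the server from loading this site;
        # the module is called plainly here so the section at least parses.
        unix

}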


post-auth {
        #srohr - on new freeradius below is configured. Doesn't exist on the OOB freerad. TBC if it needs to be removed or if it can stay
        # Both blocks come from the stock default site of newer 3.x releases
        # and are safe to keep.  This one drops a reply User-Name that merely
        # echoes the request's User-Name (no information is lost); the stock
        # config comments give the rationale.
        if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
                update reply {
                        &User-Name !* ANY
                }
        }
        
        # EAP only: copy the EAP session id into EAP-Key-Name for NASes that
        # expect it.  Irrelevant to the PAP+OTP flow on this page, but harmless.
        if (EAP-Key-Name && &reply:EAP-Session-Id) {
                update reply {
                        &EAP-Key-Name := &reply:EAP-Session-Id
                }
        }
}


post-proxy {

        #srohr - "eap" enabled on old OOB but disabled on new freeradius. TBC if it can be disabled
        # Only runs for replies to proxied requests, and only matters for EAP.
        # Nothing on this page proxies, so either setting has no effect on the
        # OTP flow; leaving it enabled is harmless.
        eap
}

Change values in /etc/freeradius/3.0/mods-available/yubikey

# mods-available/yubikey: OTP checking is delegated to the YubiCloud service.
yubikey {
	# decrypt = no: the server holds no AES keys for the tokens, so it cannot
	# verify OTPs locally and relies entirely on the validation service below.
	decrypt = no
	validate = yes
	validation {
		servers {
			# Both YubiCloud front ends.  Keep the https scheme so the verdict
			# cannot be tampered with in transit.  %d = client_id, %s = the OTP.
			uri = 'https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
			uri = 'https://api2.yubico.com/wsapi/2.0/verify?id=%d&otp=%s'
		}
		# Must be the client id / API key pair issued by upgrade.yubico.com
		# for THIS deployment.  The pair below does not match the one shown
		# at the top of the page (115201), and both pairs are now public in
		# this wiki: generate a new pair, put it here, and keep this file
		# readable by root and the service account (freerad on Debian) only.
		client_id = 62291
		api_key = 'IE5qoaATSOKBwqCj8d+0Mv6u/OI='
		# Connection pool towards the validation servers, sized from the main
		# thread pool.  uses = 0 / lifetime = 0 presumably mean connections
		# are never recycled on a count or age basis, only after 60 s idle.
		pool {
			start = ${thread[pool].start_servers}
			min = ${thread[pool].min_spare_servers}
			max = ${thread[pool].max_servers}
			uses = 0
			retry_delay = 30
			lifetime = 0
			idle_timeout = 60
			spread = yes
		}
	}
}

Testing using radtest. The password argument is the static password immediately followed by the OTP from the key (here `Cisco123` plus a 44-character OTP). Note that `radtest -x` echoes the password in cleartext, so test with a throwaway password, and that the last argument (`testing123`) is the shared secret of the `client localhost` block in clients.conf — it looks like the stock value and should be changed before the server is exposed.

Successful:

radtest -x srohr Cisco123ccccccurvdnlbhdrtkjrihhbikhvklkkgvgftldgkjfd localhost 1812 testing123
Sent Access-Request Id 248 from 0.0.0.0:54951 to 127.0.0.1:1812 length 123
	User-Name = "srohr"
	User-Password = "Cisco123ccccccurvdnlbhdrtkjrihhbikhvklkkgvgftldgkjfd"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
	Message-Authenticator = 0x00
	Cleartext-Password = "Cisco123ccccccurvdnlbhdrtkjrihhbikhvklkkgvgftldgkjfd"
Received Access-Accept Id 248 from 127.0.0.1:1812 to 127.0.0.1:54951 length 38
	Message-Authenticator = 0x53728eccda8d30a6f9a9451136b7c4e6

Unsuccessful (user srohr2 with a different OTP — the expected result is an Access-Reject):

radtest -x srohr2 Cisco123ccccccurvdnlvetenvrhgjlcbvrcldegrbdgggfnjtnj localhost 1812 testing123
Sent Access-Request Id 164 from 0.0.0.0:34610 to 127.0.0.1:1812 length 124
	User-Name = "srohr2"
	User-Password = "Cisco123ccccccurvdnlvetenvrhgjlcbvrcldegrbdgggfnjtnj"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 1812
	Message-Authenticator = 0x00
	Cleartext-Password = "Cisco123ccccccurvdnlvetenvrhgjlcbvrcldegrbdgggfnjtnj"
Received Access-Reject Id 164 from 127.0.0.1:1812 to 127.0.0.1:34610 length 38
	Message-Authenticator = 0x078a3a6275d18b0f41277f9509c96312
(0) -: Expected Access-Accept got Access-Reject
