YubiRadius integration with group-validated FreeIPA Users using LDAPS

This article will show you how to set up the YubiRadius Virtual Appliance (v. 3.5.1) for User validation against a FreeIPA infrastructure on Red Hat Enterprise Linux 6.3.

You can obtain the YubiRadius Virtual Appliance from the good people over at Yubico, or just click here

This guide is not meant to show you how to configure a virtual appliance in your choice of Virtualization technology, although as I am using KVM, a special thanks to Gavin Spurgeon for getting this VA converted and working smoothly (even with virtio for the icing on the cake).

For details in configuring the Virtual Appliance you can reference the Yubico’s provided documentation here if you wish.

Now, before we begin, the details for the purpose of this article are as follows.

IPA server: ds01.example.com (10.0.1.11)

YubiRadius VA: yubiradius01.example.com (10.0.1.31)

Group to be used for validation: “yubikey”

YubiRadius LDAP Bind Account: “yubiradius”

Example Users: euser1, euser2, euser3, euser4, euser5

 

Step 1. Create our Group to be used for user validation

On your FreeIPA server, run the following:

[root@ds01 ~]# ipa group-add
Group name: yubikey
Description: YubiKey validation group
---------------------
Added group "yubikey"
---------------------
Group name: yubikey
Description: YubiKey validation group
GID: 1870200005
[root@ds01 ~]#

Step 2. Add users to your new group.

As I have already created my users, I will add them to the group I have just created.

[root@ds01 ~]# ipa group-add-member yubikey
[member user]: euser1,euser2,euser3,euser4,euser5
[member group]:
Group name: yubikey
Description: YubiKey validation group
GID: 1870200005
Member users: euser1, euser2, euser3, euser4, euser5
-------------------------
Number of members added 5
-------------------------
[root@ds01 ~]#

Step 3,  Create an LDAP bind account.

Create a text file called “yubiradius.ldif” with the following content.

Be sure to change the password to something secure. In this example I have used “redhat123”

dn: uid=yubiradius,cn=sysaccounts,cn=etc,dc=example,dc=com
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: yubiradius
userPassword: redhat123
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

Now, import yubiradius.ldif into FreeIPA. You will need to enter your Directory Manager password, as you are making additions to LDAP.

[root@ds01 ~]# ldapmodify -h ds01.example.com -p 389 -x -D "cn=Directory Manager" -W -f yubiradius.ldif
Enter LDAP Password:
adding new entry "uid=yubiradius,cn=sysaccounts,cn=etc,dc=example,dc=com"

[root@ds01 ~]#

Step 4. Add your YubiRadius server’s hostname to our DNS environment. If you are using IPA to manage your DNS, do the following.

[root@ds01 ~]# ipa dnsrecord-add example.com yubiradius01 --a-rec 10.0.1.31
Record name: yubiradius01
A record: 10.0.1.31

[root@ds01 ~]# ipa dnsrecord-add 1.0.10.in-addr.arpa. 31 --ptr-rec  yubiradius01.example.com.
Record name: 31
PTR record: yubiradius01.example.com.
[root@ds01 ~]#

Step 5. Start to configure your YubiRadius through the webmin management page. Start by logging into your Yubiradius.

Browse to https://<hostname or ip of yubiradius>:10000

Log in with these details

Username: yubikey

Password: yubico

See attached screen shot

 

Step 6. Create a domain.

The first page you will be presented with, will be the Domain page, before continuing, enter your domain name and click the “Add Domain” button.

In my example, it is “example.com”

 

Step 7. Import Users from FreeIPA

Once you have created your domain, it will appear in the Domains list. Click your domain to enter the configuration.

You will see there is currently no users configured. Click on the “Users Import” tab to continue.

Use the following details to configure your User Import. You will notice I am using Secure LDAP lookups. This stops the usernames and passwords from being transmitted in clear text. I HIGHLY recommend you do the same.

 

Use Secure Connection?  = Yes

LDAP/AD Server Address or Host Name = ds01.example.com

Backup LDAP/AD Server Address or Host Name = (leave blank)

Port (use 0 or blank to use the default port) = 636

Directory Type  = OpenLDAP

LDAP Version = 3

Base DN = cn=users,cn=accounts,dc=example,dc=com

User DN = uid=yubiradius,cn=sysaccounts,cn=etc,dc=example,dc=com

Password = redhat123

Schedule = Hourly

Timeout (Seconds) = 0

Filter = (memberOf=cn=yubikey,cn=groups,cn=accounts,dc=example,dc=com)

Notes = Blank

Login Name Identifier = uid

Once you have filled in all the relevant details. Click the “save” button. Once you have saved your configuration. Click the “Import Users” button.

You will be presented with a window that should look as follows. If you receive an error, you may have made an error in your configuration in this step. You will want to go back to double check.

See attached screen shot

Once this has completed, click “Return to previous page”, and then click the “Users/Groups” tab at the top.

 

Step 8. Assign Yubikey(s) to your User(s)

You should now see a list of users. These users will be a member of the “Yubikey” group. Note that there are no others users in the list.

To assign a Yubikey, you will need.. you guessed it, a Yubikey. Click the “Assign Yubikey” button

You will need to provide the username of one of your Users. For example, I have used “euser1”

You will also need to provide an OTP from the Yubikey you wish to assign. Insert the Yubikey into a USB socket, and press the Golden button once the light comes on. (Press for 1 second).

Pressing the Yubikey will also issue the “Enter” key command. So it should complete the process itself. If for some reason it does not, click the “Create” button.

Now lets go back to our Users/Group list. Click “YubiRADIUS Virtual Appliance” on the left side panel, and then click on your domain.

Your Users/Group list will now show you have assigned One Yubikey

See attached screen shot

 

Step 9. Verify your User’s Radius authentication.

Click “YubiRADIUS Virtual Appliance” on the left side panel once more, then click the “Troubleshoot” tab.

In the “RadTest” section, enter the username, password and OTP (another 1 second press of the yubikey” and click the “Send Request” button.

This should successfully validate your radius, your OTP with the YubiCloud service hosted by Yubico, as well as your username and password credentials.

See attached screen shot

You can see here that the user’s password and OTP are joined together. The Example User1’s password is RedHat123, and the OTP consists of the KeyID + a OTP.

 

That’s it folks. You can now use the YubiRadius to authenticate normal Radius requests with you Yubikey as Two Factor Authentication

 

Leave a Reply

Your email address will not be published.

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>