YubiRadius integration with group-validated Active Directory Users using LDAP

This article shows how to set up the YubiRadius Virtual Appliance (v. 3.5.1) to validate users against a Windows Server 2008 R2 Active Directory, restricting the import to members of one AD security group.

You can obtain the YubiRadius Virtual Appliance from the good people over at Yubico.

This guide does not cover how to deploy the virtual appliance on your chosen virtualization platform. I am running it under KVM, and a special thanks goes to Gavin Spurgeon for getting the VA converted and working smoothly (with virtio as the icing on the cake).

For details on configuring the Virtual Appliance itself, refer to Yubico’s own documentation.

Now, before we begin, the details for the purpose of this article are as follows.

Active Directory Domain Controller: dc01.nt.example.com (10.0.2.11)

YubiRadius VA: yubiradius01.nt.example.com (10.0.2.31)

Group to be used for validation: “yubikey”

YubiRadius LDAP Bind Account: “yubiradius” (a plain domain user with no admin rights; I created it in the default “Users” container, CN=Users)

YubiRadius LDAP Bind Password: “redhat123”

Example Users: wuser1, wuser2, wuser3

 

Step 1. Creation of non-admin Bind account, and Yubikey security group in Active Directory Users and Computers.

I won’t cover how to create users and groups in Active Directory, as I will assume that you will already know how to do this if you are reading this guide.

 

Step 2. Configure your YubiRadius through its Webmin management page. Start by logging in.

Browse to https://<hostname or ip of yubiradius>:10000

Log in with the appliance’s default credentials:

Username: yubikey

Password: yubico

These defaults are public knowledge, and port 10000 is the full Webmin admin interface, so change this password as soon as you are logged in and do not expose the port beyond your management network.

See attached screen shot

 

Step 3. Create a domain.

The first page you are presented with is the Domain page. Before continuing, enter your domain name and click the “Add Domain” button.

In my example, it is “nt.example.com”

See attached screen shot

 

Step 4. Import Users from Active Directory

Once you have created your domain, it will appear in the Domains list. Click your domain to enter the configuration.

You will see there is currently no users configured. Click on the “Users Import” tab to continue.

Use the following details to configure your User Import. You may notice that, unlike in my FreeIPA article, I have not selected a secure connection.

I HIGHLY recommend against using any form of unencrypted connection when dealing with usernames and passwords. However, with Active Directory 2008 R2 I found the authentication process to be unstable and rarely successful when using a secure connection. I will be raising this with Yubico directly, but for the time being you can get it working with an unsecured connection. If you do try the secure option, first confirm that the DC’s LDAPS certificate is trusted by the appliance and that its subject name matches the host name you enter below; a mismatch there is the usual reason an LDAPS bind fails.

PLEASE BE AWARE: an unsecured LDAP connection means the bind account’s password, every attribute imported, and each user’s AD password (checked against the DC at every RADIUS login) cross the network in clear text. Anyone who can sniff the segment between the appliance and the DC can capture them, so do this only on an isolated management network, and at your own risk.

If you wish to proceed, use the following details to configure the user import.

Use Secure Connection?  = No

LDAP/AD Server Address or Host Name = dc01.nt.example.com

Backup LDAP/AD Server Address or Host Name = (leave blank)

Port (use 0 or blank to use the default port) = 3268 (the Global Catalog port; the plain domain LDAP port is 389, and the secure equivalents are 3269 and 636)

Directory Type  = Active Directory

LDAP Version = 3

Base DN = cn=users,dc=nt,dc=example,dc=com (only objects under this container are searched; if your users live in other OUs, widen this to dc=nt,dc=example,dc=com)

User DN = yubiradius@nt.example.com

Password = redhat123

Schedule = Hourly

Timeout (Seconds) = 0

Filter = (memberOf=cn=yubikey,cn=Users,dc=nt,dc=example,dc=com) (this must be the group’s exact distinguished name; in the default AD layout “Users” is a container, so its DN component is cn=Users, not ou=Users, which matches the Base DN above. If you placed the group in a real OU, use that OU’s DN instead)

Notes = Blank

Login Name Identifier = sAMAccountName
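Before clicking “Import Users”, it is worth running the same query the appliance will run, from any Linux host with the OpenLDAP client tools, so that an empty import can be traced to the filter or the bind account rather than to the appliance. The following script is an added example, not part of the original article or the Yubico appliance: it assembles the ldapsearch command from the settings above (the bind password is read from a file so it never appears in the process list), parses the LDIF result, and reports which expected accounts the filter missed. The constructed LDIF sample stands in for the DC’s real answer so the check can be exercised offline; the group DN assumes the “yubikey” group lives in the default CN=Users container.

```python
import base64
import subprocess

# Settings copied from the "Users Import" page above; adjust to your domain.
# GROUP_DN assumes the yubikey group sits in the default Users container.
SERVER = "dc01.nt.example.com"
PORT = 3268                                   # Global Catalog, plaintext LDAP
BIND_USER = "yubiradius@nt.example.com"       # AD accepts a UPN as the bind name
BASE_DN = "cn=users,dc=nt,dc=example,dc=com"
GROUP_DN = "cn=yubikey,cn=Users,dc=nt,dc=example,dc=com"
LOGIN_ATTR = "sAMAccountName"


def build_ldapsearch(password_file, server=SERVER, port=PORT, bind_user=BIND_USER,
                     base_dn=BASE_DN, group_dn=GROUP_DN, attr=LOGIN_ATTR):
    """argv for an ldapsearch that mirrors the appliance's import query.

    The bind password comes from a file via -y, not from -w, so it is not
    visible to every local user in `ps`.
    """
    return [
        "ldapsearch", "-LLL", "-x",
        "-H", f"ldap://{server}:{port}",
        "-D", bind_user, "-y", password_file,
        "-b", base_dn, "-s", "sub",
        f"(memberOf={group_dn})", attr,
    ]


def parse_logins(ldif, attr=LOGIN_ATTR):
    """Extract login names from LDIF output; handles base64 ('::') values."""
    logins = []
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.lower() != attr.lower():
            continue
        if value.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        logins.append(value)
    return logins


def check_import_filter(password_file, expected, ldif=None):
    """Compare the accounts the filter returns with the ones you expect.

    Pass ldif= to check a saved result offline; otherwise ldapsearch is run.
    """
    if ldif is None:
        ldif = subprocess.run(build_ldapsearch(password_file), capture_output=True,
                              text=True, check=True).stdout
    found = set(parse_logins(ldif))
    return {"found": sorted(found),
            "missing": sorted(set(expected) - found),
            "unexpected": sorted(found - set(expected))}


# Constructed sample of what the query returns when the filter is right
# (the third entry is base64-encoded, as LDIF does for some values).
SAMPLE_LDIF = """\
dn: CN=Windows User1,CN=Users,DC=nt,DC=example,DC=com
sAMAccountName: wuser1

dn: CN=Windows User2,CN=Users,DC=nt,DC=example,DC=com
sAMAccountName: wuser2

dn: CN=Windows User3,CN=Users,DC=nt,DC=example,DC=com
sAMAccountName:: d3VzZXIz
"""

if __name__ == "__main__":
    print(" ".join(build_ldapsearch("/root/.yubiradius-bind-pw")))
    print(check_import_filter(None, ["wuser1", "wuser2", "wuser3"], ldif=SAMPLE_LDIF))
```

If “missing” is non-empty, check the group DN in the filter first (a wrong container or OU in the memberOf value simply matches nothing), then the Base DN, then whether the bind account can read the group membership at all.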

 

Once you have filled in all the relevant details, click the “Save” button. Once the configuration is saved, click the “Import Users” button.

You will be presented with a window that should look as follows. If you receive an error, you have most likely made a mistake in this step’s configuration (the bind credentials, Base DN and group DN are the usual suspects), so go back and double-check.

See attached screen shot

Once this has completed, click “Return to previous page”, and then click the “Users/Groups” tab at the top.

 

Step 5. Assign Yubikey(s) to your User(s)

You should now see a list of users, all of them members of the “yubikey” group. If no users are listed, go back and check that you actually have users belonging to the “yubikey” security group you created earlier, and that the import filter names that group’s correct DN.

To assign a Yubikey, you will need.. you guessed it, Click the “Assign Yubikey” button.

You will need to provide the username of one of your users. In my example I have used “wuser1”.

You will also need to provide an OTP from the YubiKey you wish to assign. Insert the YubiKey into a USB socket and, once the light comes on, press the gold button briefly (about 1 second). A short press uses the key’s first configuration slot; a long press of several seconds selects the second slot, which is not what you want here.

The YubiKey also sends an “Enter” keystroke after the OTP, so the form should submit itself. If for some reason it does not, click the “Create” button.

Now lets go back to our Users/Group list. Click “YubiRADIUS Virtual Appliance” on the left side panel, and then click on your domain.

Your Users/Groups list will now show that one YubiKey has been assigned to that user.

See attached screen shot

 

Step 6. Verify your User’s Radius authentication.

Click “YubiRADIUS Virtual Appliance” on the left side panel once more, then click the “Troubleshoot” tab.

In the “RadTest” section, enter the username, password and an OTP (another 1 second press of the YubiKey) and click the “Send Request” button.

A successful response confirms three things at once: the RADIUS request itself was accepted, the OTP was validated by the YubiCloud service hosted by Yubico, and the username and password were accepted by Active Directory.

See attached screen shot

You can see here that the user’s password and OTP are concatenated into a single RADIUS password field: wuser1’s AD password is RedHat123, immediately followed by the 44-character OTP, which consists of the key’s 12-character public ID plus the 32-character one-time part. The same combined value is what your RADIUS clients (VPN concentrators, switches and so on) must send in the password field.
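To make the “password + OTP” convention concrete, here is an added example (my own illustration, not code from the article or from the Yubico appliance) of how a RADIUS front end can split that field the way YubiRadius does: the OTP is always the trailing 44 characters of the YubiKey’s modhex alphabet, so the AD password in front of it may contain anything. The script also decodes the public ID to hex, which is how it appears in YubiKey personalization tools, and treats a field without a valid OTP as the failure case of a user who typed their password but never touched the key. The OTP value is constructed for the example and is not a real key’s output.

```python
MODHEX = "cbdefghijklnrtuv"   # YubiKey OTPs use this 16-character alphabet
OTP_LEN = 44                  # 12-character public ID + 32-character OTP body
PUBLIC_ID_LEN = 12


def split_credential(radius_password):
    """Split the RADIUS password field into (ad_password, public_id, otp).

    The OTP is always the final 44 characters, so the AD password itself may
    contain any character. Raises ValueError when no valid OTP is present,
    which is what a user who forgot to touch the key looks like.
    """
    if len(radius_password) < OTP_LEN:
        raise ValueError("password field shorter than a 44-character OTP")
    otp = radius_password[-OTP_LEN:]
    if any(c not in MODHEX for c in otp):
        raise ValueError("last 44 characters are not modhex; OTP missing or mangled")
    return radius_password[:-OTP_LEN], otp[:PUBLIC_ID_LEN], otp


def has_otp(radius_password):
    """True when the field ends in something shaped like a YubiKey OTP."""
    try:
        split_credential(radius_password)
        return True
    except ValueError:
        return False


def modhex_to_hex(s):
    """Decode modhex to hex, e.g. to match the public ID against the key's record."""
    return "".join(format(MODHEX.index(c), "x") for c in s)


# Constructed example: wuser1's AD password followed by a made-up OTP
# from a key whose public ID is vvbrcvcdrlce (not a real key).
SAMPLE_OTP = "vvbrcvcdrlce" + "ghjklnrtuvcbdefghijklnrtuvcbdefg"
SAMPLE_FIELD = "RedHat123" + SAMPLE_OTP

if __name__ == "__main__":
    password, public_id, otp = split_credential(SAMPLE_FIELD)
    print("AD password:", password)
    print("public ID  :", public_id, "(hex", modhex_to_hex(public_id) + ")")
    print("OTP        :", otp)
    print("no OTP     :", has_otp("RedHat123"))
```

The public ID is the only part of the OTP that is constant across presses, which is why the appliance can map it to a user at assignment time; everything after it changes on every press and is only meaningful to the validation service.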

 

That’s it, folks. You can now point your RADIUS clients at the YubiRadius appliance and use your YubiKey as the second factor for ordinary RADIUS authentication.
