From Fedora Project Wiki

Diff from the previous revision (line 51): the principal in the FAST OTP kinit command was changed from "otp" to "radius".

Previous revision:
  # kinit -T `klist | grep cache | cut -d':' -f2-` otp
This revision:
  # kinit -T `klist | grep cache | cut -d':' -f2-` radius

Revision as of 15:30, 5 June 2013

Description

External OTP.

Setup

Prerequisites

  1. A FreeIPA instance set up like this.
  2. Optional: A third-party 2FA system with RADIUS support.

How to test

Preparation

Log in as the admin:

# kinit admin

Create a user for external testing:

# ipa user-add radius --random

Log in as the new user. This will force a password change. This is important since OTP does not yet implement password changing.

# kinit radius

Note (Password): Remember the password you create! It is your first factor.

Enabling External 2FA

Log back in as the admin:

# kinit admin

Once you have done this, you have several options for testing RADIUS support, each listed below. After whichever option you choose has been performed, the user 'radius' can only log in with two factors.

Option 1 - Internal Testing RADIUS Server

Enable the test user for the internal RADIUS Server.

# ipa-testday-radius radius

Option 2 - External RADIUS Server

Enable the test user for the external RADIUS Server, giving the server's host:port and its shared secret.

# ipa-testday-radius radius radius.mycompany.com:1812 MyRADIUSSecret

Option 3 - External RADIUS Server with Username Override

Enable the test user for the external RADIUS Server, overriding the username sent to RADIUS.

# ipa-testday-radius radius radius.mycompany.com:1812 MyRADIUSSecret MyUsername

Testing Two-Factor Authentication

Clients which will support OTP, like SSSD, will enable FAST automatically. However, for testing purposes, kinit requires manual configuration.

First, we need to log in as the admin user (or really any non-OTP user) so that we can use this user's ccache to enable FAST.

# kinit admin

Once we are logged in as a non-OTP user, we can do a FAST OTP authentication:

# kinit -T `klist | grep cache | cut -d':' -f2-` radius

You should now be prompted to "Enter OTP Token Value:". Enter the RADIUS credentials here. If you are using the internal testing RADIUS server, the password is "accept". If you are using your own third-party RADIUS server, you will need to enter whatever credentials are required for your server.

If all went well, issuing a 'klist' command should show you as having successfully authenticated against RADIUS!
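As an added example (not from the wiki page), a small POSIX shell helper for the manual FAST step above: it pulls the armor ccache name out of MIT `klist` output, refuses to proceed if the armor credentials belong to the OTP user itself, and then runs `kinit -T`. The function names and the sample klist output in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki page: a helper around the manual
# "kinit -T <armor ccache> <otp user>" step. Function names and the
# sample klist output in the comments are assumptions of this example.

# Print the ccache name from MIT klist output read on stdin, e.g.
# "Ticket cache: KEYRING:persistent:0:0" -> "KEYRING:persistent:0:0".
# Everything after "Ticket cache: " is kept, so ccache types whose
# names contain further colons (KEYRING, DIR) parse correctly.
armor_ccache_from_klist() {
    sed -n 's/^Ticket cache: //p' | head -n 1
}

# Print the principal from "Default principal: admin@EXAMPLE.TEST".
principal_from_klist() {
    sed -n 's/^Default principal: //p' | head -n 1
}

# The armor TGT must belong to a principal that is NOT the OTP user:
# the OTP user can only log in with two factors, so it cannot armor
# its own request. Returns 0 if $1 (armor principal) may armor $2.
armor_is_independent() {
    case $1 in
        "")     return 1 ;;   # no principal parsed at all
        "$2"@*) return 1 ;;   # armor creds belong to the OTP user
        *)      return 0 ;;
    esac
}

# Usage: fast_otp_kinit radius
# Obtains a FAST-armored TGT for the OTP user; the value typed at the
# "Enter OTP Token Value:" prompt travels inside the FAST tunnel set
# up with the armor ccache rather than as un-armored pre-authentication.
fast_otp_kinit() {
    otp_user=$1
    out=$(klist 2>/dev/null) || { echo "no armor ccache: run 'kinit admin' first" >&2; return 1; }
    ccache=$(printf '%s\n' "$out" | armor_ccache_from_klist)
    [ -n "$ccache" ] || { echo "could not find 'Ticket cache:' in klist output" >&2; return 1; }
    armor_is_independent "$(printf '%s\n' "$out" | principal_from_klist)" "$otp_user" ||
        { echo "armor ccache belongs to $otp_user; kinit as a non-OTP user first" >&2; return 1; }
    kinit -T "$ccache" "$otp_user"
}
```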

Expected Results

All the test steps should end with the specified results.