Showing results for 
Search instead for 
Did you mean: 

Yubikey for Two Factor

Occasional Contributor

Yubikey for Two Factor

Has anyone tried, or thought about, using Yubikey's and a backend RADIUS to do two factor with an SSL box? We have an SA4000 and thought it would work. Im having issues with getting RADIUS and the backend working but if the SA wont work with it anyway there is no point pursuing it.
Super Contributor

Re: Yubikey for Two Factor

this looks just like a smart card solution only this is generating OTP instead of a cert. I dont see a reason why this should not work bec as long as this server can talked radius and you have a way to pass the credentials from this device through juniper back to the auth server it is just a radius call. Have you tried doing a tcp dump on the inside interface of juniper to see the auth traffic?
New Contributor

Re: Yubikey for Two Factor

I've been working my way through getting this working, and am close.

I have an SA-4500 cluster. First factor of authentication is against AD and goes fine. Authentication with the Yubikey to YubiRADIUS had been failing. Syslog on the YubiRADIUS claimed that the password field was null. But when I ran tcpdump, the Auth-Request packet contained a hash of the "User-Password" RADIUS attribute, so it's there.

I found that when I prepended the AD password to the Yubikey passcode in the RADIUS passcode field, authentication succeeded. There doesn't appear to be anything I can do with the Juniper config to solve this. Anyone have any idea what I might change to authenticate without entering my AD password twice? I'll contact Yubico support and update here once it's working.

The Yubikey solution looks great, but the YubiRADIUS appliance and directions are a little bit lacking. The server side is obviously still a work in progress.

New Contributor

Re: Yubikey for Two Factor

I figured it out today, though I have to warn everyone that I ended up having to change some scripting on the YubiRADIUS server to get it working.

It seems like the crux of the problem is that the YubiRADIUS server wants to behave as a proxy for AD/LDAP authentication, being the gateway to both factors of authentication. The SA wants those auth servers to be different and won't let you choose the RADIUS server for both factors of authentication.

There doesn't appear to be any way to configure the Juniper SA box to send the username and password in the necessary format. However, the YubiRADIUS' ykval process calls a php script - /usr/share/yropval/ykropval-verify.php - that is expecting to see the AD password. When it doesn't, the process rejects the auth attempt and exits. Making the following changes to the php file solves this:

Comment out the following lines from ykropval-verify.php:

if (! $passwd) {   // If password was not explicitly provided, we assume the password is anything   // before the last 44 characters in $otp (legacy mode).   if (strlen($otp) > 44) {     $passwd = substr ($otp, 0, -44);     $otp = strtolower(substr($otp, -44, 44));   } else {     $passwd = null;     $otp = strtolower($otp);   } }  if (! $passwd) {   // As ldap_bind returns true for null password we are insuring that password should not be null   $myLog->log(LOG_DEBUG, "NULL password is not allowed in two factor auth"); }

Change the following line from:

if ( !($otp && $user && $client && $password)){


if ( !($otp && $user && $client)){

Authentication succeeds after these changes. I'm verifying these changes with Yubico and will post their reply.