From Fedora Project Wiki

Description

External OTP.

Setup

Prerequisites

  1. A FreeIPA instance set up like this.
  2. Optional: A third-party 2FA system with RADIUS support.

How to test

Preparation

Log in as the admin:

# kinit admin

Create a user for external testing:

# ipa user-add radius --random

Log in as the new user. This will force a password change. This is important since OTP does not yet implement password changing.

# kinit radius

Enabling External 2FA

Log back in as the admin:

# kinit admin

Once you have done this, you have several options for testing RADIUS support, each listed below. Once any of these steps is performed, the user 'radius' can only log in via two factors.

Option 1 - Internal Testing RADIUS Server

Enable the test user for the internal RADIUS Server.

# ipa-testday-radius radius

Option 2 - External RADIUS Server

Enable the test user for the external RADIUS Server.

# ipa-testday-radius radius radius.mycompany.com:1812 MyRADIUSSecret

Option 3 - External RADIUS Server with Username Override

Enable the test user for the external RADIUS Server, overriding the username that is sent to the RADIUS Server.

# ipa-testday-radius radius radius.mycompany.com:1812 MyRADIUSSecret MyUsername

Testing Two-Factor Authentication

Clients that support OTP, such as SSSD, enable FAST automatically. For testing purposes, however, kinit requires manual configuration.

First, we need to log in as the admin user (or really any non-OTP user) so that we can use this user's ccache to enable FAST.

# kinit admin

Once we are logged in as a non-OTP user, we can do a FAST OTP authentication:

# kinit -T `klist | grep cache | cut -d':' -f2-` radius

You should now be prompted to "Enter OTP Token Value:". Enter the RADIUS credentials here. If you are using the internal testing RADIUS server, the password is "accept". If you are using your own third-party RADIUS server, you will need to enter whatever credentials are required for your server.

If all went well, issuing a 'klist' command should show you as having successfully authenticated against RADIUS!
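To show what the host:port, shared secret and username override configured above mean on the wire, and what happens to the value typed at the "Enter OTP Token Value:" prompt, here is an added illustration that is not FreeIPA code: a minimal RADIUS PAP exchange per RFC 2865, with a constructed responder that, like the internal test server, accepts only the token "accept". The fixed request authenticator, the secret `MyRADIUSSecret` and the username `MyUsername` used in the example are assumed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

def _pap_xor(data, secret, request_auth, hiding):
    """RFC 2865 s5.2: XOR each 16-byte chunk with MD5(secret + previous chunk).
    The chain feeds back the *hidden* chunk, so hide and reveal differ only there."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out, prev = out + xored, (xored if hiding else chunk)
    return out

def hide_password(pw, secret, ra):
    return _pap_xor(pw + b"\0" * (-len(pw) % 16), secret, ra, True)

def reveal_password(hidden, secret, ra):
    return _pap_xor(hidden, secret, ra, False).rstrip(b"\0")

def build_access_request(ident, username, token, secret, request_auth=None):
    """What the IPA server sends to host:port: the (possibly overridden) username and
    the OTP value the user typed at the kinit prompt, as a hidden User-Password."""
    request_auth = request_auth or os.urandom(16)  # fresh 16 random bytes per request
    attrs = struct.pack("!BB", USER_NAME, len(username) + 2) + username.encode()
    hidden = hide_password(token.encode(), secret, request_auth)
    attrs += struct.pack("!BB", USER_PASSWORD, len(hidden) + 2) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def radius_server(request, secret, valid_token=b"accept"):
    """Constructed stand-in for the internal test server: Accept iff the token is 'accept'.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs, i = {}, 20
    while i < len(request):
        attrs[request[i]] = request[i + 2:i + request[i + 1]]
        i += request[i + 1]
    token = reveal_password(attrs[USER_PASSWORD], secret, request[4:20])
    code = ACCESS_ACCEPT if hmac.compare_digest(token, valid_token) else ACCESS_REJECT
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def verify_response(response, request, secret):
    """Client side: only a peer holding the shared secret can forge a valid authenticator."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[1] == request[1] and hmac.compare_digest(expected, response[4:20])
```

A server configured with a different secret neither reveals the token correctly nor produces a response the client will accept, which is the failure you would see with a mistyped MyRADIUSSecret.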

Testing for Failure

Now that we know everything is working, let's ensure that bad passwords actually cause authentication to fail. Simply issue the following command and enter random token values to confirm failure:

# kinit -T `klist | grep cache | cut -d':' -f2-` radius

Expected Results

All the test steps should end with the specified results.