Hi All,
I'm trying to set up a Cisco/Meraki VPN appliance to authenticate to FreeIPA using two-factor authentication (I have Google Authenticator and Yubikey set up and working in FreeIPA).

Meraki can do Radius to authenticate a user. I've set up a FreeRadius server and set it up to use FreeIPA as the authentication source.

I tried the following as the back end in Radius:

- LDAP: can authenticate both with password and password+OTP, but if I want to enforce OTP on VPN, I need to enforce OTP on all users, which is not what we want.
- Kerberos: I've set up a 'vpn' principal and can enforce 2FA on it. First I got 'ERROR: krb5 : Error verifying credentials (-1765328174): Generic preauthentication failure', so I set up 'Anonymous kerberos' (which is an adventure by itself), but it's still not working.

It might be possible to use Radius -> PAM, but I'm not sure how.

Any help appreciated,
Gabriel

P.S. Meraki Wireless (WPA2-Enterprise) and 802.1x port security work fine against the Radius server (no 2FA required).

freeipa-users@lists.fedorahosted.org