WiKID + OpenLDAP + Freeradius Howto - Page 2

 
Submitted by nowen (Contact Author) (Forums) on Wed, 2011-01-05 18:02. ::

Configuring the WiKID Strong Authentication Server

Now that Freeradius proxies authentication requests to WiKID, we need to configure WiKID to accept them. See the WiKID installation manual for the details on how to install and configure the WiKID server. Here we are only adding a radius network client for Freeradius:

Log into the WiKIDAdmin web interface:

Click on the Network Clients tab:

Network Clients page

Click on "Create New Network Client". Give the Network Client a name, specify the IP address the Freeradius server will proxy from, select Radius as the protocol and choose which WiKID Domain to use. (WiKID domains hold the users and specify certain security parameters such as PIN length, the lifetime of the one-time passcodes, max bad PIN/passcode attempts, etc.)


Click Add.

On the next page, enter the Shared Secret. This must be the same secret you gave Freeradius for the WiKID server when you configured proxying on the previous page. Be sure these match: with a mismatched secret WiKID cannot recover the passcode from the proxied request, and Freeradius will discard WiKID's reply because its Response Authenticator does not verify, so every login fails. WiKID supports adding radius return attributes at the Network Client level and on a per-user group level; however, that is beyond the scope of this document.

Add Shared Secret

You will get a notice that the network client has been added. You then need to restart the WiKID server from the command line; this loads the new network client into the radius interface and opens the radius ports on WiKID's built-in firewall:

# wikidctl restart
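To make concrete why the shared secret on the WiKID Network Client must match the one in the Freeradius proxy configuration, here is an added example (not code from the page, WiKID or Freeradius) that models the RADIUS Access-Request/Access-Accept exchange of RFC 2865 between a proxying client and a toy server standing in for WiKID's radius interface. The user name, passcode and secrets are constructed. It shows the two things the secret controls: the User-Password attribute carrying the one-time passcode is hidden with an MD5 keystream derived from the secret and the Request Authenticator, so a server with a different secret recovers garbage and rejects; and the Response Authenticator on the reply is an MD5 over the reply plus the secret, so a client with a different secret cannot validate the reply at all (Freeradius drops such replies and the request times out).

```python
"""RADIUS PAP exchange (RFC 2865) as Freeradius proxies it to WiKID.

Added example: not code from the page, WiKID or Freeradius. The toy server
below stands in for WiKID's radius interface; names, OTPs and secrets are
constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _keystream_xor(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the Request
    Authenticator in place of a previous block."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, key))
        out += xored
        prev = block if decrypt else xored  # always chain on the ciphertext block
    return bytes(out)


def obscure_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 bytes (at least one block), then hide."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _keystream_xor(padded, secret, request_auth, decrypt=False)


def reveal_password(ciphertext: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Recover the password and drop the NUL padding (numeric OTPs never contain NUL)."""
    return _keystream_xor(ciphertext, secret, request_auth, decrypt=True).rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length includes the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    """Walk the attribute list, refusing lengths that would loop or overrun."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(ident: int, user: bytes, otp: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes. The Request
    Authenticator is a fresh random value chosen by the client (Freeradius)."""
    attrs = attr(ATTR_USER_NAME, user) + attr(ATTR_USER_PASSWORD, obscure_password(otp, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the proxying client does before trusting a reply: recompute the
    Response Authenticator with its own copy of the secret and compare."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def toy_wikid_server(packet: bytes, secret: bytes, current_otps: dict) -> bytes:
    """Stand-in for WiKID's radius interface (constructed, not WiKID's code):
    recover the passcode with the server-side secret and accept only on a match."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs[ATTR_USER_NAME].decode("utf-8", errors="replace")
    otp = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    verdict = ACCESS_ACCEPT if current_otps.get(user) == otp else ACCESS_REJECT
    return build_response(verdict, ident, request_auth, secret)


def run_exchange(client_secret: bytes, server_secret: bytes, user: bytes = b"alice", otp: bytes = b"482913") -> str:
    """One proxied authentication. Returns 'accept', 'reject', or 'bad-authenticator'
    (reply failed verification; Freeradius would drop it and the login would time out)."""
    current_otps = {"alice": b"482913"}  # constructed: the passcode the token just displayed
    ident, request_auth = 7, os.urandom(16)
    request = build_access_request(ident, user, otp, client_secret, request_auth)
    reply = toy_wikid_server(request, server_secret, current_otps)
    if not verify_response(reply, request_auth, client_secret):
        return "bad-authenticator"
    return "accept" if reply[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    print("matching secrets, right OTP:", run_exchange(b"s3cret", b"s3cret"))
    print("matching secrets, wrong OTP:", run_exchange(b"s3cret", b"s3cret", otp=b"000000"))
    print("mismatched secrets         :", run_exchange(b"s3cret", b"s3cr3t"))
```

On the real systems the equivalent check is Freeradius's radtest, run from the Freeradius host against the WiKID server with a passcode the token has just displayed: radtest followed by the user name, the one-time passcode, the WiKID server address, a NAS port number (0 is fine) and the shared secret. An Access-Accept confirms that the network client IP, the shared secret and the domain are all correct; a timeout with no reply is the usual symptom of a secret mismatch or of the firewall not yet opened by the restart, and an Access-Reject points at the user, PIN or passcode instead.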

 

Running the WiKID Software token

Start the WiKID token and select the Domain you associated with the Freeradius network client above:

Enter the PIN:

And you will get back the one-time passcode. The passcode is only valid for a limited time; that lifetime is a per-domain setting on the WiKID server:

The user simply enters this one-time passcode when prompted for a password by SSH.

The token can also be run from the command line, which is quite convenient for SSH:

java -cp jWiKID-3.1.3.jar:jwcl.jar com.wikidsystems.jw.JWcl domainid

Where domainid is the 12-digit domain identifier.

 

Conclusion

OpenLDAP and Freeradius are great open-source projects. It should be noted that, since we are adding two-factor authentication using the standard Radius protocol, a similar setup can be constructed with other LDAP and Radius solutions. That's the benefit of standards!

Learn more about WiKID's Two-factor Authentication System.
