
yubico

After importing the users along with their hierarchical information from LDAP/AD, any group that does not contain any (imported) users is not displayed in the Users/Group tab.

13.2 Importing users with a specific group membership:

YubiRADIUS can be set up to import users from different OUs that have a specific group membership. The directory administrator can create a new group in AD called “testing”. The group “testing” can then be added to the AD import filter criteria, so that only users in the “testing” group are imported. See below for the steps to set it up:

1) We are assuming that the Active Directory domain is yubiradius.com and that all the users who need to use YubiKeys have been made members of the group called “testing”. The complete distinguished name (DN) of the “testing” group is “CN=testing,CN=Users,DC=yubiradius,DC=com”.

2) In order to import only the users belonging to this group, “testing” under OU “Users”, you need to provide the Filter in the “Users Import” field as follows:

“memberOf=CN=testing,OU=Users,DC=yubiradius,DC=com”

3) The rest of the parameters remain the same. A sample import configuration with all parameters filled out is shown in the image below:

13.3 Importing users from multiple groups:

1) It is possible to import users belonging to multiple groups. See the example below.


2) In the domain yubiradius.com you need to import the users belonging to both groups “testing” and “marketing”.

3) The complete DN of the testing group is “CN=testing,CN=Users,DC=yubiradius,DC=com”.

4) The complete DN of the marketing group is “CN=marketing,OU=test,DC=yubiradius,DC=com”.

5) In order to import only the users belonging to these two groups, you need to apply the Filter in the “Users Import” field as follows:

(|(memberOf=CN=testing,CN=Users,DC=yubiradius,DC=com)(memberOf=CN=marketing,OU=test,DC=yubiradius,DC=com))

6) The rest of the parameters remain the same. A sample import configuration with all parameters filled out is shown in the image below:
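As an added example (not from the YubiRADIUS manual, which only shows the finished filter strings) covering both the single-group filter of 13.2 and the multi-group filter of 13.3, the following Python builds the “Users Import” memberOf filter from group DNs and applies it to constructed directory entries (user1, user2, user3 are made up), so you can see that the OR filter imports the union of the groups and that a memberOf value must be the group's exact DN:

```python
# Added example (not from the YubiRADIUS manual): build the "Users Import"
# memberOf filter for one or more group DNs and apply it to constructed
# directory entries, to show what the filter selects and what it misses.

def ldap_escape(value):
    """Escape an assertion value for an RFC 4515 filter: * ( ) \\ and NUL."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def member_of_filter(group_dns):
    """One group -> (memberOf=DN); several -> (|(memberOf=DN1)(memberOf=DN2)).
    The manual writes the single-group filter without the outer parentheses;
    RFC 4515 requires them, so they are emitted here."""
    parts = ["(memberOf=%s)" % ldap_escape(dn) for dn in group_dns]
    return parts[0] if len(parts) == 1 else "(|" + "".join(parts) + ")"

def normalize_dn(dn):
    """AD matches DN-valued attributes case-insensitively and ignores
    whitespace around the commas that separate RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def select_users(entries, group_dns):
    """Return the sAMAccountNames the memberOf filter would import. This is a
    union: a user needs membership in any one listed group, not all of them.
    Caveat: AD does not list a user's primary group (normally Domain Users)
    in memberOf, so such a group cannot be used as the import filter."""
    wanted = {normalize_dn(dn) for dn in group_dns}
    return [e["sAMAccountName"] for e in entries
            if wanted & {normalize_dn(g) for g in e.get("memberOf", [])}]

# Group DNs exactly as given in the manual
TESTING_DN = "CN=testing,CN=Users,DC=yubiradius,DC=com"
MARKETING_DN = "CN=marketing,OU=test,DC=yubiradius,DC=com"

# Constructed directory entries (not real accounts)
ENTRIES = [
    {"sAMAccountName": "user1", "memberOf": [TESTING_DN]},
    {"sAMAccountName": "user2", "memberOf": ["cn=marketing, ou=test, dc=yubiradius, dc=com"]},
    {"sAMAccountName": "user3", "memberOf": ["CN=IT,OU=test,DC=yubiradius,DC=com"]},
]

if __name__ == "__main__":
    print(member_of_filter([TESTING_DN]))
    print(member_of_filter([TESTING_DN, MARKETING_DN]))
    print(select_users(ENTRIES, [TESTING_DN, MARKETING_DN]))  # ['user1', 'user2']
    # The value must be the group's exact DN: a different container matches nothing.
    print(select_users(ENTRIES, ["CN=testing,OU=Users,DC=yubiradius,DC=com"]))  # []
```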

Note that if a username is changed in AD/LDAP, then after importing the users again the new username is assigned to the respective uid and all the YubiKey credentials are assigned to the new username.


14 Appendix 5: Web API

The YubiKey provides a secure additional authentication factor to web services and various other applications. The YubiRADIUS Validation Protocol is a Web API of the YubiRADIUS Virtual Appliance that can be used for YubiKey-based strong two-factor authentication against an existing enterprise directory. The Web API leverages the existing YubiRADIUS capabilities to provide strong two-factor authentication.

The Web API verifies the username + password + YubiKey OTP according to the configuration defined in the YubiRADIUS Virtual Appliance. The Web API validates the OTP first with the online validation server and, if that fails, with the local validation server. After successful OTP validation it verifies the username and password with LDAP or AD, and then it checks the mapping between the registered YubiKey and the supplied OTP. If the YubiKey is not mapped to any user and Auto Provisioning is enabled, that YubiKey is automatically assigned to the user who supplied the OTP.

Please refer to the following document for more information about the Web API:

YubiRADIUS_validation_protocol.pdf, available from the http://www.yubico.com/yubiradius/ page.


15 Appendix 6: YubiApp Registration

The ‘YubiApp Registration’ service provides the ability to generate keys to provision YubiApp, a software-based backup for physical YubiKey(s), for use on smartphones or tablets. This allows a user to use a backup method on the phone if they forget their YubiKey at home, or while waiting for a new YubiKey if the physical YubiKey is lost or stolen.

The backup YubiApp requires the user’s physical YubiKey to register and to generate the AES key used in the YubiApp. Up to three YubiApps can be registered for each physical YubiKey.

Once registered, the YubiApp provides the user with two-factor YubiKey authentication on smartphones or tablets without immediate access to the physical YubiKey.

Please note that because the AES key for the YubiApp is stored on the device, the YubiApp does not provide the same security against compromise as a physical YubiKey and should be used only sparingly in an organization.

1) Configuration:

The ‘YubiApp Registration’ service must be enabled at two levels:

First, Global configuration to enable YubiApp:

The administrator can enable/disable YubiApp registration at a global level in the ‘General’ menu of the ‘Global Configuration’ tab.

Please note that globally enabling/disabling YubiApp Registration affects all domains.

See below for enabling YubiApp at the Domain level.

Next, Domain Configuration to enable YubiApp:

The administrator can enable/disable the domain-level YubiApp configuration under the domain >> Configuration tab.

2) YubiApp registration:

Users can access the ‘YubiApp Registration’ service at the following URL:

https://<IP address of the YubiRADIUS virtual appliance>/YubiApp/

The above URL takes the user to the YubiApp Registration page.

The YubiApp Registration page also provides the link to download the Android application for mobile phones.

For example, we have user1 from ‘yubiradius.com’


Note that if YubiRADIUS contains only a single domain, then YubiApp registration can be done by simply entering the login name rather than the login name followed by the domain name.

For example: if we have user1 from yubiradius.com, and ‘yubiradius.com’ is the only domain available, then the user can enter ‘user1’ as the Username for YubiApp registration, as opposed to user1@yubiradius.com. Please refer to the following screenshot:

Only if the Username, Password and OTP (One Time Password) from the physical YubiKey are all valid does ‘YubiApp Registration’ allow the user to create soft-YubiKey (backup YubiKey) tokens.

After a successful validation, the user can select any key as a backup YubiKey in the ‘YubiKey Type’ drop-down box.

When the user selects a backup YubiKey from ‘YubiKey Type’, the corresponding QR code is generated. The user then needs to capture the QR code with the mobile device and will be able to generate the soft key tokens.

Once the user clicks on ‘Continue to upload AES key’, the backup YubiKey is added to the database and assigned to the corresponding user.


Hence users can self-generate YubiApp (soft-YubiKey) OTPs on their smartphone for mobile-based two-factor authentication.

YubiKey Import File:

When ‘YubiApp Registration’ completes successfully, the corresponding backup YubiKey details (such as AES key and public id) are stored in the ‘YubiApp_import.csv’ file, located at /var/www/YubiApp/import.

Under the Synchronization tab, administrators can import the ‘YubiApp_import.csv’ file on synchronized instances so that the backup YubiKey functionality can be used with synchronization.

The ‘YubiApp_import.csv’ file is a log file containing backup YubiKey credentials in the “Original Windows Personalization Tool format”, for example:

(1,ejcbfgjjlftu,108c23fed523,6f4e4acb435b11455f8daa6dc49e41dd,000000000000,,,)

The Administrator can import ‘YubiApp_import.csv’ file manually from ‘YubiKeys Import’ tab of the corresponding domain to add these backup YubiKeys on synchronized instances.
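The following is an added example, not part of the YubiRADIUS manual or appliance, that parses and sanity-checks ‘YubiApp_import.csv’ records before they are imported on a synchronized instance: it converts the modhex public id to hex, checks field lengths and alphabets, and rejects duplicate public ids. The manual names only the public id and AES key columns; the private id and access code column names, and the assumption that the parentheses around the manual's sample line are typography rather than file content, are mine, and the second sample line is constructed.

```python
# Added example (not from the YubiRADIUS manual): validate YubiApp_import.csv
# records. Columns after public id and AES key are assumed from the
# Personalization Tool log layout (private id, access code, trailing extras).
import csv
import io

MODHEX = "cbdefghijklnrtuv"   # YubiKey modhex alphabet; index = hex digit value

def modhex_to_hex(s):
    """Convert a modhex string (e.g. the public id) to ordinary hex."""
    if not s or any(ch not in MODHEX for ch in s):
        raise ValueError("not modhex: %r" % s)
    return "".join("%x" % MODHEX.index(ch) for ch in s)

def _hex(value, nibbles, name):
    if len(value) != nibbles or any(c not in "0123456789abcdefABCDEF" for c in value):
        raise ValueError("%s must be %d hex chars: %r" % (name, nibbles, value))
    return value.lower()

def parse_import_line(line):
    """Parse one record. The manual shows the line wrapped in (), which is
    assumed to be typography and is stripped if present."""
    fields = next(csv.reader(io.StringIO(line.strip().strip("()"))))
    if len(fields) < 5:
        raise ValueError("expected at least 5 fields, got %d" % len(fields))
    public_id = fields[1]
    if len(public_id) != 12:
        raise ValueError("public id must be 12 modhex chars: %r" % public_id)
    return {
        "index": int(fields[0]),
        "public_id": public_id,
        "public_id_hex": modhex_to_hex(public_id),          # 6-byte id as hex
        "private_id": _hex(fields[2], 12, "private id"),    # assumed column
        "aes_key": _hex(fields[3], 32, "AES key"),          # 16-byte key (plaintext!)
        "access_code": _hex(fields[4], 12, "access code"),  # assumed column
    }

def parse_import_file(text):
    """Parse all non-empty lines; reject duplicate public ids, since two
    backup keys sharing a public id could not be told apart at validation."""
    records, seen = [], set()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_import_line(line)
        if rec["public_id"] in seen:
            raise ValueError("duplicate public id %s" % rec["public_id"])
        seen.add(rec["public_id"])
        records.append(rec)
    return records

# Constructed sample: the first line is the manual's example, the second is made up.
SAMPLE = """(1,ejcbfgjjlftu,108c23fed523,6f4e4acb435b11455f8daa6dc49e41dd,000000000000,,,)
2,cbdefghijkln,000000000001,00112233445566778899aabbccddeeff,000000000000,,,
"""

if __name__ == "__main__":
    for rec in parse_import_file(SAMPLE):   # never print the AES key itself
        print(rec["index"], rec["public_id"], rec["public_id_hex"], "AES key: <redacted>")
```

Because the file holds the backup keys' AES secrets in plaintext, it deserves the same file-permission and transfer protections as any other key material when it is moved between synchronized instances.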


16 Appendix 7: YubiRADIUS Virtual Appliance Port Information

Sr. No   Protocol                             Port

1.       LDAP                                 389
2.       LDAPS                                636
3.       Webmin                               10000
4.       Validation Request to the YubiHSM    8002
5.       freeradius                           1812
6.       Web-API                              80
7.       ykval                                80
8.       ykropval                             80
9.       Ykmap-sync                           80
10.      Ykval-sync                           80

Related documents