PREREQUISITES

sudo apt-get install libpam-oath freeradius

FREERADIUS FILES

/etc/freeradius/clients.conf

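client localhost {
  ipaddr = 127.0.0.1
  # Shared secret for this client; "radius" is an example value, use a long random string
  secret = radius
  require_message_authenticator = no
  shortname = localhost
  nastype = other
}
client vpnserver {
  ipaddr = 10.0.0.200
  # Shared secret for the VPN server; must match the value configured on that host
  secret = radius
}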

/etc/freeradius/users

DEFAULT Auth-Type = PAM

/etc/freeradius/modules/pam

pam {
  pam_auth = radiusd
}

/etc/freeradius/sites-enabled/pam-oath

authorize {
  files
  expiration
}
authenticate {
  pam
}
accounting {
}
session {
}

PAM CONFIGURATION

Create /etc/pam.d/radiusd with the following contents:

auth requisite pam_oath.so usersfile=/etc/freeradius/users.oath window=20 digits=8

ADDING NEW USERS

To add a new user, add the username and YubiKey secret to /etc/freeradius/users.oath, one line per user. The secret is a 40-digit hexadecimal string.

HOTP [username] - [secret]

The /etc/freeradius/users.oath file contains additional fields which are populated by pam-oath upon successful authentication.
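
The following Python sketch is an added example, not part of the original guide or of pam_oath's source. It computes RFC 4226 HOTP values for a users.oath entry and shows what window=20 and digits=8 on the PAM line mean for validation. The user alice, the RFC 4226 test secret and the inclusive look-ahead bounds are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample entry: user "alice" with the RFC 4226 test secret in hex.
SAMPLE_LINE = "HOTP alice - 3132333435363738393031323334353637383930"


def parse_oath_line(line):
    """Return (username, secret_hex) from a 'HOTP [username] - [secret]' line."""
    fields = line.split()
    if len(fields) < 4 or not fields[0].startswith("HOTP"):
        raise ValueError("not a HOTP entry")
    secret = fields[3]
    if len(secret) != 40:
        raise ValueError("secret must be 40 hex digits")
    bytes.fromhex(secret)  # raises ValueError on non-hex characters
    return fields[1], secret


def hotp(secret_hex, counter, digits=8):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(bytes.fromhex(secret_hex), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def validate(secret_hex, counter, otp, window=20, digits=8):
    """Return the matching counter within the look-ahead window, else None.

    Assumption for this sketch: counters counter..counter+window are tried.
    """
    if len(otp) != digits or not otp.isascii() or not otp.isdigit():
        return None
    for candidate in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(secret_hex, candidate, digits), otp):
            return candidate
    return None


if __name__ == "__main__":
    user, secret = parse_oath_line(SAMPLE_LINE)
    # The token was pressed 9 times without logging in; the server is at 0.
    matched = validate(secret, 0, hotp(secret, 9))
    print(user, "matched counter", matched, "-> next expected", matched + 1)
    # Replaying the same OTP after the counter has advanced must fail.
    print("replay accepted:", validate(secret, matched + 1, hotp(secret, 9)) is not None)
```

A larger window tolerates more accidental key presses between logins, but it also increases the number of OTPs that are acceptable at any given moment.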

TESTING AUTHENTICATION

Start the RADIUS server in debug mode:

/usr/sbin/freeradius -X

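In another terminal, run radtest. Here [password] is the one-time password generated by the YubiKey, and [secret] is the RADIUS shared secret from clients.conf, not the YubiKey secret: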

radtest [username] [password] 127.0.0.1 0 [secret]