At the moment I have a Univention domain controller with Win10 PCs in the office and some OpenVPN clients to the server with an OPNsense firewall.
We want to switch to 2FA auth with yubikeys.
Is privacyIDEA the missing link for 2FA in the above scenario?
I want to do this step by step, or is it better to do it all at once?
privacyIDEA behind the firewall, or on the public IP in the office?
It can be a lot of work for you. Continue reading and decide for yourself!
I would put it behind the firewall. In the first step you probably only want to authenticate users on the VPN. Since the VPN can talk to systems in the internal network or DMZ, this is the right location for privacyIDEA.
Short answer: You cannot “integrate” privacyIDEA into Univention Corporate Server. Your Windows clients are probably authenticating against UCS via Kerberos, which is Heimdal on the UCS.
This does not support adding 3rd party auth servers.
You could however use the privacyIDEA Credential Provider as a local component on each Windows client. But then you would get problems if the clients get outside of your network. They need to be able to reach privacyIDEA.
I would do this first as a low hanging fruit. You can do this via PAM and FreeRADIUS.
Take a look here
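As an added illustration of the VPN step the answer above recommends (this is example code written for this page, not code from the privacyIDEA project or from the poster), the script below shows the exchange that the privacyIDEA PAM and FreeRADIUS integrations ultimately perform: a POST to privacyIDEA's `/validate/check` endpoint with the user name and the PIN+OTP the user typed, accepting the login only when the reply carries `result.status == true` and `result.value == true`. It is written as an OpenVPN `auth-user-pass-verify ... via-file` script, where OpenVPN hands the script a temporary file with the user name on line 1 and the password on line 2 and treats exit code 0 as "accept". The server URL and realm are placeholders, and the `fake_transport` at the bottom is a constructed stand-in for a privacyIDEA server so the logic can be exercised offline; it is not part of any real deployment.

```python
"""Verify an OpenVPN user + PIN/OTP against privacyIDEA's /validate/check.

Added example for this page, not privacyIDEA project code. Assumptions:
  * a privacyIDEA server reachable from the OpenVPN host (PI_URL below is a
    placeholder), with the VPN users resolvable in realm PI_REALM (placeholder)
  * OpenVPN configured with:  auth-user-pass-verify /etc/openvpn/pi-auth.py via-file
  * the user enters "<PIN><OTP>" in the password field (privacyIDEA's default)
"""
import json
import sys
import urllib.parse
import urllib.request

PI_URL = "https://privacyidea.internal.example"   # placeholder hostname
PI_REALM = "office"                                 # placeholder realm


def read_via_file(path):
    """OpenVPN 'via-file' mode: username on line 1, password on line 2."""
    with open(path, "r", encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2:
        raise ValueError("credential file must contain a username and a password line")
    return lines[0], lines[1]


def http_post(url, fields, timeout=10):
    """Default transport: form-encoded POST, returns the parsed JSON body.

    urllib verifies the server certificate by default; do not disable that,
    the OTP travels in this request.
    """
    data = urllib.parse.urlencode(fields).encode("utf-8")
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def validate_check(user, password, transport=http_post, base_url=PI_URL, realm=PI_REALM):
    """Return True only if privacyIDEA confirms password (PIN+OTP) for user.

    Fails closed: wrong OTP, unknown user, transport error, or a reply that
    does not carry result.status == True and result.value == True all yield False.
    """
    if not user or not password:
        return False
    try:
        body = transport(base_url + "/validate/check",
                         {"user": user, "pass": password, "realm": realm})
    except Exception:
        return False
    result = body.get("result", {}) if isinstance(body, dict) else {}
    return result.get("status") is True and result.get("value") is True


# Constructed stand-in for a privacyIDEA server, used only for offline demonstration.
FAKE_USERS = {"alice": "1234567890"}  # PIN 1234 followed by OTP 567890


def fake_transport(url, fields):
    """Mimics the JSON shape privacyIDEA returns from /validate/check."""
    assert url.endswith("/validate/check")
    ok = FAKE_USERS.get(fields["user"]) == fields["pass"]
    return {"result": {"status": True, "value": ok},
            "detail": {"message": "matching 1 tokens" if ok else "wrong otp pin"}}


def main(argv):
    user, password = read_via_file(argv[1])
    # exit 0 tells OpenVPN to accept the client; anything else rejects it
    return 0 if validate_check(user, password) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The important design point is the fail-closed check: a privacyIDEA reply with `status: true` but `value: false` is a normal "wrong OTP" answer, and a reply with `status: false` (or no reply at all) is a server-side error, so the script treats everything except an explicit double `true` as a rejection.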