U2F with Freeradius


I was wondering if that scenario should work in theory.

PI bound to Freeradius with privacyidea_radius.pm.
I’ve successfully registered a Yubikey 4 as U2F Token in PI.

Should it be possible to use that U2F token as an OTP token to authenticate at a third-party webservice (VMware UAG)? The webservice is connected via the Freeradius server to PI and just asks for the OTP.

I’ve also configured U2F facets but didn’t get it running.

Thank you,

U2F is a pain in the a**.

From a user perspective it looks totally nice and I would ask every service provider on the internet, every portal, every web shop to implement it. (In this case each service takes care of registration and authentication - which is the original design of U2F).

But U2F is totally made for HTTP! If you want to use it anywhere else it means bending technology and this is where we are at my first sentence :wink:

  1. Your UAG has to support U2F from a JavaScript point of view. (Which might be implemented there).
  2. Your UAG has to be able to communicate to privacyIDEA. (Which is very likely not implemented there)
  3. Passing the challenge response through RADIUS challenge response is most probably not possible, not supported by privacyIDEA RADIUS and very most probably not supported by UAG - which would be the RADIUS client.

You should not use U2F for an infrastructure under your control! Why would you use it in the first place? Save some money on hardware? Get a Nitrokey or a Yubikey. You can initialize the secret key and be much more secure than with the usual U2F device, which usually derives all key pairs from a master key you cannot change.

(Sorry for this U2F rant :wink:)

Thanks for your detailed and honest answer. Seems U2F is not the way to go for that setup :wink: