🔐 1. privacyIDEA
- Website: privacyidea.org
- Auth Methods: TOTP, HOTP, Push, WebAuthn/U2F, YubiKey, SMS, Email
- Integration:
  - Native AD/LDAP integration: users are read from AD through an LDAP resolver, so AD stays the identity source and only the token data lives in privacyIDEA
  - FreeRADIUS plugin, so RADIUS clients (VPN concentrators, switches, firewalls) can authenticate AD users with password + OTP
- Highlights:
  - Enterprise-grade open source
  - Web interface and policies (per-user, per-realm, per-client rules for enrollment and authentication)
  - Plugins for PAM, Apache, NGINX, and more, plus a Windows Credential Provider for desktop logon
- Use Case: Best for centralized token management across multiple services that all authenticate against the same AD.
🔐 2. LinOTP
- Website: www.linotp.org
- Auth Methods: TOTP, HOTP, SMS, Email, and more
- Integration:
  - LDAP/Active Directory user resolvers
  - RADIUS integration (FreeRADIUS module), so VPNs and network devices can authenticate against it
- Highlights:
  - Modular token support
  - Admin web UI
  - Windows logon is possible, but it needs a separate credential provider and additional setup
🔐 3. Authelia
- Website: authelia.com
- Auth Methods: TOTP, Duo Push, WebAuthn
- Integration:
  - LDAP/AD backend for the first factor (username/password bind against AD)
  - Designed to sit behind a reverse proxy (NGINX, Traefik, Caddy, HAProxy) as a forward-auth portal in front of web services
- Highlights:
  - Web-service focused: it does not cover Windows logon or RADIUS clients, but it guards internal web apps using AD identities
  - Access-control rules set `bypass`, `one_factor`, `two_factor`, or `deny` per domain, path, group, user, or source network
🔐 4. Aegis Secure Login (for Windows)
- GitHub: Aegis
- Auth Methods: TOTP
- Integration:
  - Local and AD Windows logon
- Highlights:
  - Open source alternative to Duo for Windows login
  - Lightweight, native Windows experience
🧰 5. Keycloak (w/ FreeIPA or LDAP)
- Website: www.keycloak.org
- Auth Methods: TOTP/HOTP and WebAuthn built in; SMS and other factors via community extensions
- Integration:
  - AD via LDAP user federation (Kerberos/SPNEGO is also supported for desktop SSO)
  - Acts as the SAML/OIDC identity provider in front of applications
- Highlights:
  - Enterprise-grade identity provider
  - Best for securing AD-connected web apps; conditional OTP steps in the authentication flow let you require 2FA per role, client, or user attribute
Bonus: RADIUS + AD + 2FA Gateway Stack
If you’re into building your own stack:
- Use FreeRADIUS (OpenRADIUS is an older alternative)
- Pair with privacyIDEA or LinOTP for 2FA: the RADIUS server hands the username and the password+OTP to the OTP backend, which splits and checks them
- Backend: Active Directory via LDAP (the OTP server resolves the user and verifies the password against AD) or via a RADIUS proxy to an existing AD-backed RADIUS server such as Windows NPS
This setup works well for adding 2FA to VPNs, SSH (through pam_radius), and web logins with AD-backed identity. Two caveats: the OTP check needs the clear-text code, so clients must use PAP rather than CHAP/MS-CHAPv2, and PAP only obfuscates the password with the shared secret, so keep RADIUS traffic on a management network or use RadSec (RADIUS over TLS).
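Whatever front end you pick, the second factor every tool on this list shares is an RFC 4226/6238 OTP, and the two things a gateway must get right are a bounded clock-drift window and replay protection (a captured code must not work twice, even inside the window). The following is an added example written for this page, not code from privacyIDEA, LinOTP, Authelia, Keycloak, or any of the other projects above; the secret, the 30-second step, and the one-step window are assumptions, and the verifier keeps its per-user state in memory where a real gateway would keep it in the token database.

```python
# Added example, not code from any project listed above.
# Minimal HOTP (RFC 4226) / TOTP (RFC 6238) verifier with the two checks a
# 2FA gateway in front of AD must get right: a bounded clock-drift window and
# replay protection. Secret, step size and window values are assumptions.
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP over the time-step counter floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Per-user verifier state. `last_step` is the highest time-step already
    accepted; in a real gateway it lives in the token database, not in memory,
    so that every node (and every restart) enforces the same replay rule."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window      # accept +/- this many steps of clock drift
        self.last_step = -1       # no code accepted yet

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        # Reject anything that is not exactly `digits` ASCII decimal digits
        # before doing any crypto: cheap, and keeps compare_digest happy.
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return False
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            step = current + delta
            if step <= self.last_step:
                continue          # already used, or older than a used code
            expected = hotp(self.secret, step, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_step = step   # burn this and every earlier step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret; real seeds come from the enrollment QR/URI.
    demo_secret = b"12345678901234567890"
    v = TotpVerifier(demo_secret)
    now = int(time.time())
    code = totp(demo_secret, now)
    print("first use :", v.verify(code, now))    # True
    print("replay    :", v.verify(code, now))    # False
```

The window is deliberately small: every extra step you accept multiplies an attacker's chance per guess, so fix NTP on the clients before widening it. Because `last_step` is advanced to the accepted step, a code from an earlier step is refused even if it is still inside the window, which is the behaviour the RFC recommends and what the OTP servers above implement in their token tables.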