It seems I don't have these logs:
[root@master ~]# systemctl list-units | grep ipa
ipa-custodia.service loaded active running IPA Custodia Service
ipa-dnskeysyncd.service loaded active running IPA key daemon
ipa.service loaded active exited Identity, Policy, Audit
ipa-otpd.socket loaded active listening ipa-otpd socket
ipa-ccache-sweep.timer loaded active elapsed Remove Expired Kerberos Credential Caches
[root@master ~]# systemctl status ipa-otpd.socket
● ipa-otpd.socket - ipa-otpd socket
Loaded: loaded (/usr/lib/systemd/system/ipa-otpd.socket; disabled; vendor preset: disabled)
Active: active (listening) since Wed 2022-11-16 17:32:04 CET; 4h 4min ago
Until: Wed 2022-11-16 17:32:04 CET; 4h 4min ago
Listen: /run/krb5kdc/DEFAULT.socket (Stream)
Accepted: 0; Connected: 0;
CGroup: /system.slice/ipa-otpd.socket
Nov 16 17:32:04 master.idm.cmcc.scc systemd[1]: Listening on ipa-otpd socket.
[root@master ~]# journalctl -xeu ipa-otpd
~
~
Where can I check?
In any case, is it right to enter as the first factor the password of the user
defined in ipa and as the second factor the password defined in radius?
Looking at the radius logs, it seems it didn't receive any communication from
the ipa server (the radius client).
Thanks
On Wed, 16 Nov 2022 at 19:29, Rob Crittenden <rcritten(a)redhat.com> wrote:
Giuseppe Calo wrote:
> Hi Rob.
>
> I have installed and configured freeradius, then I configured a radius
> client and one radius user. I checked selinux and the firewall, all
> is ok. Radtest works well on the radius client. The radius client is the
> freeipa server. On the freeipa server I added the radius server, specifying
> its fqdn and secret, then I configured a user with authentication method
> radius, specifying the just added proxy server. If I try to ssh login on an
> ipa client with the new user, the prompt asks me for first and second factor.
> As first I insert the user's ipa password and as second, the user's radius
> password (the username on radius and ipa is the same). Please note that on
> radius I didn't enable any module (pam, ldap). What am I doing wrong? Thanks
I'd check the journal for ipa-otpd logging. That may provide some clues.
rob
>
> On Wed, 16 Nov 2022, 15:51 Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> wrote:
>
> Giuseppe Calo via FreeIPA-devel wrote:
> > Hi all, I installed simple freeradius (not enabled particular
> > module), I configured radius client, one simple user (only password)
> > and added RADIUS-proxy in FreeIPA, but my RADIUS-server does not get
> > requests from remote client. But test-util "radtest"
> > from this server works fine.
> >
> > What am I doing wrong?
> > Can somebody explain better the utility ipa radius proxy?
>
> We need more information on what you've already done.
>
> rob
>