12:33 a.m.
Hi all, I installed simple freeradius (not enabled particular module),I configured radisu
client, one simple user (only password) and added RADIUS-proxy in FreeIPA, but my
RADIUS-server do not get requests from remote client. But test-util "radtest"
from this server work fine.
What am I doing wrong?
Can somebody explain better the utility ipa radius proxy?
Thanks
8:51 a.m.
Giuseppe Calo via FreeIPA-devel wrote:
Hi all, I installed simple freeradius (not enabled particular
module),I configured radisu client, one simple user (only password) and added RADIUS-proxy
in FreeIPA, but my RADIUS-server do not get requests from remote client. But test-util
"radtest"
from this server work fine.
What am I doing wrong?
Can somebody explain better the utility ipa radius proxy?
We need more information on what you've already done.
rob
11:43 a.m.
Hi Rob.
I have installed and confgured freeradius, then I configured a radius
client and one user radius. I checked for selinux and firewall, all it is
ok. Rddtest works well on radius client. Radius client is freeipa server.
On freeipa server I add radius server specifing its fqdn and secret then I
configured a user with authentication metod radius, specifing the just
added proxy server. If i try to ssh login on ipa client with new user,
prompt ask me first and second factor. As first I insert user ipa password
and as second, the user radius password (the username on radius and ipa is
the same). Please note that on radius I didn't enable any module(pam,
ldap). What I'm wro g? Thanks
Il mer 16 nov 2022, 15:51 Rob Crittenden <rcritten(a)redhat.com> ha scritto:
Giuseppe Calo via FreeIPA-devel wrote:
> Hi all, I installed simple freeradius (not enabled particular module),I
configured radisu client, one simple user (only password) and added
RADIUS-proxy in FreeIPA, but my RADIUS-server do not get requests from
remote client. But test-util "radtest"
> from this server work fine.
>
> What am I doing wrong?
> Can somebody explain better the utility ipa radius proxy?
We need more information on what you've already done.
rob
12:29 p.m.
Giuseppe Calo wrote:
Hi Rob.
I have installed and confgured freeradius, then I configured a radius
client and one user radius. I checked for selinux and firewall, all it
is ok. Rddtest works well on radius client. Radius client is freeipa
server. On freeipa server I add radius server specifing its fqdn and
secret then I configured a user with authentication metod radius,
specifing the just added proxy server. If i try to ssh login on ipa
client with new user, prompt ask me first and second factor. As first I
insert user ipa password and as second, the user radius password (the
username on radius and ipa is the same). Please note that on radius I
didn't enable any module(pam, ldap). What I'm wro g? Thanks
I'd check the journal for ipa-otpd logging. That may provide some clues.
rob
Il mer 16 nov 2022, 15:51 Rob Crittenden <rcritten(a)redhat.com
<mailto:rcritten@redhat.com>> ha scritto:
Giuseppe Calo via FreeIPA-devel wrote:
> Hi all, I installed simple freeradius (not enabled particular
module),I configured radisu client, one simple user (only password)
and added RADIUS-proxy in FreeIPA, but my RADIUS-server do not get
requests from remote client. But test-util "radtest"
> from this server work fine.
>
> What am I doing wrong?
> Can somebody explain better the utility ipa radius proxy?
We need more information on what you've already done.
rob
2:39 p.m.
It seem I don't have these logs:
[root@master ~]# systemctl list-units | grep ipa
ipa-custodia.service
loaded active running IPA Custodia Service
ipa-dnskeysyncd.service
loaded active running IPA key daemon
ipa.service
loaded active exited Identity, Policy, Audit
ipa-otpd.socket
loaded active listening ipa-otpd socket
ipa-ccache-sweep.timer
loaded active elapsed Remove Expired Kerberos
Credential Caches
[root@master ~]# systemctl status ipa-otpd.socket
● ipa-otpd.socket - ipa-otpd socket
Loaded: loaded (/usr/lib/systemd/system/ipa-otpd.socket; disabled;
vendor preset: disabled)
Active: active (listening) since Wed 2022-11-16 17:32:04 CET; 4h 4min
ago
Until: Wed 2022-11-16 17:32:04 CET; 4h 4min ago
Listen: /run/krb5kdc/DEFAULT.socket (Stream)
Accepted: 0; Connected: 0;
CGroup: /system.slice/ipa-otpd.socket
Nov 16 17:32:04 master.idm.cmcc.scc systemd[1]: Listening on ipa-otpd
socket.
[root@master ~]# journalctl -xeu ipa-otpd
~
~
Where can I check?
In any case, is it right to insert as first factor the password of user
defined in ipa and as second factor the password defined in radius?
Looking radius logs, it seems it didn't receive communication from ipa
server (client radius).
Thanks
Il giorno mer 16 nov 2022 alle ore 19:29 Rob Crittenden <rcritten(a)redhat.com>
ha scritto:
Giuseppe Calo wrote:
> Hi Rob.
>
> I have installed and confgured freeradius, then I configured a radius
> client and one user radius. I checked for selinux and firewall, all it
> is ok. Rddtest works well on radius client. Radius client is freeipa
> server. On freeipa server I add radius server specifing its fqdn and
> secret then I configured a user with authentication metod radius,
> specifing the just added proxy server. If i try to ssh login on ipa
> client with new user, prompt ask me first and second factor. As first I
> insert user ipa password and as second, the user radius password (the
> username on radius and ipa is the same). Please note that on radius I
> didn't enable any module(pam, ldap). What I'm wro g? Thanks
I'd check the journal for ipa-otpd logging. That may provide some clues.
rob
>
> Il mer 16 nov 2022, 15:51 Rob Crittenden <rcritten(a)redhat.com
> <mailto:rcritten@redhat.com>> ha scritto:
>
> Giuseppe Calo via FreeIPA-devel wrote:
> > Hi all, I installed simple freeradius (not enabled particular
> module),I configured radisu client, one simple user (only password)
> and added RADIUS-proxy in FreeIPA, but my RADIUS-server do not get
> requests from remote client. But test-util "radtest"
> > from this server work fine.
> >
> > What am I doing wrong?
> > Can somebody explain better the utility ipa radius proxy?
>
> We need more information on what you've already done.
>
> rob
>
7:11 a.m.
On ke, 16 marras 2022, Giuseppe Calo via FreeIPA-devel wrote:
It seem I don't have these logs:
[root@master ~]# systemctl list-units | grep ipa
ipa-custodia.service
loaded active running IPA Custodia Service
ipa-dnskeysyncd.service
loaded active running IPA key daemon
ipa.service
loaded active exited Identity, Policy, Audit
ipa-otpd.socket
loaded active listening ipa-otpd socket
ipa-ccache-sweep.timer
loaded active elapsed Remove Expired Kerberos
Credential Caches
[root@master ~]# systemctl status ipa-otpd.socket
● ipa-otpd.socket - ipa-otpd socket
Loaded: loaded (/usr/lib/systemd/system/ipa-otpd.socket; disabled;
vendor preset: disabled)
Active: active (listening) since Wed 2022-11-16 17:32:04 CET; 4h 4min
ago
Until: Wed 2022-11-16 17:32:04 CET; 4h 4min ago
Listen: /run/krb5kdc/DEFAULT.socket (Stream)
Accepted: 0; Connected: 0;
CGroup: /system.slice/ipa-otpd.socket
Nov 16 17:32:04 master.idm.cmcc.scc systemd[1]: Listening on ipa-otpd
socket.
[root@master ~]# journalctl -xeu ipa-otpd
~
~
Where can I check?
In any case, is it right to insert as first factor the password of user
defined in ipa and as second factor the password defined in radius?
That is certainly not supported. When RADIUS proxy is used for user's
authentication, both factors passed unchanged to the RADIUS server and
the result of authentication by the RADIUS server is expected to define
whether user is authenticated or not.
This also only works over Kerberos. Please see detailed flow described
in https://freeipa.readthedocs.io/en/latest/designs/ldap_pam_passthrough.html
where LDAP passthrough is not implemented (that's a design page, not
documentation for existing feature) but the current flow is discussed.
Looks like your setup is incomplete. In order to help, we need to see
exact steps that you have done to configure and test the setup and
output you have received. Please provide the exact output, not
paraphrase.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
8:25 a.m.
Thanks Alexander,
these are the steps I applied -->
**********************************
on Radius server:
[root@radius ~]# yum install freeradius freeradius-utils freeradius-mysql freeradius-perl
freeradius-ldap
[root@radius raddb]# vi clients.conf
client ipa {
ipaddr = 192.168.0.0/24
proto = *
secret = xxxxxx
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
secret = xxxxxx
}
[root@radius raddb]# vi users| egrep -v "#"
user-test Cleartext-Password := "testpass"
Reply-Message := "Hello, %{User-Name}"
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
[root@radius raddb]# service radiusd restart
[root@radius raddb]# radtest user-test testpass 192.168.0.15 100 xxxxxx
Sent Access-Request Id 10 from 0.0.0.0:40950 to 192.168.0.15:1812 length 76
User-Name = "user-test"
User-Password = "testpass"
NAS-IP-Address = 192.168.0.15
NAS-Port = 100
Message-Authenticator = 0x00
Cleartext-Password = "testpass"
Received Access-Accept Id 10 from 192.168.0.15:1812 to 192.168.0.15:40950 length 35
Reply-Message = "Hello, user-tets"
****************************************
on ipa server:
yum install freeradius freeradius-utils
to check with
[root@ipa]# radtest user-test testpass 192.168.0.15 100 xxxxxx
Sent Access-Request Id 10 from 0.0.0.0:40950 to 192.168.0.15:1812 length 76
User-Name = "user-test"
User-Password = "testpass"
NAS-IP-Address = 192.168.0.15
NAS-Port = 100
Message-Authenticator = 0x00
Cleartext-Password = "testpass"
Received Access-Accept Id 10 from 192.168.0.15:1812 to 192.168.0.15:48259 length 35
Reply-Message = "Hello, user-tets"
ipa radiusproxy-add radius-server --server=radius.xxxx.yyy:1812
ipa radiusproxy-mod radius-server --secret xxxxxx
ipa user-mod --radius=radius-server --radius-username=user-test user-ipa
Form a client:
ssh server.my.domain -l user-ipa
First Factor: (password from ipa)
Second Factor: (password from radius)
First Factor: (password from radius)
Second Factor: (blank)
ipa-user(a)server.my.domain 's password:
Permission denied, please try again.
ipa-user(a)server.my.domain's password:
Received disconnect from x.x.x.x port 22:2: Too many authentication failures
Disconnected from x.x.x.x port 22
No log collected for this session on
/var/log/radius/radius.log
What else have I to enable?
Thanks and sorry for the delay
4:22 a.m.
Hi,
On Tue, Nov 22, 2022 at 3:34 PM Giuseppe Calo via FreeIPA-devel <
freeipa-devel(a)lists.fedorahosted.org> wrote:
Thanks Alexander,
these are the steps I applied -->
**********************************
on Radius server:
[root@radius ~]# yum install freeradius freeradius-utils freeradius-mysql
freeradius-perl freeradius-ldap
[root@radius raddb]# vi clients.conf
client ipa {
ipaddr = 192.168.0.0/24
proto = *
secret = xxxxxx
require_message_authenticator = no
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
client localhost_ipv6 {
ipv6addr = ::1
secret = xxxxxx
}
[root@radius raddb]# vi users| egrep -v "#"
user-test Cleartext-Password := "testpass"
Reply-Message := "Hello, %{User-Name}"
DEFAULT Framed-Protocol == PPP
Framed-Protocol = PPP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
Framed-Protocol = SLIP,
Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
Framed-Protocol = SLIP
[root@radius raddb]# service radiusd restart
[root@radius raddb]# radtest user-test testpass 192.168.0.15 100 xxxxxx
Sent Access-Request Id 10 from 0.0.0.0:40950 to 192.168.0.15:1812 length
76
User-Name = "user-test"
User-Password = "testpass"
NAS-IP-Address = 192.168.0.15
NAS-Port = 100
Message-Authenticator = 0x00
Cleartext-Password = "testpass"
Received Access-Accept Id 10 from 192.168.0.15:1812 to 192.168.0.15:40950
length 35
Reply-Message = "Hello, user-tets"
****************************************
on ipa server:
yum install freeradius freeradius-utils
to check with
[root@ipa]# radtest user-test testpass 192.168.0.15 100 xxxxxx
Sent Access-Request Id 10 from 0.0.0.0:40950 to 192.168.0.15:1812 length
76
User-Name = "user-test"
User-Password = "testpass"
NAS-IP-Address = 192.168.0.15
NAS-Port = 100
Message-Authenticator = 0x00
Cleartext-Password = "testpass"
Received Access-Accept Id 10 from 192.168.0.15:1812 to 192.168.0.15:48259
length 35
Reply-Message = "Hello, user-tets"
ipa radiusproxy-add radius-server --server=radius.xxxx.yyy:1812
ipa radiusproxy-mod radius-server --secret xxxxxx
ipa user-mod --radius=radius-server --radius-username=user-test user-ipa
Which authentication types are allowed for the user?
# ipa user-show user-ipa
# ipa config-show
Form a client:
ssh server.my.domain -l user-ipa
First Factor: (password from ipa)
Second Factor: (password from radius)
First Factor: (password from radius)
Second Factor: (blank)
ipa-user(a)server.my.domain 's password:
Permission denied, please try again.
ipa-user(a)server.my.domain's password:
Received disconnect from x.x.x.x port 22:2: Too many authentication
failures
Disconnected from x.x.x.x port 22
For me it's working if I set the authentication types to radius only, and
provide the radius password as First Factor, and a blank value as second
factor.
If the authentication types contain both radius and password, it looks like
the request doesn't reach the radius server.
flo
No log collected for this session on
/var/log/radius/radius.log
What else have I to enable?
Thanks and sorry for the delay
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
6:55 a.m.
Thanks Flo,
I'll try as soon as possible and I ll let you know.
Regards,
Giuseppe.
Il mar 20 dic 2022, 11:22 Florence Blanc-Renaud <flo(a)redhat.com> ha scritto:
Hi,
On Tue, Nov 22, 2022 at 3:34 PM Giuseppe Calo via FreeIPA-devel <
freeipa-devel(a)lists.fedorahosted.org> wrote:
> Thanks Alexander,
> these are the steps I applied -->
> **********************************
> on Radius server:
> [root@radius ~]# yum install freeradius freeradius-utils
> freeradius-mysql freeradius-perl freeradius-ldap
>
> [root@radius raddb]# vi clients.conf
>
> client ipa {
> ipaddr = 192.168.0.0/24
> proto = *
> secret = xxxxxx
> require_message_authenticator = no
> limit {
> max_connections = 16
> lifetime = 0
> idle_timeout = 30
> }
> }
>
> client localhost_ipv6 {
> ipv6addr = ::1
> secret = xxxxxx
> }
>
> [root@radius raddb]# vi users| egrep -v "#"
>
> user-test Cleartext-Password := "testpass"
> Reply-Message := "Hello, %{User-Name}"
>
> DEFAULT Framed-Protocol == PPP
> Framed-Protocol = PPP,
> Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == "CSLIP"
> Framed-Protocol = SLIP,
> Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == "SLIP"
> Framed-Protocol = SLIP
>
>
> [root@radius raddb]# service radiusd restart
>
> [root@radius raddb]# radtest user-test testpass 192.168.0.15 100 xxxxxx
> Sent Access-Request Id 10 from 0.0.0.0:40950 to 192.168.0.15:1812 length
> 76
> User-Name = "user-test"
> User-Password = "testpass"
> NAS-IP-Address = 192.168.0.15
> NAS-Port = 100
> Message-Authenticator = 0x00
> Cleartext-Password = "testpass"
> Received Access-Accept Id 10 from 192.168.0.15:1812 to 192.168.0.15:40950
> length 35
> Reply-Message = "Hello, user-tets"
> ****************************************
>
> on ipa server:
>
> yum install freeradius freeradius-utils
> to check with
> [root@ipa]# radtest user-test testpass 192.168.0.15 100 xxxxxx
> Sent Access-Request Id 10 from 0.0.0.0:40950 to 192.168.0.15:1812 length
> 76
> User-Name = "user-test"
> User-Password = "testpass"
> NAS-IP-Address = 192.168.0.15
> NAS-Port = 100
> Message-Authenticator = 0x00
> Cleartext-Password = "testpass"
> Received Access-Accept Id 10 from 192.168.0.15:1812 to 192.168.0.15:48259
> length 35
> Reply-Message = "Hello, user-tets"
>
> ipa radiusproxy-add radius-server --server=radius.xxxx.yyy:1812
> ipa radiusproxy-mod radius-server --secret xxxxxx
>
> ipa user-mod --radius=radius-server --radius-username=user-test user-ipa
>
> Which authentication types are allowed for the user?
# ipa user-show user-ipa
# ipa config-show
> Form a client:
> ssh server.my.domain -l user-ipa
> First Factor: (password from ipa)
> Second Factor: (password from radius)
> First Factor: (password from radius)
> Second Factor: (blank)
> ipa-user(a)server.my.domain 's password:
> Permission denied, please try again.
> ipa-user(a)server.my.domain's password:
> Received disconnect from x.x.x.x port 22:2: Too many authentication
> failures
> Disconnected from x.x.x.x port 22
>
> For me it's working if I set the authentication types to radius only, and
provide the radius password as First Factor, and a blank value as second
factor.
If the authentication types contain both radius and password, it looks
like the request doesn't reach the radius server.
flo
> No log collected for this session on
>
> /var/log/radius/radius.log
>
> What else have I to enable?
>
> Thanks and sorry for the delay
>
> _______________________________________________
> FreeIPA-devel mailing list -- freeipa-devel(a)lists.fedorahosted.org
> To unsubscribe send an email to
> freeipa-devel-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedoraho...
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
490
days inactive
524
days old
freeipa-devel@lists.fedorahosted.org
8 comments
4 participants
participants (4)
-
Alexander Bokovoy -
Florence Blanc-Renaud -
Giuseppe Calo -
Rob Crittenden