Hi all, I installed a simple freeradius (no particular module enabled), I configured a radius client, one simple user (password only) and added a RADIUS proxy in FreeIPA, but my RADIUS server does not get requests from the remote client. The test utility "radtest" from this server works fine, though.
What am I doing wrong? Can somebody explain better the utility of the ipa radius proxy? Thanks
We need more information on what you've already done.
rob
Hi Rob.
I have installed and configured freeradius, then I configured a radius client and one radius user. I checked selinux and the firewall, all is ok. Radtest works well on the radius client. The radius client is the freeipa server. On the freeipa server I added the radius server, specifying its fqdn and secret, then I configured a user with authentication method radius, specifying the just added proxy server. If I try to ssh login on an ipa client with the new user, the prompt asks me for a first and second factor. As first I insert the user's ipa password and as second the user's radius password (the username on radius and ipa is the same). Please note that on radius I didn't enable any module (pam, ldap). What am I doing wrong? Thanks
On Wed 16 Nov 2022, 15:51 Rob Crittenden rcritten@redhat.com wrote:
I'd check the journal for ipa-otpd logging. That may provide some clues.
rob
It seems I don't have these logs:
[root@master ~]# systemctl list-units | grep ipa
ipa-custodia.service      loaded active running   IPA Custodia Service
ipa-dnskeysyncd.service   loaded active running   IPA key daemon
ipa.service               loaded active exited    Identity, Policy, Audit
ipa-otpd.socket           loaded active listening ipa-otpd socket
ipa-ccache-sweep.timer    loaded active elapsed   Remove Expired Kerberos Credential Caches
[root@master ~]# systemctl status ipa-otpd.socket
● ipa-otpd.socket - ipa-otpd socket
   Loaded: loaded (/usr/lib/systemd/system/ipa-otpd.socket; disabled; vendor preset: disabled)
   Active: active (listening) since Wed 2022-11-16 17:32:04 CET; 4h 4min ago
    Until: Wed 2022-11-16 17:32:04 CET; 4h 4min ago
   Listen: /run/krb5kdc/DEFAULT.socket (Stream)
 Accepted: 0; Connected: 0;
   CGroup: /system.slice/ipa-otpd.socket

Nov 16 17:32:04 master.idm.cmcc.scc systemd[1]: Listening on ipa-otpd socket.
[root@master ~]# journalctl -xeu ipa-otpd
~
~
Where can I check?
In any case, is it right to insert as first factor the password of user defined in ipa and as second factor the password defined in radius?
Looking at the radius logs, it seems it didn't receive any communication from the ipa server (the radius client).
Thanks
On Wed 16 Nov 2022 at 19:29 Rob Crittenden rcritten@redhat.com wrote:
On Wed, 16 Nov 2022, Giuseppe Calo via FreeIPA-devel wrote:
In any case, is it right to insert as first factor the password of user defined in ipa and as second factor the password defined in radius?
That is certainly not supported. When the RADIUS proxy is used for a user's authentication, both factors are passed unchanged to the RADIUS server, and the result of the authentication by the RADIUS server is expected to define whether the user is authenticated or not.
This also only works over Kerberos. Please see the detailed flow described in https://freeipa.readthedocs.io/en/latest/designs/ldap_pam_passthrough.html, where LDAP passthrough is not implemented (that's a design page, not documentation for an existing feature) but the current flow is discussed.
Looks like your setup is incomplete. In order to help, we need to see exact steps that you have done to configure and test the setup and output you have received. Please provide the exact output, not paraphrase.
Thanks Alexander, these are the steps I applied -->
**********************************
on Radius server:
[root@radius ~]# yum install freeradius freeradius-utils freeradius-mysql freeradius-perl freeradius-ldap
[root@radius raddb]# vi clients.conf
client ipa {
    ipaddr = 192.168.0.0/24
    proto = *
    secret = xxxxxx
    require_message_authenticator = no
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
client localhost_ipv6 {
    ipv6addr = ::1
    secret = xxxxxx
}
[root@radius raddb]# vi users | egrep -v "#"
user-test Cleartext-Password := "testpass"
    Reply-Message := "Hello, %{User-Name}"

DEFAULT Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
    Framed-Protocol = SLIP,
    Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
    Framed-Protocol = SLIP
[root@radius raddb]# service radiusd restart
[root@radius raddb]# radtest user-test testpass 192.168.0.15 100 xxxxxx
Sent Access-Request Id 10 from 0.0.0.0:40950 to 192.168.0.15:1812 length 76
    User-Name = "user-test"
    User-Password = "testpass"
    NAS-IP-Address = 192.168.0.15
    NAS-Port = 100
    Message-Authenticator = 0x00
    Cleartext-Password = "testpass"
Received Access-Accept Id 10 from 192.168.0.15:1812 to 192.168.0.15:40950 length 35
    Reply-Message = "Hello, user-tets"
****************************************
on ipa server:
yum install freeradius freeradius-utils
to check with:
[root@ipa]# radtest user-test testpass 192.168.0.15 100 xxxxxx
Sent Access-Request Id 10 from 0.0.0.0:40950 to 192.168.0.15:1812 length 76
    User-Name = "user-test"
    User-Password = "testpass"
    NAS-IP-Address = 192.168.0.15
    NAS-Port = 100
    Message-Authenticator = 0x00
    Cleartext-Password = "testpass"
Received Access-Accept Id 10 from 192.168.0.15:1812 to 192.168.0.15:48259 length 35
    Reply-Message = "Hello, user-tets"
ipa radiusproxy-add radius-server --server=radius.xxxx.yyy:1812
ipa radiusproxy-mod radius-server --secret xxxxxx
ipa user-mod --radius=radius-server --radius-username=user-test user-ipa
From a client:
ssh server.my.domain -l user-ipa
First Factor: (password from ipa)
Second Factor: (password from radius)
First Factor: (password from radius)
Second Factor: (blank)
ipa-user@server.my.domain's password:
Permission denied, please try again.
ipa-user@server.my.domain's password:
Received disconnect from x.x.x.x port 22:2: Too many authentication failures
Disconnected from x.x.x.x port 22
No log collected for this session on
/var/log/radius/radius.log
What else do I have to enable?
Thanks and sorry for the delay
Hi,
On Tue, Nov 22, 2022 at 3:34 PM Giuseppe Calo via FreeIPA-devel < freeipa-devel@lists.fedorahosted.org> wrote:
Which authentication types are allowed for the user?
# ipa user-show user-ipa
# ipa config-show
For me it's working if I set the authentication types to radius only, and provide the radius password as First Factor, and a blank value as second factor. If the authentication types contain both radius and password, it looks like the request doesn't reach the radius server.
flo
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
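The two observations in this thread (Alexander: both factors are forwarded unchanged to the RADIUS server and its verdict decides; Flo: the proxy path is only exercised when the user's authentication types are radius only, with the RADIUS password as First Factor and a blank Second Factor) suggest a quick pre-flight check before opening another ssh session. The script below is an added example, not code from the thread or from the FreeIPA project. It reads the per-user and global authentication types and tells you which factors to type or what to change. It assumes that `ipa user-show <login> --all` prints a "User authentication types:" line when a per-user value is set, that `ipa config-show` prints a "Default user authentication type:" line when a global default is set, and that password is the fallback when neither is set; the sample outputs embedded in it are constructed, not captured, and the script name in the comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): work out which
# authentication types a FreeIPA user effectively has, so you know whether an
# ssh login will go through the RADIUS proxy at all and what the prompts expect.
#
# Assumed output labels (adjust the sed patterns if your version prints others):
#   ipa user-show <login> --all  ->  "User authentication types: ..."
#   ipa config-show              ->  "Default user authentication type: ..."
# Assumed fallback when neither is set: password.

# Effective types: the per-user value wins, then the global default.
effective_auth_types() {
    user_out=$1
    config_out=$2
    u=$(printf '%s\n' "$user_out" | sed -n 's/^ *User authentication types: *//p')
    if [ -n "$u" ]; then
        printf '%s\n' "$u"
        return 0
    fi
    c=$(printf '%s\n' "$config_out" | sed -n 's/^ *Default user authentication type: *//p')
    if [ -n "$c" ]; then
        printf '%s\n' "$c"
        return 0
    fi
    printf 'password\n'   # assumed FreeIPA fallback when nothing is configured
}

# Exit status 0 when the effective types are exactly "radius", 1 otherwise.
radius_only() {
    case "$(effective_auth_types "$1" "$2" | tr -d ' ')" in
        radius) return 0 ;;
        *)      return 1 ;;
    esac
}

# Human-readable verdict: which factors to type, or what to change first.
diagnose() {
    types=$(effective_auth_types "$1" "$2")
    if radius_only "$1" "$2"; then
        printf 'auth types = radius: First Factor = RADIUS password, Second Factor = blank\n'
    else
        printf 'auth types = "%s": RADIUS is not the only method, so the request may never reach the RADIUS server; set the user to radius only (ipa user-mod <login> --user-auth-type=radius) before testing\n' "$types"
    fi
}

# --- constructed sample outputs (not real captures) ---
SAMPLE_USER_RADIUS='  User login: user-ipa
  User authentication types: radius
  RADIUS proxy configuration: radius-server
  RADIUS proxy username: user-test'

SAMPLE_USER_BOTH='  User login: user-ipa
  User authentication types: radius, password
  RADIUS proxy configuration: radius-server'

SAMPLE_USER_UNSET='  User login: user-ipa
  RADIUS proxy configuration: radius-server'

SAMPLE_CONFIG_UNSET='  Maximum username length: 32
  Default shell: /bin/sh'

SAMPLE_CONFIG_PASSWORD='  Default user authentication type: password'

diagnose "$SAMPLE_USER_RADIUS" "$SAMPLE_CONFIG_UNSET"
diagnose "$SAMPLE_USER_BOTH" "$SAMPLE_CONFIG_UNSET"
diagnose "$SAMPLE_USER_UNSET" "$SAMPLE_CONFIG_PASSWORD"

# Live run on the IPA server, with an admin Kerberos ticket (hypothetical file name):
#   RUN_LIVE=1 USER_LOGIN=user-ipa sh ./check-radius-authtype.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    login=${USER_LOGIN:-user-ipa}
    diagnose "$(ipa user-show "$login" --all)" "$(ipa config-show)"
    # Rob's pointer: ipa-otpd is socket-activated, so match all of its units.
    journalctl -u 'ipa-otpd*' --since '1 hour ago' --no-pager
fi
```

Run it first against the constructed samples to see the three verdicts, then with RUN_LIVE=1 on the IPA server; the journal tail is where ipa-otpd reports the forwarding to the RADIUS server (or the absence of it) once the user is on the radius-only path.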
Thanks Flo, I'll try as soon as possible and I'll let you know.
Regards, Giuseppe.
On Tue 20 Dec 2022, 11:22 Florence Blanc-Renaud flo@redhat.com wrote: