Hi all!
I keep trying to tune my FreeIPA server with FreeRADIUS.
I deployed FreeRADIUS to control authentication on a VPN server and I want to use FreeIPA as a RADIUS proxy (I want to control from FreeIPA which users can use the VPN). FreeRADIUS and FreeIPA run on one server. I added a RADIUS proxy in FreeIPA, but my RADIUS server does not get requests from the remote client. But the test utility "radtest" from this server works fine.
What am I doing wrong? Thanks for your reply.
[root@ipa ~]# ipa radiusproxy-find
-----------------------------
1 RADIUS proxy server matched
-----------------------------
  RADIUS proxy server name: radius
  Server: localhost.localdomain
----------------------------
Number of entries returned 1
----------------------------
Hello,
If I understood correctly, what you want to do is to set up your FreeRADIUS server so it consumes identity information from FreeIPA. That is not the purpose of the radiusproxy functionality, which implements the reverse flow: clients contacting FreeIPA would be proxied to a RADIUS server for authentication. See [1] for a detailed explanation of a common use case for radiusproxy.
In your case, you need to configure FreeRADIUS so it connects to FreeIPA using LDAP. The authentication mechanism to do this could be username/password, or you could set up SASL GSSAPI, depending on your requirements. You may find this gist [2] useful.
Authentication may not be enough, though, and you may need to leverage other information (group membership, I would assume) in order to authorise users for VPN usage. This is done on the FreeRADIUS side.
[1]: https://www.freeipa.org/page/V4/OTP/Detail [2]: https://gist.github.com/tiran/770b41cdff10d9f95e9623f468ebccec
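As an added illustration of the setup described in this reply (FreeRADIUS binding to FreeIPA over LDAP for authentication, and the VPN authorisation decision made on the FreeRADIUS side from group membership), not configuration from the thread or from either project: a FreeRADIUS 3.x `mods-available/ldap` instance and the matching `authorize`/`authenticate` fragments for `sites-enabled/default`. The IPA hostname, the `radius` system account, the domain suffix and the `vpn-users` group are assumed placeholder values.

```conf
# mods-available/ldap  (example, assumed values: ipa.example.com, dc=example,dc=com)
ldap {
    # LDAPS to the IPA server; certificate checked against the IPA CA.
    server   = 'ldaps://ipa.example.com'
    # Read-only system account created in FreeIPA for the RADIUS daemon.
    identity = 'uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com'
    password = 'CHANGE-ME'
    base_dn  = 'cn=accounts,dc=example,dc=com'

    user {
        base_dn = "cn=users,${..base_dn}"
        # Look the user up by IPA uid; the bind-as-user below verifies the password.
        filter  = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    group {
        base_dn              = "cn=groups,${..base_dn}"
        filter               = '(objectClass=posixGroup)'
        name_attribute       = 'cn'
        # FreeIPA maintains memberOf on user entries, so a single lookup suffices.
        membership_attribute = 'memberOf'
    }
    tls {
        ca_file      = /etc/ipa/ca.crt
        require_cert = 'demand'
    }
}

# sites-enabled/default (fragments)
authorize {
    ldap
    # Password arrived in the clear (PAP): let the ldap module bind as the user.
    if ((ok || updated) && User-Password) {
        update {
            control:Auth-Type := ldap
        }
    }
    # Authorisation: only members of the assumed IPA group "vpn-users" may use the VPN.
    if (!(LDAP-Group == "vpn-users")) {
        reject
    }
}

authenticate {
    Auth-Type LDAP {
        ldap
    }
}
```

The group check runs in `authorize`, so a valid IPA user who is not in the group is rejected before any bind is attempted; FreeIPA OTP tokens also work with this bind-as-user flow when the client sends password+OTP as a PAP password, which is not the case for the MS-CHAPv2 scenario discussed later in the thread.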
On Thu, Jul 2, 2020 at 3:58 AM Max Muller via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Thanks for your reply.
I carefully read the documentation and realized that this function is for other tasks. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
And now I have another problem. I have an L2TP/IPsec server on my Mikrotik router. I want to use LDAP credentials (login + password from FreeIPA) + FreeIPA OTP to authenticate on my L2TP/IPsec server (on the Mikrotik router). I deployed FreeRADIUS and it connects to LDAP (FreeIPA), finds the user + password and permits login to the VPN. But Mikrotik's RADIUS client uses only MS-CHAPv2 and I must add an NT hash for each LDAP user. And with the NT hash I cannot use FreeIPA OTP (the NT hash is static, generated from the password only).
Is there a way to use FreeIPA LDAP with OTP + FreeRADIUS to authenticate on a VPN server which uses MS-CHAPv2? So I want to use LDAP credentials for local login to the system and LDAP credentials + FreeIPA OTP for login to the VPN.
I really want to use FreeIPA OTP, because FreeIPA provides a personal area for each user. Users can change their own password, add OTP by themselves, etc.
I hope that I can be understood. :-)
You might find authentication indicators [1][2] useful in the use case you are describing.
[1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm... [2]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
On Fri, Jul 3, 2020 at 10:04 PM Max Muller via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: