On Mon, 12 Feb 2024, Charles Hedrick via FreeIPA-users wrote:
Currently our department uses passwords in IPA, with a few users using OTP. I'm considering using a University radius server for most users. Are there reliability implications? My concern is what happens if the radius server is slow to respond or even is down. I'd like users with accounts in IPA to still work, and I'd hope things would survive conditions of slow response.
There is one potential issue that we fixed recently in MIT Kerberos: https://github.com/krb5/krb5/pull/1318
It is not yet part of any release. If you have a RHEL subscription, making it known to the RHEL support organization might help to get this fix out faster.
Ugh. It doesn't look like we can do this until this patch happens. The actual authentication would use DUO. Since that requires the user to respond, the delay could be significant. 10 sec is definitely not enough.
This looks like a client patch. We're using Ubuntu for our clients. (RHEL for the KDCs.) We have purchased support, but the PO is waiting in Purchasing. So I may be able to help get it into Ubuntu.
________________________________
From: Alexander Bokovoy abokovoy@redhat.com
Sent: Monday, February 12, 2024 2:45 PM
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: Charles Hedrick hedrick@rutgers.edu
Subject: Re: [Freeipa-users] reliability of external radius
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland