Hi,

On Tue, Nov 22, 2022 at 3:34 PM Giuseppe Calo via FreeIPA-devel <freeipa-devel@lists.fedorahosted.org> wrote:

> Thanks Alexander,
> these are the steps I applied -->
> **********************************
> on Radius server:
> [root@radius ~]# yum install freeradius freeradius-utils freeradius-mysql freeradius-perl freeradius-ldap
>
> [root@radius raddb]# vi clients.conf
>
> client ipa {
>     ipaddr = 192.168.0.0/24
>     proto = *
>     secret = xxxxxx
>     require_message_authenticator = no
>     limit {
>         max_connections = 16
>         lifetime = 0
>         idle_timeout = 30
>     }
> }
>
> client localhost_ipv6 {
>     ipv6addr = ::1
>     secret = xxxxxx
> }
>
> [root@radius raddb]# vi users| egrep -v "#"
>
> user-test Cleartext-Password := "testpass"
>     Reply-Message := "Hello, %{User-Name}"
>
> DEFAULT Framed-Protocol == PPP
>     Framed-Protocol = PPP,
>     Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == "CSLIP"
>     Framed-Protocol = SLIP,
>     Framed-Compression = Van-Jacobson-TCP-IP
>
> DEFAULT Hint == "SLIP"
>     Framed-Protocol = SLIP
>
>
> [root@radius raddb]# service radiusd restart
>
> [root@radius raddb]# radtest user-test testpass 192.168.0.15 100 xxxxxx
> Sent Access-Request Id 10 from 0.0.0.0:40950 to 192.168.0.15:1812 length 76
>     User-Name = "user-test"
>     User-Password = "testpass"
>     NAS-IP-Address = 192.168.0.15
>     NAS-Port = 100
>     Message-Authenticator = 0x00
>     Cleartext-Password = "testpass"
> Received Access-Accept Id 10 from 192.168.0.15:1812 to 192.168.0.15:40950 length 35
>     Reply-Message = "Hello, user-tets"
> ****************************************
>
> on ipa server:
>
> yum install freeradius freeradius-utils
> to check with
> [root@ipa]# radtest user-test testpass 192.168.0.15 100 xxxxxx
> Sent Access-Request Id 10 from 0.0.0.0:40950 to 192.168.0.15:1812 length 76
>     User-Name = "user-test"
>     User-Password = "testpass"
>     NAS-IP-Address = 192.168.0.15
>     NAS-Port = 100
>     Message-Authenticator = 0x00
>     Cleartext-Password = "testpass"
> Received Access-Accept Id 10 from 192.168.0.15:1812 to 192.168.0.15:48259 length 35
>     Reply-Message = "Hello, user-tets"
>
> ipa radiusproxy-add radius-server --server=radius.xxxx.yyy:1812
> ipa radiusproxy-mod radius-server --secret xxxxxx
>
> ipa user-mod --radius=radius-server --radius-username=user-test user-ipa
>

Which authentication types are allowed for the user?
# ipa user-show user-ipa
# ipa config-show

> From a client:
> ssh server.my.domain -l user-ipa
> First Factor: (password from ipa)
> Second Factor: (password from radius)
> First Factor: (password from radius)
> Second Factor: (blank)
> ipa-u...@server.my.domain 's password:
> Permission denied, please try again.
> ipa-u...@server.my.domain's password:
> Received disconnect from x.x.x.x port 22:2: Too many authentication failures
> Disconnected from x.x.x.x port 22
>

For me it's working if I set the authentication types to radius only, and provide the radius password as First Factor, and a blank value as second factor. If the authentication types contain both radius and password, it looks like the request doesn't reach the radius server.

flo

> No log collected for this session on
>
> /var/log/radius/radius.log
>
> What else have I to enable?
>
> Thanks and sorry for the delay
>
> _______________________________________________
> FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
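The check asked for in the reply above (which authentication types apply to the user), as an added example that is not part of the original thread or of FreeIPA's code. It parses constructed sample output shaped like `ipa config-show` and `ipa user-show user-ipa`; the field labels, the sample values and the `field`, `auth_types` and `diagnose` helpers are assumptions.

```python
import re

# Constructed sample output shaped like `ipa config-show` and
# `ipa user-show user-ipa`; labels and values are assumptions.
CONFIG_SHOW = """\
  Maximum username length: 32
  Default user authentication types: password
"""
USER_SHOW = """\
  User login: user-ipa
  User authentication types: radius, password
  RADIUS proxy configuration: radius-server
  RADIUS proxy username: user-test
"""

def field(output, label):
    """Return the value of a 'Label: value' line, or None if absent or empty."""
    m = re.search(rf"^[ \t]*{re.escape(label)}:[ \t]*(.*)$", output, re.MULTILINE)
    return (m.group(1).strip() or None) if m else None

def auth_types(output, label):
    """Split a comma-separated auth type field into a lowercase set."""
    value = field(output, label)
    return {t.strip().lower() for t in value.split(",") if t.strip()} if value else set()

def diagnose(config_out, user_out):
    """Return (effective auth types, findings) for one user."""
    per_user = auth_types(user_out, "User authentication types")
    global_default = auth_types(config_out, "Default user authentication types")
    # Assumption: per-user types, when set, take precedence over the global
    # default, and plain password applies when neither is set.
    effective = per_user or global_default or {"password"}
    findings = []
    if "radius" not in effective:
        findings.append("radius is not among the effective auth types")
    else:
        others = sorted(effective - {"radius"})
        if others:
            findings.append("radius is mixed with " + ", ".join(others)
                            + "; the thread reports success only with radius alone")
        if not field(user_out, "RADIUS proxy configuration"):
            findings.append("no RADIUS proxy configuration assigned to the user")
    return sorted(effective), findings

if __name__ == "__main__":
    types, notes = diagnose(CONFIG_SHOW, USER_SHOW)
    print("effective auth types:", ", ".join(types))
    for note in notes:
        print("-", note)
```

To use it on a real deployment, replace the two sample strings with the captured output of the two commands.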