Thanks Flo, I'll try as soon as possible and I'll let you know.

Regards,
Giuseppe.
On Tue, Dec 20, 2022, 11:22 Florence Blanc-Renaud <f...@redhat.com> wrote:

> Hi,
>
> On Tue, Nov 22, 2022 at 3:34 PM Giuseppe Calo via FreeIPA-devel <
> freeipa-devel@lists.fedorahosted.org> wrote:
>
>> Thanks Alexander,
>> these are the steps I applied -->
>> **********************************
>> on Radius server:
>> [root@radius ~]# yum install freeradius freeradius-utils freeradius-mysql freeradius-perl freeradius-ldap
>>
>> [root@radius raddb]# vi clients.conf
>>
>> client ipa {
>> ipaddr = 192.168.0.0/24
>> proto = *
>> secret = xxxxxx
>> require_message_authenticator = no
>> limit {
>> max_connections = 16
>> lifetime = 0
>> idle_timeout = 30
>> }
>> }
>>
>> client localhost_ipv6 {
>> ipv6addr = ::1
>> secret = xxxxxx
>> }
>>
>> [root@radius raddb]# vi users| egrep -v "#"
>>
>> user-test Cleartext-Password := "testpass"
>> Reply-Message := "Hello, %{User-Name}"
>>
>> DEFAULT Framed-Protocol == PPP
>> Framed-Protocol = PPP,
>> Framed-Compression = Van-Jacobson-TCP-IP
>>
>> DEFAULT Hint == "CSLIP"
>> Framed-Protocol = SLIP,
>> Framed-Compression = Van-Jacobson-TCP-IP
>>
>> DEFAULT Hint == "SLIP"
>> Framed-Protocol = SLIP
>>
>>
>> [root@radius raddb]# service radiusd restart
>>
>> [root@radius raddb]# radtest user-test testpass 192.168.0.15 100 xxxxxx
>> Sent Access-Request Id 10 from 0.0.0.0:40950 to 192.168.0.15:1812 length 76
>> User-Name = "user-test"
>> User-Password = "testpass"
>> NAS-IP-Address = 192.168.0.15
>> NAS-Port = 100
>> Message-Authenticator = 0x00
>> Cleartext-Password = "testpass"
>> Received Access-Accept Id 10 from 192.168.0.15:1812 to 192.168.0.15:40950 length 35
>> Reply-Message = "Hello, user-tets"
>> ****************************************
>>
>> on ipa server:
>>
>> yum install freeradius freeradius-utils
>> to check with
>> [root@ipa]# radtest user-test testpass 192.168.0.15 100 xxxxxx
>> Sent Access-Request Id 10 from 0.0.0.0:40950 to 192.168.0.15:1812 length 76
>> User-Name = "user-test"
>> User-Password = "testpass"
>> NAS-IP-Address = 192.168.0.15
>> NAS-Port = 100
>> Message-Authenticator = 0x00
>> Cleartext-Password = "testpass"
>> Received Access-Accept Id 10 from 192.168.0.15:1812 to 192.168.0.15:48259 length 35
>> Reply-Message = "Hello, user-tets"
>>
>> ipa radiusproxy-add radius-server --server=radius.xxxx.yyy:1812
>> ipa radiusproxy-mod radius-server --secret xxxxxx
>>
>> ipa user-mod --radius=radius-server --radius-username=user-test user-ipa
>>
> Which authentication types are allowed for the user?
> # ipa user-show user-ipa
> # ipa config-show
>
>
>> From a client:
>> ssh server.my.domain -l user-ipa
>> First Factor: (password from ipa)
>> Second Factor: (password from radius)
>> First Factor: (password from radius)
>> Second Factor: (blank)
>> ipa-u...@server.my.domain 's password:
>> Permission denied, please try again.
>> ipa-u...@server.my.domain's password:
>> Received disconnect from x.x.x.x port 22:2: Too many authentication failures
>> Disconnected from x.x.x.x port 22
>>
> For me it's working if I set the authentication types to radius only, and
> provide the radius password as First Factor, and a blank value as second
> factor.
> If the authentication types contain both radius and password, it looks
> like the request doesn't reach the radius server.
>
> flo
>
>> No log collected for this session on
>>
>> /var/log/radius/radius.log
>>
>> What else have I to enable?
>>
>> Thanks and sorry for the delay
>>
>> _______________________________________________
>> FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
>> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>>
>
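
The check Flo asks for (`ipa user-show`, `ipa config-show`) can be scripted. This is an added example, not part of the original thread: it reads the text of both outputs and reports whether the user ends up with radius alone or radius combined with other types, the combination Flo reports as failing. The field labels, the rule that a per-user value overrides the global default, and the sample text are assumptions of this example.

```shell
#!/bin/sh
# Added example: work out which authentication types apply to a user from the
# text printed by `ipa user-show <user>` and `ipa config-show`.
# Assumption: the field labels below match the ipa CLI's English output.

# Print one "Label: a, b" field as "a,b" (lower-cased, blanks removed).
# Prints nothing if the field is absent. $1 = label, stdin = ipa output.
field() {
    awk -F': *' -v want="$1" '
        { key = $1; sub(/^[ \t]+/, "", key) }
        key == want { v = tolower($2); gsub(/[ \t]/, "", v); print v; exit }'
}

# $1 = user-show text, $2 = config-show text.
# Assumption: a per-user value, when set, overrides the global default.
effective_auth_types() {
    per_user=$(printf '%s\n' "$1" | field 'User authentication types')
    if [ -n "$per_user" ]; then
        printf '%s\n' "$per_user"
    else
        printf '%s\n' "$2" | field 'Default user authentication types'
    fi
}

# $1 = comma-separated auth types.
classify() {
    case ",$1," in
        ,radius,)   echo "radius-only" ;;   # the setup reported as working
        *,radius,*) echo "radius-mixed" ;;  # radius plus other types
        *)          echo "no-radius" ;;     # RADIUS proxy is not used at all
    esac
}

# Constructed sample output (not captured from the systems in the thread).
SAMPLE_USER='  User login: user-ipa
  User authentication types: radius, password'
SAMPLE_CONFIG='  Default user authentication types: password'

types=$(effective_auth_types "$SAMPLE_USER" "$SAMPLE_CONFIG")
echo "effective auth types: $types ($(classify "$types"))"
```

On a live server, pass `"$(ipa user-show user-ipa)"` and `"$(ipa config-show)"` in place of the two sample variables.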