It’s not entirely clear to me what the configuration is. You say “second
factor.” If you’re using 2FA, things that normally work no longer do.
If you’re putting Freeradius in front of IPA, neither of the ways Freeradius
would talk to IPA works with 2FA. LDAP doesn’t work, because the IPA LDAP
server doesn’t know about 2FA except the builtin FreeOTP support. The
Freeradius Kerberos support won’t work for any 2FA, even FreeOTP, because their
Kerberos code doesn’t use the APIs necessary to support 2FA.
In https://github.com/clhedrick/kerberos, you’ll find radius-wrap, which can be
used with Freeradius’ Kerberos module to make it work with 2FA. The code works,
but if someone is going to use it in production I’d do something to make it more
convenient to use. I’ve chosen to use LD_PRELOAD to wrap the existing code,
rather than supplying a fixed version of the Kerberos module, because I thought
it might make updating to new versions easier.
In the same place you’ll find ldap-proxy. These are instructions to set up
Openldap in front of IPA’s LDAP. It does Kerberos authentication with 2FA
support, and thus can handle all types of authentication that IPA can handle. I
supply an overlay (i.e. a plugin) for Openldap to do Kerberos authentication
with proper 2FA support.
Jakub: I’d really, really like to see LDAP in Freeipa support 2FA. Having to
put a proxy in front of IPA just to handle IPA’s authentication seems silly,
and an unnecessary piece of software to support (particularly since RHEL 8 is
apparently going to drop support for openldap).
On Aug 24, 2017, at 2:53 PM, Jakub Hrozek via FreeIPA-users
On Thu, Aug 24, 2017 at 10:29:35AM -0400, Steve Weeks via FreeIPA-users wrote:
We are running FreeIPA 4.4 on Centos 7 and trying to use radius
Using radtest and radclient work fine and we can authenticate a user.
The radius proxy and secret are set to match the values from radclient.
The user has the radius check box checked and the other two fields set to
appropriate values. hbactest shows that the user has permission for any
When I do " su -l rsa-user", I'm requested for the first and second
factors. After I enter them, I get "su: Authentication failure". Using a
non-radius user works fine.
The sssd_pam log has
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [17 (Failure setting
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result :
Failure setting user credentials.
Unchecking the radius checkbox and the account works fine.
Any ideas what to try or look at next?
I've never set up this configuration but I would look at the domain log
and krb5_child.log next.
FreeIPA-users mailing list --
To unsubscribe send an email to
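The sssd_pam lines quoted in the thread carry a numeric PAM result (17, whose pam_strerror text is "Failure setting user credentials"). As an added example, not from the thread and not SSSD's or Linux-PAM's own code, here is a small parser that extracts that result from such lines and maps it to the Linux-PAM return-value name; the sample log is constructed, with the two lines from the thread completed to their usual full form.

```python
import re
from typing import NamedTuple, Optional

# Linux-PAM return codes from _pam_types.h with their pam_strerror() text.
# 17 / PAM_CRED_ERR is the value the quoted sssd_pam log reports.
PAM_CODES = {
    0: ("PAM_SUCCESS", "Success"),
    6: ("PAM_PERM_DENIED", "Permission denied"),
    7: ("PAM_AUTH_ERR", "Authentication failure"),
    9: ("PAM_AUTHINFO_UNAVAIL", "Authentication information cannot be recovered"),
    10: ("PAM_USER_UNKNOWN", "User not known to the underlying authentication module"),
    17: ("PAM_CRED_ERR", "Failure setting user credentials"),
}
TEXT_TO_CODE = {text.lower(): code for code, (_, text) in PAM_CODES.items()}

# Shape of an sssd debug line: [sssd[pam]] [function] (0xLEVEL): message
LINE_RE = re.compile(r"^\[(?P<proc>.+?)\]\s+\[(?P<func>[^\]]+)\]\s+"
                     r"\((?P<level>0x[0-9a-fA-F]+)\):\s*(?P<msg>.*)$")
CODE_RE = re.compile(r"\[(?P<code>\d+)\]?")   # "[17 (..." or "[0]"

class PamEvent(NamedTuple):
    func: str
    code: Optional[int]
    name: str
    msg: str

def parse_line(line: str) -> Optional[PamEvent]:
    """Return a PamEvent for a pam_reply / pam_dp_process_reply line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("func") not in ("pam_reply", "pam_dp_process_reply"):
        return None
    msg = m.group("msg")
    c = CODE_RE.search(msg)
    code = int(c.group("code")) if c else None
    if code is None:
        # Number missing (as in the thread's pam_reply line): recover it from the text.
        code = next((k for t, k in TEXT_TO_CODE.items() if t in msg.lower()), None)
    name = PAM_CODES[code][0] if code in PAM_CODES else "UNKNOWN"
    return PamEvent(m.group("func"), code, name, msg)

def first_failure(log: str) -> Optional[PamEvent]:
    """First reply event whose PAM result is not PAM_SUCCESS, or None."""
    events = (parse_line(l) for l in log.splitlines())
    return next((e for e in events if e and e.code != 0), None)

# Constructed sample: the thread's two lines in full form plus one successful reply.
SAMPLE_LOG = """\
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [17 (Failure setting user credentials)]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result : Failure setting user credentials.
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [0]: Success.
"""

if __name__ == "__main__":
    print(first_failure(SAMPLE_LOG))
```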