It’s not entirely clear to me what the configuration is. You say “second 
factor.” If you’re using 2FA, things that normally work no longer do.

If you’re putting Freeradius in front of IPA, neither of the ways Freeradius 
would talk to IPA works with 2FA. LDAP doesn’t work, because the IPA LDAP 
server doesn’t know about 2FA except the builtin FreeOTP support. The 
Freeradius Kerberos support won’t work for any 2FA, even FreeOTP, because their 
Kerberos code doesn’t use the API’s necessary to support 2FA.

in, you’ll find radius-wrap, which can be 
used with Freeradius’ Kerberos module to make it work with 2FA. The code works, 
but if someone is gong to use it in production I’d do something to make it more 
convenient to use. I’ve chosen to use LD_PRELOAD to wrap the existing code, 
rather than supplying a fixed version of the Kerberos module, because I thought 
it might make updating to new versions easier.

In the same place you’ll find ldap-proxy. This is instructions to set up 
Openldap in front of IPA’s LDAP. It does Kerberos authentication with 2FA 
support, and thus can handle all types of authentication that IPA can handle. I 
supply an overlay (i.e. a plugin) for Openldap to do Kerberos authentication 
with proper 2FA support.

Jakub: I’d really, really, like to see LDAP in Freeipa support 2FA. Having to 
put a proxy in front of IPA just to handle IPA’s authentication seems silly, 
and an unnecessary piece of software to support (particularly since RHEL 8 is 
apparently gong to drop support for openlap).

On Aug 24, 2017, at 2:53 PM, Jakub Hrozek via FreeIPA-users 

On Thu, Aug 24, 2017 at 10:29:35AM -0400, Steve Weeks via FreeIPA-users wrote:
We are running FreeIPA 4.4 on Centos 7 and trying to use radius

Using radtest and radclient work fine and we can authenticate a user.

The radius proxy and secret are set to match the values from radclient.
The user has the radius check box checked and the other two fields set to
appropriate values. hbactest shows that the user has permission for any

When I do " su -l rsa-user", I'm requested for the first and second
factors.  After I enter them, I get "su: Authentication failure".  Using a
non-radius user works fine.

The sssd_pam log has

[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [17 (Failure setting
user credentials)][<>]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [17]:
Failure setting user credentials.

Unchecking the radius checkbox and the account works fine.

Any ideas what to try or look at next?

I've never set up this configuration but I would look at the domain log
and krb5_child.log next.
FreeIPA-users mailing list --<>
To unsubscribe send an email to<>

FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to