Daniel,

There is a nice how-to here:
https://firstyear.id.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html


--eZ



On Wed, Feb 12, 2020, 20:03 White, Daniel E. (GSFC-770.0)[NICS] via
FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> My use case is RADIUS for network device auth, with IPA doing the
> underlying authentication.
>
> The group information is all the LDAP groups a user belongs to.  This is
> for access control.
>
> Our current setup uses an ancient version of RADIUS that runs on an old
> Solaris 9 Sparc server.  It uses the users and groups on that server to
> control access.
>
> ______________________________________________________________________________________________
>
> Daniel E. White
> daniel.e.wh...@nasa.gov
>
> NICS Linux Engineer
> NASA Goddard Space Flight Center
> 8800 Greenbelt Road
> Building 14, Room E175
> Greenbelt, MD 20771
>
> Office: (301) 286-6919
> Mobile: (240) 513-5290
>
> From: Alex Scheel <asch...@redhat.com>
> Date: Wednesday, February 12, 2020 at 13:38
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
> Cc: Daniel White <daniel.e.wh...@nasa.gov>
> Subject: [EXTERNAL] Re: [Freeipa-users] FreeIPA and FreeRadius (or any RADIUS)
>
> Hi Daniel,
>
> I'm afraid I don't understand what you're trying to accomplish.
>
> There are two primary use cases for RADIUS:
>
> - RADIUS for wireless auth, with IPA doing the underlying authentication
> - RADIUS as a backend for OTP, with IPA passing OTP queries to RADIUS to
>   validate
>
> I'm going to guess by your request that you want the former, not the
> latter.
>
> What you're looking for is probably most easily accomplished via an LDAP
> interface for FreeRADIUS. I think the following might help you:
>
> - https://wiki.freeradius.org/modules/Rlm_ldap
> - http://lists.freeradius.org/pipermail/freeradius-users/2018-April/091159.html
>
> I'm not sure what group information you'd need in this scenario, though.
>
> If you're trying to use RADIUS to authenticate on systems, we don't
> support pam_radius (and the authenticating system doesn't get group
> information in that setup).
>
> Would sssd be a better fit in this case?
>
> Thanks,
>
> - Alex
>
> ----- Original Message -----
> From: "Daniel E. White (GSFC-770.0)[NICS] via FreeIPA-users" <freeipa-users@lists.fedorahosted.org>
> To: "FreeIPA users list" <freeipa-users@lists.fedorahosted.org>
> Cc: "Daniel E. White (GSFC-770.0)[NICS]" <daniel.e.wh...@nasa.gov>
> Sent: Wednesday, February 12, 2020 8:54:31 AM
> Subject: [Freeipa-users] FreeIPA and FreeRadius (or any RADIUS)
>
> Reference:
> https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
>
> What about setting it up so that RADIUS gets credentials and groups from
> FreeIPA without the OTP?
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org