Institutionally we have a hardware token set up, you use a pin to unlock the 
device and it spits out a passcode.
The passcode allows access through kerberos, radius, or ldap binds to linux 
servers, or with a custom apache module to websites.

I have an out-of-band private network set up that attaches to our intranet 
using a firewall/gateway server which does some port forwarding for various 
things like SSH, RDP.
I’m attempting to set up RADIUS on this firewall/gateway to be used as a proxy 
for freeipa to our token system which I’d like to be able to use behind the 
However I seem to be getting nearly a dozen requests into the radius server, 
about half are dropped as duplicate, but usually 3-6 get through and since it’s 
a single use token the first attempt succeeds, but the rest fail and cause the 
hardware token to be blacklisted.
Is there a way to specify that the user radius login is a one-time token or is 
this something that sssd or pam is causing?
Or does the OTP support just not work in the way I need it to?
I have this issue with both the inbox 4.1.0 in RHEL7.1 or the upstream 4.1.4 

My only alternative is probably to set up a KDC on the firewall to trust the 
institutional realm and have the IdM kerberos realm trust that.
This is also a mixed linux/windows environment behind the firewall, I’ve 
enabled unix attributes in my AD and I’m using a script to sync uid/gid with 
the external ldap.

Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to