Institutionally we have a hardware token set up: you use a PIN to unlock the
device and it spits out a passcode.
The passcode allows access through Kerberos, RADIUS, or LDAP binds to Linux
servers, or with a custom Apache module to websites.
I have an out-of-band private network set up that attaches to our intranet
using a firewall/gateway server which does some port forwarding for various
things like SSH and RDP.
I’m attempting to set up RADIUS on this firewall/gateway to be used as a proxy
for freeipa to our token system which I’d like to be able to use behind the
However, I seem to be getting nearly a dozen requests into the RADIUS server;
about half are dropped as duplicates, but usually 3-6 get through, and since it's
a single-use token the first attempt succeeds but the rest fail and cause the
hardware token to be blacklisted.
Is there a way to specify that the user's RADIUS login is a one-time token, or is
this something that sssd or PAM is causing?
Or does the OTP support just not work in the way I need it to?
I have this issue with both the inbox 4.1.0 in RHEL 7.1 and the upstream 4.1.4.
My only alternative is probably to set up a KDC on the firewall to trust the
institutional realm and have the IdM kerberos realm trust that.
This is also a mixed Linux/Windows environment behind the firewall; I've
enabled UNIX attributes in my AD, and I'm using a script to sync uid/gid with
the external LDAP.
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project
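The failure mode in the post (retransmitted Access-Requests each reaching the token backend, so a single-use passcode is "used" several times) is exactly what RADIUS duplicate detection is meant to prevent: RFC 2865 treats a request with the same client source address/port and Identifier, arriving within a short window, as a retransmission, and a server should answer it with the cached reply instead of re-authenticating. The following is an added example, not code from the original message, from FreeIPA, sssd, or any RADIUS implementation: a minimal RADIUS proxy in Python that keys its cache on (client, Identifier, Request Authenticator) and replays the stored answer. The packet layout and User-Password hiding follow RFC 2865; the token backend, shared secret, username, passcode and lockout threshold are constructed for illustration.

```python
import hashlib
import os
import struct
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of encode_password; the keystream chains on the *hidden* blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, secret: bytes, username: bytes,
                         otp: bytes, authenticator: bytes = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) then TLV attributes."""
    auth = authenticator or os.urandom(16)
    hidden = encode_password(secret, auth, otp)
    attrs = (bytes([ATTR_USER_NAME, 2 + len(username)]) + username
             + bytes([ATTR_USER_PASSWORD, 2 + len(hidden)]) + hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + auth + attrs


def parse_packet(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:                      # attribute = type, length, value
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs


class OtpBackend:
    """Constructed stand-in for the institutional token service: a passcode is
    valid once, and too many failures lock ("blacklist") the token."""
    def __init__(self, unused, max_failures=3):
        self.unused, self.max_failures = dict(unused), max_failures
        self.failures, self.locked, self.calls = {}, set(), 0

    def verify(self, user: str, passcode: str) -> bool:
        self.calls += 1
        if user in self.locked:
            return False
        if self.unused.get(user) == passcode:
            del self.unused[user]            # consumed: a replay now fails
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
        return False


class RadiusProxy:
    """Forwards to the backend once per distinct request; retransmissions
    (same client, Identifier and Request Authenticator) get the cached reply."""
    def __init__(self, secret: bytes, backend: OtpBackend, dedup_ttl=30.0):
        self.secret, self.backend, self.dedup_ttl = secret, backend, dedup_ttl
        self.cache = {}                      # key -> (response code, expiry)

    def handle(self, client, pkt: bytes, now=None) -> int:
        now = time.monotonic() if now is None else now
        _, ident, auth, attrs = parse_packet(pkt)
        key = (client, ident, auth)
        hit = self.cache.get(key)
        if hit and hit[1] > now:
            return hit[0]                    # duplicate: do not touch the OTP backend
        user = attrs[ATTR_USER_NAME].decode()
        otp = decode_password(self.secret, auth, attrs[ATTR_USER_PASSWORD]).decode()
        resp = ACCESS_ACCEPT if self.backend.verify(user, otp) else ACCESS_REJECT
        self.cache[key] = (resp, now + self.dedup_ttl)
        return resp


def simulate(copies: int, dedup: bool):
    """Deliver `copies` retransmissions of one login; return the replies,
    the number of backend checks, and whether the token ended up locked."""
    backend = OtpBackend({"alice": "482913"})       # constructed sample token
    proxy = RadiusProxy(b"s3cret", backend, dedup_ttl=30.0 if dedup else 0.0)
    pkt = build_access_request(7, b"s3cret", b"alice", b"482913")
    replies = [proxy.handle(("10.0.0.5", 40000), pkt, now=1.0) for _ in range(copies)]
    return replies, backend.calls, "alice" in backend.locked


if __name__ == "__main__":
    print("with dedup   :", simulate(6, True))    # 6 accepts, 1 backend call, not locked
    print("without dedup:", simulate(6, False))   # 1 accept, 5 rejects, token locked
```

The point of the cache key is that a retransmission carries the same Identifier and Request Authenticator; a genuinely new attempt from the same client gets a fresh authenticator and is forwarded. Whatever proxy is actually in the path should be doing this before the request reaches a single-use credential backend, and a proxy with the de-duplication window disabled reproduces the lockout the post describes.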