[Freeipa-users] Re: [EXTERNAL] Re: FreeIPA and FreeRadius (or any RADIUS)

2020-02-12 Thread Ernedin Zajko via FreeIPA-users
Daniel,

There is a nice how-to here
https://firstyear.id.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html


--eZ



On Wed, Feb 12, 2020, 20:03 White, Daniel E. (GSFC-770.0)[NICS] via
FreeIPA-users wrote:

> My use case is RADIUS for network device auth, with IPA doing the
> underlying authentication.
>
> The group information is all the LDAP groups a user belongs to.  This is
> for access control.
>
> Our current setup uses an ancient version of RADIUS that runs on an old
> Solaris 9 Sparc server.  It uses the users and groups on that server to
> control access.
>
> __
> Daniel E. White
> daniel.e.wh...@nasa.gov
> NICS Linux Engineer
> NASA Goddard Space Flight Center
> 8800 Greenbelt Road
> Building 14, Room E175
> Greenbelt, MD 20771
> Office: (301) 286-6919
> Mobile: (240) 513-5290
>
>
> From: Alex Scheel
> Date: Wednesday, February 12, 2020 at 13:38
> To: FreeIPA users list
> Cc: Daniel White
> Subject: [EXTERNAL] Re: [Freeipa-users] FreeIPA and FreeRadius (or any
> RADIUS)
>
> Hi Daniel,
>
> I'm afraid I don't understand what you're trying to accomplish.
>
> There are two primary use cases for RADIUS:
>
> - RADIUS for wireless auth, with IPA doing the underlying authentication
> - RADIUS as a backend for OTP, with IPA passing OTP queries to RADIUS to
>   validate
>
> I'm going to guess by your request that you want the former, not the
> latter.
>
> What you're looking for is probably most easily accomplished via an LDAP
> interface for FreeRADIUS. I think the following might help you:
>
> - https://wiki.freeradius.org/modules/Rlm_ldap
> - http://lists.freeradius.org/pipermail/freeradius-users/2018-April/091159.html
>
> I'm not sure what group information you'd need in this scenario, though.
>
> If you're trying to use RADIUS to authenticate on systems, we don't
> support pam_radius (and the authenticating system doesn't get group
> information in that setup).
>
> Would sssd be a better fit in this case?
>
> Thanks,
>
> - Alex
>
>
>
>
> - Original Message -
> From: "Daniel E. White (GSFC-770.0)[NICS] via FreeIPA-users" <freeipa-users@lists.fedorahosted.org>
> To: "FreeIPA users list"
> Cc: "Daniel E. White (GSFC-770.0)[NICS]"
> Sent: Wednesday, February 12, 2020 8:54:31 AM
> Subject: [Freeipa-users] FreeIPA and FreeRadius (or any RADIUS)
>
> Reference:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.freeipa.org_page_Using-5FFreeIPA-5Fand-5FFreeRadius-5Fas-5Fa-5FRADIUS-5Fbased-5Fsoftware-5Ftoken-5FOTP-5Fsystem-5Fwith-5FCentOS_RedHat-5F7&d=DwICaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=ef_FKlWa7jWGmQqTrjkcoDY1VuVtcI_10ClISjA3_V8&m=Zv18qJEsJdA0-rTvhk7KGER54Nbj5PvUpkhG972d7Eg&s=DL7kkmJr_YPGHUDd7C98avLEo5MftauoY_rs7FLEv7U&e=
>
> What about setting it up so that RADIUS gets credentials and groups from
> FreeIPA without the OTP ?
>
> __
> Daniel E. White
> daniel.e.wh...@nasa.gov
> NICS Linux Engineer
> NASA Goddard Space Flight Center
> 8800 Greenbelt Road
> Building 14, Room E175
> Greenbelt, MD 20771
> Office: (301) 286-6919
> Mobile: (240) 513-5290
>
>
> ___
>
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
> Fedora Code of Conduct:
>
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_en-2DUS_project_code-2Dof-2Dconduct_&d=DwICaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=ef_FKlWa7jWGmQqTrjkcoDY1VuVtcI_10ClISjA3_V8&m=Zv18qJEsJdA0-rTvhk7KGER54Nbj5PvUpkhG972d7Eg&s=ObQjZAozegq76dn-3bRKzfZZJlGNlJboMt7jq9yfkOg&e=
>
> List Guidelines:
> https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_Mailing-5Flist-5Fguidelines&d=DwICaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=ef_FKlWa7jWGmQqTrjkcoDY1VuVtcI_10ClISjA3_V8&m=Zv18qJEsJdA0-rTvhk7KGER54Nbj5PvUpkhG972d7Eg&s=icoYxkNKtZLQukECmYuY-8EvRmB1QwYagUq8NC5WCWc&e=
>
> List Archives:
>
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_archives_list_freeipa-2Dusers-40lists.fedorahosted.org&d=DwICaQ&c=ApwzowJNAKKw3xye91w7BE1XMRKi2LN9kiMk5Csz9Zk&r=ef_FKlWa7jWGmQqTrjkcoDY1VuVtcI_10ClISjA3_V8&m=Zv18qJEsJdA0-rTvhk7KGER54Nbj5PvUpkhG972d7Eg&s=9osDDUoPdZ6iuCCpMmjTwKFdKAAs2JSoJAG8IpDm284&e=

[Freeipa-users] Re: [EXTERNAL] Re: FreeIPA and FreeRadius (or any RADIUS)

2020-02-12 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
Many thanks.
I will let the list know

__

Daniel E. White
daniel.e.wh...@nasa.gov
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290

From: Alex Scheel 
Date: Wednesday, February 12, 2020 at 14:13
To: FreeIPA users list 
Cc: Daniel White 
Subject: Re: [Freeipa-users] Re: [EXTERNAL] Re: FreeIPA and FreeRadius (or any 
RADIUS)

Daniel,

That makes sense.

Then yes, the links I pointed to in my previous mail should help you
accomplish what you want. If you find something lacking, do let us
know.


Hope that helps,

Alex


[Freeipa-users] Re: [EXTERNAL] Re: FreeIPA and FreeRadius (or any RADIUS)

2020-02-12 Thread Alex Scheel via FreeIPA-users
Daniel,

That makes sense.

Then yes, the links I pointed to in my previous mail should help you
accomplish what you want. If you find something lacking, do let us
know. 


Hope that helps,

Alex

- Original Message -
> From: "Daniel E. White (GSFC-770.0)[NICS] via FreeIPA-users"
> To: "Alex Scheel", "FreeIPA users list"
> Cc: "Daniel E. White (GSFC-770.0)[NICS]"
> Sent: Wednesday, February 12, 2020 2:03:03 PM
> Subject: [Freeipa-users] Re: [EXTERNAL] Re: FreeIPA and FreeRadius (or any
> RADIUS)
> 
> My use case is RADIUS for network device auth, with IPA doing the underlying
> authentication.
> The group information is all the LDAP groups a user belongs to.  This is for
> access control.
> Our current setup uses an ancient version of RADIUS that runs on an old
> Solaris 9 Sparc server.  It uses the users and groups on that server to
> control access.
> __
> 
> Daniel E. White
> daniel.e.wh...@nasa.gov
> NICS Linux Engineer
> NASA Goddard Space Flight Center
> 8800 Greenbelt Road
> Building 14, Room E175
> Greenbelt, MD 20771
> Office: (301) 286-6919
> Mobile: (240) 513-5290

[Freeipa-users] Re: [EXTERNAL] Re: FreeIPA and FreeRadius (or any RADIUS)

2020-02-12 Thread White, Daniel E. (GSFC-770.0)[NICS] via FreeIPA-users
My use case is RADIUS for network device auth, with IPA doing the underlying 
authentication.
The group information is all the LDAP groups a user belongs to.  This is for 
access control.
Our current setup uses an ancient version of RADIUS that runs on an old Solaris 
9 Sparc server.  It uses the users and groups on that server to control access.
__

Daniel E. White
daniel.e.wh...@nasa.gov
NICS Linux Engineer
NASA Goddard Space Flight Center
8800 Greenbelt Road
Building 14, Room E175
Greenbelt, MD 20771
Office: (301) 286-6919
Mobile: (240) 513-5290

From: Alex Scheel 
Date: Wednesday, February 12, 2020 at 13:38
To: FreeIPA users list 
Cc: Daniel White 
Subject: [EXTERNAL] Re: [Freeipa-users] FreeIPA and FreeRadius (or any RADIUS)

Hi Daniel,

I'm afraid I don't understand what you're trying to accomplish.

There's two primary use cases for RADIUS:

- RADIUS for wireless auth, with IPA doing the underlying authentication
- RADIUS as a backend for OTP, with IPA passing OTP queries to RADIUS to
   validate

I'm going to guess by your request that you want the former, not the latter.

What you're looking for is probably most easily accomplished via an LDAP
interface for FreeRADIUS. I think the following might help you:

- https://wiki.freeradius.org/modules/Rlm_ldap

- http://lists.freeradius.org/pipermail/freeradius-users/2018-April/091159.html

I'm not sure what group information you'd need in this scenario, though.


If you're trying to use RADIUS to authenticate on systems, we don't
support pam_radius (and the authenticating system doesn't get group
information in that setup).

Would sssd be a better fit in this case?


Thanks,

- Alex



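Alex's rlm_ldap suggestion, worked through for Daniel's use case (network device auth against IPA, access limited by IPA group), as an added example that is not part of this thread and not the shipped configuration of FreeRADIUS or FreeIPA. FreeRADIUS 3.x syntax; the host ipa.example.com, the suffix dc=example,dc=com, the bind account uid=radius and the group network-admins are assumed names, while cn=sysaccounts,cn=etc and /etc/ipa/ca.crt are FreeIPA's usual locations.

```unlang
# mods-available/ldap (FreeRADIUS 3.x): look users and groups up in FreeIPA.
# Server, suffix, bind account and group names are assumed for this example.
ldap {
	server = 'ldaps://ipa.example.com'            # TLS only, never clear-text LDAP
	identity = 'uid=radius,cn=sysaccounts,cn=etc,dc=example,dc=com'
	password = 'CHANGEME'                         # dedicated read-only service account
	base_dn = 'dc=example,dc=com'
	user {
		base_dn = "cn=users,cn=accounts,${..base_dn}"
		filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	group {
		base_dn = "cn=groups,cn=accounts,${..base_dn}"
		filter = '(objectClass=groupOfNames)'
		name_attribute = 'cn'
		membership_attribute = 'memberOf'        # IPA maintains memberOf on user entries
	}
	tls {
		ca_file = /etc/ipa/ca.crt                 # IPA CA, so the server cert is verified
		require_cert = 'demand'
	}
}

# sites-enabled/default: only the lines relevant to this setup are shown.
authorize {
	preprocess
	ldap
	# IPA knows the user and the NAS sent a password (PAP): bind as the user.
	if ((ok || updated) && User-Password && !control:Auth-Type) {
		update {
			control:Auth-Type := ldap
		}
	}
	# Group-based access control: a valid IPA account alone is not enough,
	# the account must also be a member of network-admins.
	if (!(LDAP-Group == "network-admins")) {
		reject
	}
}

authenticate {
	Auth-Type LDAP {
		ldap
	}
}
```

LDAP bind authentication only works when the device sends the password itself (PAP); devices that speak MS-CHAPv2 need the separate setup covered by the mschapv2 how-to linked earlier in the thread.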