It’s not entirely clear to me what the configuration is. You say “second factor.” If you’re using 2FA, things that normally work no longer do.

If you’re putting Freeradius in front of IPA, neither of the ways Freeradius would talk to IPA works with 2FA. LDAP doesn’t work, because the IPA LDAP server doesn’t know about 2FA except the builtin FreeOTP support. The Freeradius Kerberos support won’t work for any 2FA, even FreeOTP, because their Kerberos code doesn’t use the APIs necessary to support 2FA.

In https://github.com/clhedrick/kerberos, you’ll find radius-wrap, which can be used with Freeradius’ Kerberos module to make it work with 2FA. The code works, but if someone is going to use it in production I’d do something to make it more convenient to use. I’ve chosen to use LD_PRELOAD to wrap the existing code, rather than supplying a fixed version of the Kerberos module, because I thought it might make updating to new versions easier.

In the same place you’ll find ldap-proxy. This is instructions to set up Openldap in front of IPA’s LDAP. It does Kerberos authentication with 2FA support, and thus can handle all types of authentication that IPA can handle. I supply an overlay (i.e. a plugin) for Openldap to do Kerberos authentication with proper 2FA support.

Jakub: I’d really, really like to see LDAP in Freeipa support 2FA. Having to put a proxy in front of IPA just to handle IPA’s authentication seems silly, and an unnecessary piece of software to support (particularly since RHEL 8 is apparently going to drop support for openldap).

On Aug 24, 2017, at 2:53 PM, Jakub Hrozek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

On Thu, Aug 24, 2017 at 10:29:35AM -0400, Steve Weeks via FreeIPA-users wrote:
We are running FreeIPA 4.4 on Centos 7 and trying to use radius
authentication.

Using radtest and radclient work fine and we can authenticate a user.

The radius proxy and secret are set to match the values from radclient.
The user has the radius check box checked and the other two fields set to
appropriate values. hbactest shows that the user has permission for any
host.

When I do " su -l rsa-user", I'm requested for the first and second
factors.  After I enter them, I get "su: Authentication failure".  Using a
non-radius user works fine.

The sssd_pam log has

[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [17 (Failure setting
user credentials)][idm.bbn.com]
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [17]:
Failure setting user credentials.

With the radius checkbox unchecked, the account works fine.

Any ideas what to try or look at next?

I've never set up this configuration but I would look at the domain log
and krb5_child.log next.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org