Thanks for sharing.
______________________________________________________________________________________________
Daniel E. White
daniel.e.wh...@nasa.gov
NASCOM Linux Engineer
NASA Goddard Space Flight Center
Science Applications International Corporation (SAIC)
Office: (301) 286-6919
Mobile: (240) 513-5290

From: FreeIPA-Users <freeipa-users@lists.fedorahosted.org>
Reply-To: FreeIPA-Users <freeipa-users@lists.fedorahosted.org>
Date: Monday, February 22, 2021 at 03:45
To: FreeIPA-Users <freeipa-users@lists.fedorahosted.org>
Cc: Mariusz Stysiak <server.is.not.respond...@gmail.com>
Subject: [Freeipa-users] Re: [EXTERNAL] Separate Topic -- FreeIPA and RADIUS

Hi Daniel,

My configuration is based on the guide I found at https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7

Skip the first part and start with "Install, configure and test RADIUS Server as a frontend to IPA".

Since this is a POC, I've set up a radius server on one of my ipa servers, "ipa-poc-1.lab" (would have added another one on the second ipa machine for redundancy if I went to PROD), and added it to my IPA via the GUI under Authentication -> RADIUS servers.
Below is my radius config w/o commented lines:

ipa-poc-1 /etc/raddb # cat radiusd.conf | egrep -v "^\s*(#|$)"
prefix = /usr
exec_prefix = /usr
sysconfdir = /etc
localstatedir = /var
sbindir = /usr/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
name = radiusd
confdir = ${raddbdir}
modconfdir = ${confdir}/mods-config
certdir = ${confdir}/certs
cadir = ${confdir}/certs
run_dir = ${localstatedir}/run/${name}
db_dir = ${localstatedir}/lib/radiusd
libdir = /usr/lib64/freeradius
pidfile = ${run_dir}/${name}.pid
correct_escapes = true
max_request_time = 30
cleanup_delay = 5
max_requests = 16384
hostname_lookups = no
log {
        destination = files
        colourise = yes
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
        msg_denied = "You are already logged in - access denied"
}
checkrad = ${sbindir}/checkrad
security {
        user = radiusd
        group = radiusd
        allow_core_dumps = no
        max_attributes = 200
        reject_delay = 1
        status_server = yes
}
proxy_requests = yes
$INCLUDE proxy.conf
$INCLUDE clients.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
        auto_limit_acct = no
}
modules {
        $INCLUDE mods-enabled/
}
instantiate {
}
policy {
        $INCLUDE policy.d/
}
$INCLUDE sites-enabled/

And the clients config file:

ipa-poc-1 /etc/raddb # cat clients.conf | egrep -v "^\s*(#|$)"
client default {
        ipaddr = FREEIPA_SERVER_IP/32
        proto = udp
        secret = very_secure_pass
        require_message_authenticator = no
        nas_type = cisco # localhost isn't usually a NAS...
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}
client localhost_ipv6 {
        ipv6addr = ::1
        secret = very_secure_pass
}
client asa-V {
        ipaddr = CISCO_ASA_IP/32
        proto = udp
        secret = very_complicated_secret
        require_message_authenticator = no
        nas_type = cisco # localhost isn't usually a NAS...
        limit {
                max_connections = 16
                lifetime = 0
                idle_timeout = 30
        }
}

We plan to put all TACACS rules/acls on ASA.

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
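The clients.conf quoted in the thread is the part of this setup that decides which NAS devices the RADIUS frontend to IPA trusts, so it is the file a reviewer reads first. As an added example (not code from the thread, the FreeIPA guide or FreeRADIUS itself), here is a small Python audit that parses a clients.conf-style file and flags the settings worth questioning before a proof of concept goes to production: `require_message_authenticator = no`, short or placeholder-looking shared secrets, one secret reused across clients, and wildcard source addresses. The sample configuration embedded in it is constructed with RFC 5737 documentation addresses, and the thresholds and placeholder patterns are this example's own assumptions, not FreeRADIUS defaults.

```python
"""Audit a FreeRADIUS clients.conf for weak NAS client definitions.

Added example for this thread, not code from the FreeIPA guide or the list.
The parser covers only the "key = value" / "name { ... }" subset of the
FreeRADIUS config syntax that clients.conf uses; MIN_SECRET_LEN and
PLACEHOLDER_RE are this example's assumed policy, not server defaults.
"""
import re
from typing import Dict, List

# Constructed sample modelled on the clients.conf quoted in the thread;
# the addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_CLIENTS_CONF = """
client default {
    ipaddr = 192.0.2.10/32
    proto = udp
    secret = very_secure_pass
    require_message_authenticator = no
    nas_type = cisco # localhost isn't usually a NAS...
    limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
    }
}
client localhost_ipv6 {
    ipv6addr = ::1
    secret = very_secure_pass
}
client asa-V {
    ipaddr = 198.51.100.5/32
    proto = udp
    secret = very_complicated_secret
    require_message_authenticator = no
    nas_type = cisco
}
"""

# The same ASA client with the settings the audit asks for (constructed).
HARDENED_CLIENTS_CONF = """
client asa-V {
    ipaddr = 198.51.100.5/32
    proto = udp
    secret = q9Lm2vT8wZr4Hn6Jd1Ks
    require_message_authenticator = yes
}
"""

MIN_SECRET_LEN = 16  # assumed policy threshold
PLACEHOLDER_RE = re.compile(r"pass|secret|testing123|changeme", re.I)


def parse_conf(text: str) -> Dict:
    """Parse nested 'name { ... }' blocks into dicts; values stay strings.

    Trailing '#' comments are stripped, so this subset parser cannot handle
    a secret that itself contains '#'.
    """
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            block: Dict = {}
            stack[-1][" ".join(line[:-1].split())] = block  # e.g. "client asa-V"
            stack.append(block)
        elif line == "}":
            stack.pop()
            if not stack:
                raise ValueError("unbalanced closing brace")
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip().strip('"')
        else:
            raise ValueError(f"unparsable line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def audit_clients(conf: Dict) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings: List[str] = []
    secret_users: Dict[str, List[str]] = {}
    for name, block in conf.items():
        if not name.startswith("client "):
            continue
        label = name.split(None, 1)[1]
        addr = block.get("ipaddr") or block.get("ipv6addr")
        if addr is None:
            findings.append(f"{label}: no ipaddr/ipv6addr, so no NAS can match this client")
        elif addr == "*" or addr.endswith("/0"):
            findings.append(f"{label}: address {addr} accepts RADIUS from any source")
        secret = block.get("secret", "")
        if len(secret) < MIN_SECRET_LEN:
            findings.append(f"{label}: shared secret shorter than {MIN_SECRET_LEN} characters")
        if PLACEHOLDER_RE.search(secret):
            findings.append(f"{label}: shared secret looks like a placeholder")
        secret_users.setdefault(secret, []).append(label)
        # An Access-Request without a Message-Authenticator attribute is not
        # integrity-protected; only the server's reply is bound to the secret.
        if block.get("require_message_authenticator", "no").lower() != "yes":
            findings.append(f"{label}: require_message_authenticator is not 'yes'")
    for secret, labels in secret_users.items():
        if len(labels) > 1:
            findings.append("shared secret reused by clients: " + ", ".join(labels))
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse a clients.conf string and audit it."""
    return audit_clients(parse_conf(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CLIENTS_CONF):
        print(finding)
```

Run against the sample it reports seven findings (two per client plus the secret shared between `default` and `localhost_ipv6`), and nothing for the hardened ASA block. The `localhost_ipv6` entry is worth a second look in the real file as well: it carries the same secret as the IPA server's client and inherits the default `require_message_authenticator = no`.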