Re: [Freeipa-users] Openwrt-Freeradius-FreeIPA

2017-05-09 Thread Johan Vermeulen
Hello All,

not trying to push for an answer here;
but in reply to this post I got a lot of spam that I don't want my wife or
kids to see.

This is only my second post here so I'm just wondering if I'm ending up in
spam because I'm getting this spam
or if the question is just very far-fetched.

Greetings, J.

2017-05-07 20:16 GMT+02:00 Johan Vermeulen <jameslas...@gmail.com>:

> Hello All,
>
> I have sent the same mail a few days ago, but I think it ended up in
> spam...
>
> We have FreeIPA running on Centos7
> [root@freeipa03 ~]# cat /etc/*release
> CentOS Linux release 7.2.1511 (Core)
>
> Not fully updated but that is planned.
>
> [root@freeipa03 ~]# yum list installed | grep ipa
> ipa-admintools.x86_64        4.2.0-15.0.1.el7.centos.19   @updates
> ipa-client.x86_64            4.2.0-15.0.1.el7.centos.19   @updates
> ipa-python.x86_64            4.2.0-15.0.1.el7.centos.19   @updates
> ipa-server.x86_64            4.2.0-15.0.1.el7.centos.19   @updates
> ipa-server-dns.x86_64        4.2.0-15.0.1.el7.centos.19   @updates
> libipa_hbac.x86_64           1.13.0-40.el7_2.12           @updates
> python-iniparse.noarch       0.4-9.el7                    @anaconda
> python-libipa_hbac.x86_64    1.13.0-40.el7_2.12           @updates
> sssd-ipa.x86_64              1.13.0-40.el7_2.12           @updates
>
> We are using FreeIPA to authenticate laptops/users, that works great.
> Thank you for making that possible!
>
> Now I bought some Linksys access points and installed Openwrt on them.
> Next I'm following the second part of this wiki:
>
> https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7
>
> starting from: install, configure and test RADIUS server as a frontend to
> IPA.
>
> That works great, up to the point where I can do the radtest:
>
> [root@freeipa03 ~]# radtest test password123 192.168.250.12 1812 testing1234
> Sending Access-Request Id 26 from 0.0.0.0:44889 to 192.168.250.12:1812
> User-Name = 'test'
> User-Password = 'password123'
> NAS-IP-Address = 192.168.250.12
> NAS-Port = 1812
> Message-Authenticator = 0x00
> Received Access-Accept Id 26 from 192.168.250.12:1812 to 192.168.250.12:44889 length 20
>
> where user test is in freeipa and 192.168.250.12 is the vpn address of
> the ipa server.
>
> My question now is: is it possible to have users connect with the
> Linksys/Openwrt access point using username/password from FreeIPA?
> So far I'm not getting past EM:
>
> Error: Ignoring request to auth address * port 1812 as server default from
> unknown client 10.10.20.117 port 55421 proto udp
>
> where 10.10.20.117 is the Openwrt access point.
>
> I added the access point to /etc/radddb/client.conf in a number of ways,
> but nothing changes. Now I'm thinking, because Freeradius now reads from
> FreeIPA, it doesn't recognize the access point.
>
> Thanks for any advice.
>
> greetings, J.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

[Freeipa-users] Openwrt-Freeradius-FreeIPA

2017-05-07 Thread Johan Vermeulen
Hello All,

I have sent the same mail a few days ago, but I think it ended up in
spam...

We have FreeIPA running on Centos7
[root@freeipa03 ~]# cat /etc/*release
CentOS Linux release 7.2.1511 (Core)

Not fully updated but that is planned.

[root@freeipa03 ~]# yum list installed | grep ipa
ipa-admintools.x86_64        4.2.0-15.0.1.el7.centos.19   @updates
ipa-client.x86_64            4.2.0-15.0.1.el7.centos.19   @updates
ipa-python.x86_64            4.2.0-15.0.1.el7.centos.19   @updates
ipa-server.x86_64            4.2.0-15.0.1.el7.centos.19   @updates
ipa-server-dns.x86_64        4.2.0-15.0.1.el7.centos.19   @updates
libipa_hbac.x86_64           1.13.0-40.el7_2.12           @updates
python-iniparse.noarch       0.4-9.el7                    @anaconda
python-libipa_hbac.x86_64    1.13.0-40.el7_2.12           @updates
sssd-ipa.x86_64              1.13.0-40.el7_2.12           @updates

We are using FreeIPA to authenticate laptops/users, that works great. Thank
you for making that possible!

Now I bought some Linksys access points and installed Openwrt on them.
Next I'm following the second part of this wiki:

https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7

starting from: install, configure and test RADIUS server as a frontend to
IPA.

That works great, up to the point where I can do the radtest:

[root@freeipa03 ~]# radtest test password123 192.168.250.12 1812 testing1234
Sending Access-Request Id 26 from 0.0.0.0:44889 to 192.168.250.12:1812
User-Name = 'test'
User-Password = 'password123'
NAS-IP-Address = 192.168.250.12
NAS-Port = 1812
Message-Authenticator = 0x00
Received Access-Accept Id 26 from 192.168.250.12:1812 to 192.168.250.12:44889 length 20

where user test is in freeipa and 192.168.250.12 is the vpn address of the
ipa server.

My question now is: is it possible to have users connect with the
Linksys/Openwrt access point using username/password from FreeIPA?
So far I'm not getting past EM:

Error: Ignoring request to auth address * port 1812 as server default from
unknown client 10.10.20.117 port 55421 proto udp

where 10.10.20.117 is the Openwrt access point.

I added the access point to /etc/radddb/client.conf in a number of ways,
but nothing changes. Now I'm thinking, because Freeradius now reads from
FreeIPA, it doesn't recognize the access point.

Thanks for any advice.

greetings, J.
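The "unknown client" line quoted in the post is the very first check radiusd makes on an incoming Access-Request, before it looks at any user credential: the packet's source IP must be covered by a `client` stanza in clients.conf (on CentOS 7 the FreeRADIUS package reads /etc/raddb/clients.conf), otherwise the request is dropped without a reply. The script below reproduces that decision. It is an added example, not code from the thread, from FreeIPA or from FreeRADIUS. The clients.conf it parses is constructed here: the stanza names, the placeholder secrets and the 10.10.20.0/24 network are assumptions, and only the access point address 10.10.20.117 comes from the post. It also shows why a radtest run on the RADIUS host itself can succeed while the AP is rejected: the test packet arrives from an address the server already lists, and the NAS-IP-Address attribute inside the packet plays no part in the lookup.

```python
"""Reproduce FreeRADIUS's first check on an Access-Request: is the packet's
source IP listed in clients.conf?  Added example; simplified parser, not the
FreeRADIUS implementation."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed config (not from the thread): the localhost stanza most guides
# start from.  With only this stanza, a packet from the AP is "unknown".
CONF_SERVER_ONLY = """
client localhost {
        ipaddr = 127.0.0.1
        secret = testing1234
        require_message_authenticator = no
}
"""

# Same config plus the OpenWrt AP from the thread and (assumed) its whole
# VLAN.  Secrets are placeholders: use a long random value per NAS.
CONF_WITH_AP = CONF_SERVER_ONLY + """
# Linksys/OpenWrt access point (address taken from the thread)
client ap-openwrt {
        ipaddr = 10.10.20.117
        secret = REPLACE-WITH-A-LONG-RANDOM-SECRET
        nas_type = other
}

# Whole lab VLAN (assumed); the /32 above is more specific and wins for .117
client lab-vlan {
        ipaddr = 10.10.20.0/24
        secret = ANOTHER-LONG-RANDOM-SECRET
}
"""

STANZA_RE = re.compile(r"client\s+(\S+)\s*\{([^}]*)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)


def parse_clients_conf(text: str) -> List[Dict[str, str]]:
    """Parse flat `client name { key = value }` stanzas.

    Deliberately simplified: '#' comments are stripped first and nested
    sub-sections (e.g. limit { ... }) are not handled.
    """
    text = re.sub(r"#.*", "", text)
    clients = []
    for name, body in STANZA_RE.findall(text):
        attrs = dict(KV_RE.findall(body))
        attrs["name"] = name
        clients.append(attrs)
    return clients


def client_network(attrs: Dict[str, str]):
    """Network a stanza covers: ipaddr/ipv4addr/ipv6addr, '*' meaning any IPv4."""
    addr = attrs.get("ipaddr") or attrs.get("ipv4addr") or attrs.get("ipv6addr")
    if addr is None:
        raise ValueError(f"client {attrs['name']}: no ipaddr")
    if addr == "*":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(addr, strict=False)


def find_client(clients: List[Dict[str, str]], source_ip: str) -> Optional[Dict[str, str]]:
    """Longest-prefix match of the packet's source IP against the stanzas."""
    src = ipaddress.ip_address(source_ip)
    best, best_len = None, -1
    for c in clients:
        net = client_network(c)
        if src.version == net.version and src in net and net.prefixlen > best_len:
            best, best_len = c, net.prefixlen
    return best


def radius_client_decision(conf_text: str, source_ip: str,
                           source_port: int = 55421) -> Tuple[Optional[str], str]:
    """Return (matched client name or None, the log line radiusd would emit).

    NAS-IP-Address is intentionally not a parameter: the attribute inside the
    packet never takes part in this check, only the UDP source address does.
    """
    match = find_client(parse_clients_conf(conf_text), source_ip)
    if match is None:
        return None, (f"Ignoring request to auth address * port 1812 as server default "
                      f"from unknown client {source_ip} port {source_port} proto udp")
    return match["name"], (f"client {match['name']} matched {source_ip}; its shared secret "
                           f"now decodes User-Password and verifies any Message-Authenticator")


if __name__ == "__main__":
    for conf, label in ((CONF_SERVER_ONLY, "server-only"), (CONF_WITH_AP, "with-AP")):
        for ip in ("127.0.0.1", "10.10.20.117", "10.10.20.50"):
            print(f"{label:12} {ip:14} -> {radius_client_decision(conf, ip)[1]}")
```

Two practical notes that are not in the thread: FreeRADIUS reads clients.conf at start-up, so restart radiusd (or run it in the foreground with `radiusd -X`) after adding the stanza and watch which source address the access point actually uses, since a NAT or a second interface on the AP changes it. And an access point doing WPA2-Enterprise speaks EAP, not plain PAP like radtest does; with a backend that validates a cleartext password against IPA, the inner method has to be one that hands the server that password (for example EAP-TTLS with PAP), whereas PEAP/MSCHAPv2 needs NT hashes that a default FreeIPA install does not expose to FreeRADIUS.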

[Freeipa-users] Openwrt-Freeradius-FreeIPA

2017-05-05 Thread Johan Vermeulen
Hello All,

We have FreeIPA running on Centos7
[root@freeipa03 ~]# cat /etc/*release
CentOS Linux release 7.2.1511 (Core)

Not fully updated but that is planned.

[root@freeipa03 ~]# yum list installed | grep ipa
ipa-admintools.x86_64        4.2.0-15.0.1.el7.centos.19   @updates
ipa-client.x86_64            4.2.0-15.0.1.el7.centos.19   @updates
ipa-python.x86_64            4.2.0-15.0.1.el7.centos.19   @updates
ipa-server.x86_64            4.2.0-15.0.1.el7.centos.19   @updates
ipa-server-dns.x86_64        4.2.0-15.0.1.el7.centos.19   @updates
libipa_hbac.x86_64           1.13.0-40.el7_2.12           @updates
python-iniparse.noarch       0.4-9.el7                    @anaconda
python-libipa_hbac.x86_64    1.13.0-40.el7_2.12           @updates
sssd-ipa.x86_64              1.13.0-40.el7_2.12           @updates

We are using FreeIPA to authenticate laptops/users, that works great. Thank
you for making that possible!

Now I bought some Linksys access points and installed Openwrt on them.
Next I'm following the second part of this wiki:

https://www.freeipa.org/page/Using_FreeIPA_and_FreeRadius_as_a_RADIUS_based_software_token_OTP_system_with_CentOS/RedHat_7

starting from: install, configure and test RADIUS server as a frontend to
IPA.

That works great, up to the point where I can do the radtest:

[root@freeipa03 ~]# radtest test password123 192.168.250.12 1812 testing1234
Sending Access-Request Id 26 from 0.0.0.0:44889 to 192.168.250.12:1812
User-Name = 'test'
User-Password = 'password123'
NAS-IP-Address = 192.168.250.12
NAS-Port = 1812
Message-Authenticator = 0x00
Received Access-Accept Id 26 from 192.168.250.12:1812 to 192.168.250.12:44889 length 20

where user test is in freeipa and 192.168.250.12 is the vpn address of the
ipa server.

My question now is: is it possible to have users connect with the
Linksys/Openwrt access point using username/password from FreeIPA?
So far I'm not getting past EM:

Error: Ignoring request to auth address * port 1812 as server default from
unknown client 10.10.20.117 port 55421 proto udp

where 10.10.20.117 is the Openwrt access point.

I added the access point to /etc/radddb/client.conf in a number of ways,
but nothing changes. Now I'm thinking, because Freeradius now reads from
FreeIPA, it doesn't recognize the access point.

Thanks for any advice.

greetings, J.

Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts

2017-04-12 Thread Johan Vermeulen
Hello Rob,

doing it this way indeed works.
Thanks for helping me out.

Greetings, J.

2017-04-11 16:54 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:

> Johan Vermeulen wrote:
> > Rob,
> >
> > thanks for helping me out.
> > I support some 80 laptop users at the moment, all running Centos7.
> > The users are now in ldap, the laptops ( hosts) are not. I'm testing the
> > ability to add the laptops as hosts.
> >
> > Under "identity - hosts", when selecting a host, I go to "actions". The
> > only way I see to disable (block) a host, which is what I would do when
> > a laptop is stolen for instance, is unprovision.
> > I then tried to re-provision it, I see no "provision" option. I tried to
> > "rebuild auto membership" and " new certificate" but that doesn't seem
> > to work.
> > I hope I'm making sense.
>
> In the case of a lost or stolen laptop then disabling the host seems
> like a good mechanism. It will revoke any certificates issued for the
> host and invalidate its keytab.
>
> Provisioning happens when ipa-client-install is run on the host [1].
> There is no facility for remote provisioning.
>
> rob
>
> [1] technically a host is provisioned when it has a keytab but this
> doesn't configure that host to actually use it and you potentially need
> to safely transfer this keytab to the host.
>

Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts

2017-04-11 Thread Johan Vermeulen
Hello,

thanks for the advice.
I will try this asap.

Greetings, J.

2017-04-11 0:51 GMT+02:00 Lachlan Musicman <data...@gmail.com>:

> On 11 April 2017 at 00:14, Johan Vermeulen <jameslas...@gmail.com> wrote:
>
>> Hello All,
>>
>> just getting started with FreeIPA and one of the first features I'm
>> trying is adding hosts, something I can't do in our current
>> ldap-setup. So I'm looking forward to being able to do this.
>> But after adding a host, the only way I see to disable it is unprovision
>> it. And after doing that, I can't find a way to re-provision the host.
>>
>> Can anybody point me in the right direction regarding this?
>>
>> Many thanks, J.
>
> Rob is right - it depends on what you are doing.
>
> But, in the mean time, here are a couple of pointers:
>
> How to enable/disable hosts
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/host-disable.html
>
>
> If what you are after is having it in the domain but restricting access,
> then you are looking for "Host Based Access Control"
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/configuring-host-access.html
>
>
> Cheers
> L.
>
> --
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper

Re: [Freeipa-users] Centos7/IPA4.2 : disable/enable hosts

2017-04-11 Thread Johan Vermeulen
Rob,

thanks for helping me out.
I support some 80 laptop users at the moment, all running Centos7.
The users are now in ldap, the laptops ( hosts) are not. I'm testing the
ability to add the laptops as hosts.

Under "identity - hosts", when selecting a host, I go to "actions". The
only way I see to disable (block) a host, which is what I would do when
a laptop is stolen for instance, is unprovision.
I then tried to re-provision it, I see no "provision" option. I tried to
"rebuild auto membership" and "new certificate" but that doesn't seem to
work.
I hope I'm making sense.

Greetings, J.

2017-04-10 21:37 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:

> Johan Vermeulen wrote:
> > Hello All,
> >
> > just getting started with FreeIPA and one of the first features I'm
> > trying is adding hosts, something I can't do in our current
> > ldap-setup. So I'm looking forward to being able to do this.
> > But after adding a host, the only way I see to disable it is unprovision
> > it. And after doing that, I can't find a way to re-provision the host.
> >
> > Can anybody point me in the right direction regarding this?
>
> I'm not sure I follow what you're doing and don't want to guess and send
> you on a wild goose chase :-)
>
> Can you elaborate on your workflow and the output you're seeing when you
> try to re-provision?
>
> rob

[Freeipa-users] Centos7/IPA4.2 : disable/enable hosts

2017-04-10 Thread Johan Vermeulen
Hello All,

just getting started with FreeIPA and one of the first features I'm trying
is adding hosts, something I can't do in our current
ldap-setup. So I'm looking forward to being able to do this.
But after adding a host, the only way I see to disable it is unprovision
it. And after doing that, I can't find a way to re-provision the host.

Can anybody point me in the right direction regarding this?

Many thanks, J.