Thanks. This pointed me in the right direction and was exactly what I needed. Ended up that I needed to add the following to the "authorize" section of /etc/raddb/sites-enabled/default : -ldap If ((ok || updated)) { update { control:Auth-Type := Kerberos } } And as you stated, add the following to the "authenticate" section of same file: Auth-Type Kerberos { Krb5 } After that, radtest worked. Now it is just normal stuff to get everything else working. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+jennings.charles.e=gmail.com@lists.freeradius.org] On Behalf Of Adam Bishop Sent: Tuesday, February 10, 2015 4:28 PM To: FreeRadius users mailing list Subject: Re: Freeradius 3.0.4 authentication to FreeIPA 4.1.2 On 10 Feb 2015, at 18:24, Charles Jennings <jennings.charles.e@gmail.com> wrote:
As a side note, I am authenticating successfully against my IPA infrastructure - I just can't seem to find the information I need to tie freeradius to freeipa.
I did this with Kerberos - no LDAP policy checks though. For my environment (CentOS 7) the rough steps were: Enrol your RADIUS server in IPA, then SSH into your FreeIPA server, and run: # kinit <<adminuser>>@YOUR.KERBEROS.REALM Then to generate a service principal (you could do this in the GUI too): # ipa-addservice radius/radius.server.yourdomain.com@YOUR.KERBEROS.REALM Then on your radius server get the key tab: # ipa-getkeytab -s radius.server.yourdomain.com. -p radius/radius.server.yourdomain.com -k /var/lib/radiusd/krb5.keytab Make sure that the radius user can see that key tab, and edit mods-enabled/krb5 ... keytab = /var/lib/radiusd/krb5.keytab service_principal = radius/radius.server.yourdomain.com ... Add a handler into the AuthZ section of your virtual servers: ... Auth-Type Kerberos { krb5 } ... You can (and should) verify the contents of the key tab with: # ktutil -k /var/lib/radiusd/krb5.keytab ktutil: rkt /var/lib/radiusd/krb5.keytab ktutil: l slot KVNO Principal ---- ---- --------------------------------------------------------------------- ... And: # kinit -k -t /var/lib/radiusd/krb5.keytab radius/radius.server.yourdomain.com # klist Ticket cache: KEYRING:persistent:0:0 Default principal: radius/radius.server.yourdomain.com ... LDAP queries would be configured exactly FreeIPA like any other LDAP server. I don't know which mechanisms FreeRADIUS supports when binding to a directory for queries, someone else on the list may be able to confirm. Thanks, Adam Bishop gpg: 0x6609D460 Janet, the UK's research and education network. Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html