Freeradius w/ FreeIPA and DUO 2FA
Apologizing for starting a new thread I had messages turned off for a while. But this continues from the previous emails I sent. I have successfully gotten FreeRADIUS to work with LDAP and am working on the kerberos portion. Will these need to be configured together? When I go to configure the users would I change the Auth-Type := to krb5 instead of LDAP? Thanks! Andrew M.
On Jul 26, 2019, at 4:41 PM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Apologizing for starting a new thread I had messages turned off for a while. But this continues from the previous emails I sent. I have successfully gotten FreeRADIUS to work with LDAP and am working on the kerberos portion. Will these need to be configured together? When I go to configure the users would I change the Auth-Type := to krb5 instead of LDAP?
It depends on what you want to do. Again, give *clear explanations* as to what you have, and what you want. "configure the users" to do WHAT? We can't read your mind. You have to write things down in messages for us to understand them. Alan DeKok.
My apologies. Currently I have a FreeIPA setup which is running my LDAP database. This also has a 2-way trust to my Active Directory setup so that my Windows users can log in to Linux servers. Redhat has their own OTP/2FA/MFA built-in to FreeIPA but we want to use Duo to do MFA. I have asked on this mailing list and the FreeIPA ,ailing list and I have read that it is OR might be possible to use a 3rd party MFA service such as Duo instead of the built-in on e from Redhat. However the only way to achieve this is through a RADIUS server. Some of the other articles that I have read along with answer to questions I have posed on the FreeRADIUS and FreeIPA mailing list say that in order to to use a 3rd party MFA/2FA service with FreeIPA I will need to setup Kerberos authentication to make this happen. I have configured freeRADIUS with your repo from networkradius.com to use LDAP and kerberos (not at the same time). What is the best way to configure with RADIUS to achieve my goal? Also, I have already generated a Kerberos Ticket/Token from FreeIPA and installed it on my radius server. I have configured FreeRADIUS to look at that token upon starting the service. My next question/issue is: Do I just change the Auth-Type in the /etc/raddb/users config to krb5? I suspect there MIGHT be more I have to do. Looking for further guidance and hope this helps. Thanks again,Andrew On Friday, July 26, 2019, 06:22:13 PM CDT, Alan DeKok <aland@deployingradius.com> wrote: On Jul 26, 2019, at 4:41 PM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Apologizing for starting a new thread I had messages turned off for a while. But this continues from the previous emails I sent. I have successfully gotten FreeRADIUS to work with LDAP and am working on the kerberos portion. Will these need to be configured together? When I go to configure the users would I change the Auth-Type := to krb5 instead of LDAP?
It depends on what you want to do. Again, give *clear explanations* as to what you have, and what you want. "configure the users" to do WHAT? We can't read your mind. You have to write things down in messages for us to understand them. Alan DeKok.
On Jul 29, 2019, at 10:59 AM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
My apologies. Currently I have a FreeIPA setup which is running my LDAP database. This also has a 2-way trust to my Active Directory setup so that my Windows users can log in to Linux servers. Redhat has their own OTP/2FA/MFA built-in to FreeIPA but we want to use Duo to do MFA.
OK. What kind of multi-factor authentication? You're talking about high-level concepts, not technical details. What goes into the packets / password / whatever? What parts of that are used for what purpose?
I have asked on this mailing list and the FreeIPA ,ailing list and I have read that it is OR might be possible to use a 3rd party MFA service such as Duo instead of the built-in on e from Redhat. However the only way to achieve this is through a RADIUS server. Some of the other articles that I have read along with answer to questions I have posed on the FreeRADIUS and FreeIPA mailing list say that in order to to use a 3rd party MFA/2FA service with FreeIPA I will need to setup Kerberos authentication to make this happen.
Maybe. But you're still being excessively vague about what you want to do. In most circumstances, two factor authentication is done via something like this: * User-Password is sent as 6 digits of token, followed by the real password * FreeRADIUS splits that into two pieces * the token part is checked against the token server * if it fails the user is rejected * otherwise, the password part is checked against the LDAP server. Do you have a similar description you can give? And no, we don't want more buzzwords of "2FA MFA using LDAP and Kerberos".
I have configured freeRADIUS with your repo from networkradius.com to use LDAP and kerberos (not at the same time). What is the best way to configure with RADIUS to achieve my goal?
Use words to describe the goal you want to achieve. Right now, you're just posting sentences that contain mish-mashes of technological verbiage. There's no *goal* being described.
Also, I have already generated a Kerberos Ticket/Token from FreeIPA and installed it on my radius server. I have configured FreeRADIUS to look at that token upon starting the service. My next question/issue is: Do I just change the Auth-Type in the /etc/raddb/users config to krb5? I suspect there MIGHT be more I have to do.
Very likely, yes. But since you're not describing what you want to do, it's impossible to give you any advice. And, it's impossible to implement anything. This isn't difficult. Write down what you want to happen, as I did above. If you can't do that, then what you want is impossible. Alan DeKok.
Hello,What I want to do is bypass the 2FA solution built in to FreeIPA/IPA and use DUO instead when users SSH into servers. The goal is to use FreeIPA with DUO but since FreeIPA has its own 2FA/OTP built-in I need to put a RADIUS server in to use a 3rd party 2FA. Hope this helps in assisting me with my configuration issues. Thank you again,Andrew On Monday, July 29, 2019, 12:24:52 PM CDT, Alan DeKok <aland@deployingradius.com> wrote: On Jul 29, 2019, at 10:59 AM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
My apologies. Currently I have a FreeIPA setup which is running my LDAP database. This also has a 2-way trust to my Active Directory setup so that my Windows users can log in to Linux servers. Redhat has their own OTP/2FA/MFA built-in to FreeIPA but we want to use Duo to do MFA.
OK. What kind of multi-factor authentication? You're talking about high-level concepts, not technical details. What goes into the packets / password / whatever? What parts of that are used for what purpose?
I have asked on this mailing list and the FreeIPA ,ailing list and I have read that it is OR might be possible to use a 3rd party MFA service such as Duo instead of the built-in on e from Redhat. However the only way to achieve this is through a RADIUS server. Some of the other articles that I have read along with answer to questions I have posed on the FreeRADIUS and FreeIPA mailing list say that in order to to use a 3rd party MFA/2FA service with FreeIPA I will need to setup Kerberos authentication to make this happen.
Maybe. But you're still being excessively vague about what you want to do. In most circumstances, two factor authentication is done via something like this: * User-Password is sent as 6 digits of token, followed by the real password * FreeRADIUS splits that into two pieces * the token part is checked against the token server * if it fails the user is rejected * otherwise, the password part is checked against the LDAP server. Do you have a similar description you can give? And no, we don't want more buzzwords of "2FA MFA using LDAP and Kerberos".
I have configured freeRADIUS with your repo from networkradius.com to use LDAP and kerberos (not at the same time). What is the best way to configure with RADIUS to achieve my goal?
Use words to describe the goal you want to achieve. Right now, you're just posting sentences that contain mish-mashes of technological verbiage. There's no *goal* being described.
Also, I have already generated a Kerberos Ticket/Token from FreeIPA and installed it on my radius server. I have configured FreeRADIUS to look at that token upon starting the service. My next question/issue is: Do I just change the Auth-Type in the /etc/raddb/users config to krb5? I suspect there MIGHT be more I have to do.
Very likely, yes. But since you're not describing what you want to do, it's impossible to give you any advice. And, it's impossible to implement anything. This isn't difficult. Write down what you want to happen, as I did above. If you can't do that, then what you want is impossible. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Aug 2, 2019, at 11:13 AM, Andrew Meyer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
Hello,What I want to do is bypass the 2FA solution built in to FreeIPA/IPA and use DUO instead when users SSH into servers. The goal is to use FreeIPA with DUO but since FreeIPA has its own 2FA/OTP built-in I need to put a RADIUS server in to use a 3rd party 2FA. Hope this helps in assisting me with my configuration issues.
No. I asked you to post a step-by-step description of what should happen. I asked that you *not* post more buzzwords. Instead, you posted more buzzwords. You can't describe what you want the systems to do, which means that it's impossible for anyone to help you. This shouldn't be difficult. Describe what goes into the packet, and what FreeRADIUS does with that information. I've asked for this before, and you ignored that request. That isn't helpful. Give a good description of the problem. If you can't do this, I'll just ignore messages that contain nothing more than buzzwords. Alan DeKok.
participants (2)
-
Alan DeKok -
Andrew Meyer