It’s not entirely clear to me what the configuration is. You say “second factor.” If
you’re using 2FA, things that normally work no longer do.
If you’re putting Freeradius in front of IPA, neither of the ways Freeradius would talk to
IPA works with 2FA. LDAP doesn’t work, because the IPA LDAP server doesn’t know about 2FA
except the builtin FreeOTP support. The Freeradius Kerberos support won’t work for any
2FA, even FreeOTP, because their Kerberos code doesn’t use the APIs necessary to support
, you’ll find radius-wrap, which can be used with
Freeradius’ Kerberos module to make it work with 2FA. The code works, but if someone is
going to use it in production I’d do something to make it more convenient to use. I’ve
chosen to use LD_PRELOAD to wrap the existing code, rather than supplying a fixed version
of the Kerberos module, because I thought it might make updating to new versions easier.
In the same place you’ll find ldap-proxy. These are instructions to set up Openldap in front
of IPA’s LDAP. It does Kerberos authentication with 2FA support, and thus can handle all
types of authentication that IPA can handle. I supply an overlay (i.e. a plugin) for
Openldap to do Kerberos authentication with proper 2FA support.
Jakub: I’d really, really, like to see LDAP in Freeipa support 2FA. Having to put a proxy
in front of IPA just to handle IPA’s authentication seems silly, and an unnecessary piece
of software to support (particularly since RHEL 8 is apparently going to drop support for
On Aug 24, 2017, at 2:53 PM, Jakub Hrozek via FreeIPA-users
On Thu, Aug 24, 2017 at 10:29:35AM -0400, Steve Weeks via FreeIPA-users wrote:
We are running FreeIPA 4.4 on Centos 7 and trying to use radius
Using radtest and radclient work fine and we can authenticate a user.
The radius proxy and secret are set to match the values from radclient.
The user has the radius check box checked and the other two fields set to
appropriate values. hbactest shows that the user has permission for any
When I do "su -l rsa-user", I'm requested for the first and second
factors. After I enter them, I get "su: Authentication failure". Using a
non-radius user works fine.
The sssd_pam log has
[sssd[pam]] [pam_dp_process_reply] (0x0200): received: [17 (Failure setting
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result :
Failure setting user credentials.
Unchecking the radius checkbox and the account works fine.
Any ideas what to try or look at next?
I've never set up this configuration but I would look at the domain log
and krb5_child.log next.
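As an added example (not from anyone in the thread, and not part of sssd or FreeIPA), the small Python script below triages the kind of sssd_pam log lines Steve quoted. It extracts the numeric PAM result from each `pam_reply` line and names it using the Linux-PAM return codes, so that `17` is recognised as `PAM_CRED_ERR` ("Failure setting user credentials") rather than `PAM_AUTH_ERR`. The sample log text is constructed in the style of the two lines in the thread (which are truncated in the quote); the regex tolerates both the `[17 (message)]` and `[17]: message` spellings since the exact wording differs between sssd versions.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Linux-PAM return codes from <security/_pam_types.h>; only the ones that are
# useful when reading an sssd_pam log are listed.
PAM_CODES: Dict[int, str] = {
    0: "PAM_SUCCESS",
    7: "PAM_AUTH_ERR",
    9: "PAM_AUTHINFO_UNAVAIL",
    10: "PAM_USER_UNKNOWN",
    11: "PAM_MAXTRIES",
    12: "PAM_NEW_AUTHTOK_REQD",
    13: "PAM_ACCT_EXPIRED",
    17: "PAM_CRED_ERR",       # "Failure setting user credentials"
    20: "PAM_AUTHTOK_ERR",
}

# Constructed sample modelled on the lines quoted in the thread (not a real
# capture): one failing radius user, one success, one plain auth failure, and
# one line in the alternative "[code]: message" spelling.
SAMPLE_LOG = """\
(Thu Aug 24 10:20:01 2017) [sssd[pam]] [pam_dp_process_reply] (0x0200): received: [17 (Failure setting user credentials)]
(Thu Aug 24 10:20:01 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result : [17 (Failure setting user credentials)]
(Thu Aug 24 10:21:15 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result : [0 (Success)]
(Thu Aug 24 10:22:40 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result : [7 (Authentication failure)]
(Thu Aug 24 10:23:05 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [17]: Failure setting user credentials.
"""

# The numeric code is what matters; the message in parentheses is optional.
LINE_RE = re.compile(
    r"\[sssd\[pam\]\]\s+\[(?P<func>\w+)\]\s+\(0x[0-9a-f]+\):\s+"
    r"(?P<text>.*?)\[(?P<code>\d+)(?:\s*\((?P<msg>[^)]*)\))?\]"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the function, PAM code, its symbolic name and any message, or
    None for lines that are not sssd pam responder result lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    return {
        "func": m.group("func"),
        "code": code,
        "name": PAM_CODES.get(code, f"UNKNOWN({code})"),
        "msg": m.group("msg") or "",
    }


def triage(log_text: str) -> Dict[str, object]:
    """Count pam_reply outcomes and attach a triage hint per distinct failure
    code, so a reader sees at once which PAM step produced the error."""
    results: List[dict] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["func"] == "pam_reply":
            results.append(rec)
    counts = Counter(r["name"] for r in results)
    hints: List[str] = []
    for code in sorted({r["code"] for r in results}):
        if code == 17:
            hints.append("PAM_CRED_ERR (17): the credential-setting step failed, not "
                         "the password check; read the sssd domain log and krb5_child.log")
        elif code == 7:
            hints.append("PAM_AUTH_ERR (7): the authentication step rejected the factors")
    return {"replies": len(results), "counts": dict(counts), "hints": hints}


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['replies']} pam_reply lines: {summary['counts']}")
    for hint in summary["hints"]:
        print(" -", hint)
```

Run it against a real `/var/log/sssd/sssd_pam.log` by replacing `SAMPLE_LOG` with the file contents; the `pam_dp_process_reply` lines are parsed too but only `pam_reply` lines are counted, since each of those is the final verdict returned to the PAM client.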
FreeIPA-users mailing list --
To unsubscribe send an email to