Bug 1576133

Summary: Radius Proxy OTP Auth in IPA is not failing over to the second server in a radius-proxy
Product: Red Hat Enterprise Linux 7 Reporter: Josip Vilicic <jvilicic>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.4CC: jhrozek, ksiddiqu, myusuf, ndehadra, pasik, pvoborni, rcritten, tscherf
Target Milestone: rcKeywords: Reopened
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: ipa-4.6.4-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 10:58:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 9 Alexander Koksharov 2018-05-15 11:52:03 UTC 
Hello,
IPA does not support multiaddress radius proxy configuration. It is actually a bug that it allowed to enter multiple addresses using web interface. PR https://github.com/freeipa/freeipa/pull/1922 to fix that was created.

The customer has to use different tools to secure RADIUS cluster. I would propose to create a Virtual IP for RADIUS servers and use that IP in IPA configuration.
The VIP can be created an managed by, for example, keepalied daemon. Please check http://www.keepalived.org/ for more details.

Thank you

--
Alexander.
Comment 10 Rob Crittenden 2018-05-15 14:58:19 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7542
Comment 11 Rob Crittenden 2018-05-15 15:00:10 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7542
Comment 12 Rob Crittenden 2018-05-15 15:01:59 UTC 
Re-opening to track making this a single-value field.
Comment 13 Rob Crittenden 2018-05-21 18:30:34 UTC 
master:
    b82af69 Radius proxy multiservers fix

ipa-4-6:
    875dfc4 Radius proxy multiservers fix

ipa-4-5:
    6b2653d Radius proxy multiservers fix
Comment 18 Mohammad Rizwan 2018-08-24 13:30:49 UTC 
version:
ipa-server-4.6.4-6.el7.x86_64

Steps:

Execute upstream xmlrpc test for radiusproxy_plugin :

1. install ipa server

2. create symlink to ipa's default.conf
   $ ln -s /etc/ipa/default.conf ~/.ipa/default.conf

3. kinit admin

4. convert ca pkcs12 to pem format and place it in ~/.ipa/

  $ openssl pkcs12 -in cacert.p12 -out ~/.ipa/ca.crt -nodes

5. execute testsuite

ipa-run-tests -v -r a --logging-level=DEBUG test_xmlrpc/test_radiusproxy_plugin.py

Actual result:

[..]
test_xmlrpc/test_radiusproxy_plugin.py::test_raduisproxy::test_command[0003: radiusproxy_add: Try to add multiple radius proxy server u'testradius'] <- xmlrpc_test.py [ipalib.rpc] [try 1]: Forwarding 'radiusproxy_add/1' to json server 'https://master.testrelm.test/ipa/json'
PASSED
[..]


Full console logs with all test cases are provided.

All tests are passing, hence marking bug as verified.
Comment 20 errata-xmlrpc 2018-10-30 10:58:39 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187