Bug 1576133 - Radius Proxy OTP Auth in IPA is not failing over to the second server in a radius-proxy
Summary: Radius Proxy OTP Auth in IPA is not failing over to the second server in a ra...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-08 23:46 UTC by Josip Vilicic
Modified: 2018-10-30 10:59 UTC (History)
8 users (show)

Fixed In Version: ipa-4.6.4-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 10:58:39 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3187 0 None None None 2018-10-30 10:59:53 UTC

Comment 9 Alexander Koksharov 2018-05-15 11:52:03 UTC
Hello,
IPA does not support multiaddress radius proxy configuration. It is actually a bug that it allowed to enter multiple addresses using web interface. PR https://github.com/freeipa/freeipa/pull/1922 to fix that was created.

The customer has to use different tools to secure RADIUS cluster. I would propose to create a Virtual IP for RADIUS servers and use that IP in IPA configuration.
The VIP can be created an managed by, for example, keepalied daemon. Please check http://www.keepalived.org/ for more details.

Thank you

--
Alexander.

Comment 10 Rob Crittenden 2018-05-15 14:58:19 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7542

Comment 11 Rob Crittenden 2018-05-15 15:00:10 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7542

Comment 12 Rob Crittenden 2018-05-15 15:01:59 UTC
Re-opening to track making this a single-value field.

Comment 13 Rob Crittenden 2018-05-21 18:30:34 UTC
master:
    b82af69 Radius proxy multiservers fix

ipa-4-6:
    875dfc4 Radius proxy multiservers fix

ipa-4-5:
    6b2653d Radius proxy multiservers fix

Comment 18 Mohammad Rizwan 2018-08-24 13:30:49 UTC
version:
ipa-server-4.6.4-6.el7.x86_64

Steps:

Execute upstream xmlrpc test for radiusproxy_plugin :

1. install ipa server

2. create symlink to ipa's default.conf
   $ ln -s /etc/ipa/default.conf ~/.ipa/default.conf

3. kinit admin

4. convert ca pkcs12 to pem format and place it in ~/.ipa/

  $ openssl pkcs12 -in cacert.p12 -out ~/.ipa/ca.crt -nodes

5. execute testsuite

ipa-run-tests -v -r a --logging-level=DEBUG test_xmlrpc/test_radiusproxy_plugin.py

Actual result:

[..]
test_xmlrpc/test_radiusproxy_plugin.py::test_raduisproxy::test_command[0003: radiusproxy_add: Try to add multiple radius proxy server u'testradius'] <- xmlrpc_test.py [ipalib.rpc] [try 1]: Forwarding 'radiusproxy_add/1' to json server 'https://master.testrelm.test/ipa/json'
PASSED
[..]


Full console logs with all test cases are provided.

All tests are passing, hence marking bug as verified.

Comment 20 errata-xmlrpc 2018-10-30 10:58:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187


Note You need to log in before you can comment on or make changes to this bug.