Description of problem:
The Freeradius (FR) is not FIPS compliant because it uses MD5 function. But in RHEL7 it was possible to use a workaround with the environment variable "OPENSSL_FIPS_NON_APPROVED_ALLOW=1" and configure FR authentication in FIPS  or use ipa-otp via RADIUS proxy in FIPS described here .
I have tried these scenarios (the second after the BZ#1872689 for krb5 was fixed ) on RHEL8.4 and they work without any workaround (env. variable "OPENSSL_FIPS_NON_APPROVED_ALLOW=1 is not supported on RHEL8). It means that it was possible to authenticate FR user on radiusd server in FIPS. In my opinion, it is not correct behavior because FR uses MD5 functions which are forbidden in FIPS and the customer, who enabled FIPS mode, expects that all these old and weak ciphers/functions are disabled in FIPS mode.
Because we want to support these scenarios [3 c#21] I would prefer the old behavior from RHEL7. The FR should NOT work in FIPS in RHEL8 but with the help of some env. variable or some extra option in FR (something similar to "radius_md5_fips_override=true" in krb5) the user could be authenticated on FR server in FIPS.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Scenario1 - https://access.redhat.com/solutions/4650511
Scenario2 - https://bugzilla.redhat.com/show_bug.cgi?id=1872689#c0
FR authentication should work in FIPS only with some workaround mentioned above.
The list of related documentation is here
(This docu should be modified as soon as this bug is fixed)
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (freeradius bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
Does this workaround and Known issue apply to RHEL 8.6 also? Thanks