Bug 1364552 - Unable to login with OTP when RADIUS proxy is configured to a user
Summary: Unable to login with OTP when RADIUS proxy is configured to a user
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-08-05 17:00 UTC by Varun Mylaraiah
Modified: 2016-08-09 10:43 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-09 10:43:53 UTC



Description Varun Mylaraiah 2016-08-05 17:00:51 UTC
Description of problem:
Unable to login with OTP when RADIUS proxy is configured to a user

Version-Release number of selected component (if applicable):

Tested in both IPA versions:
ipa-server-4.2.0-15.el7_2.18.x86_64
ipa-server-4.4.0-4.el7.x86_64

How reproducible:
100%

Steps to Reproduce:
Step 1) kinit as otpuser 
Step 2) kinit as admin and modify user authentication type to "otp" and "radius"
Step 3) Now configure RADIUS proxy to the user
Step 4) try to kinit as otpuser
Step 5) Remove RADIUS proxy configuration 
Step 6) Again kinit as otpuser

Step 1) kinit as otpuser
# kinit -T KEYRING:persistent:0:0 tuser01
Enter OTP Token Value: 
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_GcFvleK
Default principal: tuser01@TESTRELM.TEST

Valid starting       Expires              Service principal
2016-08-05T18:37:09  2016-08-06T18:37:02  krbtgt/TESTRELM.TEST@TESTRELM.TEST

Step 2) kinit as admin and modify user authentication type to "otp" and "radius"
#  ipa user-mod tuser01 --user-auth-type=radius --user-auth-type=otp
-----------------------
Modified user "tuser01"
-----------------------
  User login: tuser01
  First name: a
  Last name: a
  Home directory: /home/tuser01
  Login shell: /bin/sh
  Principal name: tuser01@TESTRELM.TEST
  Principal alias: tuser01@TESTRELM.TEST
  Email address: tuser01@testrelm.test
  UID: 64000003
  GID: 64000003
  User authentication types: otp, radius
  Account disabled: False
  Password: True
  Member of groups: ipausers, usergrp01
  Indirect Member of netgroup: netgrp01
  Kerberos keys available: True

Step 3) Now configure RADIUS proxy to the user  
#  ipa user-mod tuser01 --radius=testproxy01
-----------------------
Modified user "tuser01"
-----------------------
  User login: tuser01
  First name: a
  Last name: a
  Home directory: /home/tuser01
  Login shell: /bin/sh
  Principal name: tuser01@TESTRELM.TEST
  Principal alias: tuser01@TESTRELM.TEST
  Email address: tuser01@testrelm.test
  UID: 64000003
  GID: 64000003
  User authentication types: otp, radius
  RADIUS proxy configuration: testproxy01
  Account disabled: False
  Password: True
  Member of groups: ipausers, usergrp01
  Indirect Member of netgroup: netgrp01
  Kerberos keys available: True

Step 4) try to kinit as otpuser
# kinit -T KEYRING:persistent:0:0 tuser01
Enter OTP Token Value: 
kinit: Preauthentication failed while getting initial credentials

Step 5) Remove RADIUS proxy configuration 
#  ipa user-mod tuser01 --radius=
-----------------------
Modified user "tuser01"
-----------------------
  User login: tuser01
  First name: a
  Last name: a
  Home directory: /home/tuser01
  Login shell: /bin/sh
  Principal name: tuser01@TESTRELM.TEST
  Principal alias: tuser01@TESTRELM.TEST
  Email address: tuser01@testrelm.test
  UID: 64000003
  GID: 64000003
  User authentication types: otp, radius
  Account disabled: False
  Password: True
  Member of groups: ipausers, usergrp01
  Indirect Member of netgroup: netgrp01
  Kerberos keys available: True

Step 6) Again kinit as otpuser
# kinit -T KEYRING:persistent:0:0 tuser01
Enter OTP Token Value: 
# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_GcFvleK
Default principal: tuser01@TESTRELM.TEST

Valid starting       Expires              Service principal
2016-08-05T18:43:43  2016-08-06T18:43:31  krbtgt/TESTRELM.TEST@TESTRELM.TEST


Actual results:
In step 4 otpuser fails to log in.

Expected results:
Login should be successful for both authentication types because the user has both types of authentication (User authentication types: otp, radius).

Comment 3 Petr Vobornik 2016-08-06 12:19:14 UTC
The report is missing what OTP tokens the user has assigned, what RADIUS proxies are used/configured in the test, and what OTP tokens are used for the kinit steps.

Comment 4 Alexander Bokovoy 2016-08-08 13:45:09 UTC
This is incorrect use of the feature. Read http://www.freeipa.org/page/V4/OTP#Proprietary_OTP_Support

-----
Many administrators will be migrating from a proprietary OTP solution to the FreeIPA integrated OTP support. However, for large deployments, an all-at-once migration is often not possible. FreeIPA should handle this case by providing a way to offload OTP validation to a 3rd-party RADIUS server for a subset of the users.

To handle this, an administrator can create a set of RADIUS proxies (each proxy can contain multiple individual RADIUS servers). A user can be assigned to one of these proxies. While a user has a RADIUS proxy assigned, all other mechanisms are bypassed. When the user is ready to be migrated to the FreeIPA native OTP system, the RADIUS proxy assignment for the user is simply removed.

FreeIPA provides no token management or synchronization support for tokens in the 3rd-party system. 
-----

Namely: "While a user has a RADIUS proxy assigned, all other mechanisms are bypassed."
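An audit check for the behaviour quoted in this comment (an added example, not code from the report, from FreeIPA or from the commenter): it parses `ipa user-show`-style output in the key/value layout shown in the report and lists users whose native OTP setting is inert because a RADIUS proxy is assigned to them, which is exactly the situation in step 4 of the report. The sample output below is constructed; the field names follow the report above.

```python
import re

# Constructed sample: `ipa user-show` output for three users, in the same
# "  Key: value" layout as the report. Values are made up for the example.
SAMPLE_OUTPUT = """\
  User login: tuser01
  User authentication types: otp, radius
  RADIUS proxy configuration: testproxy01
  Account disabled: False

  User login: tuser02
  User authentication types: otp
  Account disabled: False

  User login: tuser03
  User authentication types: radius
  RADIUS proxy configuration: testproxy01
  Account disabled: False
"""

FIELD_RE = re.compile(r"^\s*([^:]+):\s*(.*)$")


def parse_user_show(text):
    """Split blank-line-separated `ipa user-show` blocks into dicts keyed by field name."""
    users, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                users.append(current)
                current = {}
            continue
        match = FIELD_RE.match(line)
        if match:
            key, value = match.group(1).strip(), match.group(2).strip()
            current[key] = value
    if current:
        users.append(current)
    return users


def auth_types(user):
    """Configured authentication types as a set, e.g. {'otp', 'radius'}."""
    raw = user.get("User authentication types", "")
    return {t.strip() for t in raw.split(",") if t.strip()}


def has_radius_proxy(user):
    """True when a RADIUS proxy is assigned (an empty value means none)."""
    return bool(user.get("RADIUS proxy configuration"))


def effective_mechanisms(user):
    """Mechanisms the KDC will actually consult, per the FreeIPA design text
    quoted in the comment: an assigned RADIUS proxy bypasses everything else."""
    if has_radius_proxy(user):
        return {"radius"}
    return auth_types(user)


def find_shadowed_otp(users):
    """Logins whose 'otp' auth type is never used because a RADIUS proxy is set."""
    return [u["User login"] for u in users
            if "otp" in auth_types(u) and has_radius_proxy(u)]


if __name__ == "__main__":
    parsed = parse_user_show(SAMPLE_OUTPUT)
    for u in parsed:
        print(u["User login"], sorted(effective_mechanisms(u)))
    print("native OTP shadowed by RADIUS proxy:", find_shadowed_otp(parsed))
```

In a real deployment the input would come from `ipa user-find --all` or a loop over `ipa user-show`; the check flags tuser01 here, whose native token can never be tried while testproxy01 is assigned, which is the condition the reporter hit.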

Comment 5 Varun Mylaraiah 2016-08-08 15:56:14 UTC
(In reply to Alexander Bokovoy from comment #4)
> This is incorrect use of the feature. Read
> http://www.freeipa.org/page/V4/OTP#Proprietary_OTP_Support
> 
> -----
> Many administrators will be migrating from a proprietary OTP solution to the
> FreeIPA integrated OTP support. However, for large deployments, an
> all-at-once migration is often not possible. FreeIPA should handle this case
> by providing a way to offload OTP validation to a 3rd-party RADIUS server
> for a subset of the users.
> 
> To handle this, an administrator can create a set of RADIUS proxies (each
> proxy can contain multiple individual RADIUS servers). A user can be
> assigned to one of these proxies. While a user has a RADIUS proxy assigned,
> all other mechanisms are bypassed. When the user is ready to be migrated to
> the FreeIPA native OTP system, the RADIUS proxy assignment for the user is
> simply removed.
> 
> FreeIPA provides no token management or synchronization support for tokens
> in the 3rd-party system. 
> -----
> 
> Namely: "While a user has a RADIUS proxy assigned, all other mechanisms are
> bypassed."


OK, got it. Thanks! Will close this as Not a Bug.

