AIX Open Source


Freeradius - AIX Toolbox.

  • 1.  Freeradius - AIX Toolbox.

    Posted Thu February 17, 2022 03:56 PM
    Hi, Team.

    An IBM Customer needs freeradius to test/enable 2FA on AIX servers. Is it possible to add this package to the AIXToolbox?

    Thanks in advance.

    ------------------------------
    Fabio Cruz Dos Reis
    ------------------------------


  • 2.  RE: Freeradius - AIX Toolbox.

    IBM Champion
    Posted Fri February 18, 2022 07:27 AM
    AIX has its own RADIUS implementation:

    # installp -Ld . | grep -i RADIUS
    radius.base:radius.base.rte:7.2.0.0::I:T:::::N:RADIUS Runtime ::::0:1543:
    radius.base:radius.base.rte:7.2.3.15::S:T:::::N:RADIUS Runtime::::0:1845:

    Would it suit the customer's needs?

    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 3.  RE: Freeradius - AIX Toolbox.

    Posted Fri February 18, 2022 08:34 AM

    Hi, Andrey,

    Customer wants to implement 2FA authentication with password from LDAP + RADIUS token. They want to use the pam_radius_auth.so for that. They did some tests with radius.base and it looks like it does not support such a configuration.

    Thanks



    ------------------------------
    Fabio Cruz Dos Reis
    ------------------------------



  • 4.  RE: Freeradius - AIX Toolbox.

    IBM Champion
    Posted Fri February 18, 2022 08:45 AM
    Hi Fabio,

    Yep, it doesn't have any PAM module in it. If you need only the pam_radius module, I can suggest reading the following guide:
    https://supportportal.gemalto.com/csm/sys_attachment.do?sys_id=d538e7741b5cc450f2888739cd4bcb75

    It describes how to build pam_radius_auth on AIX 6.1.

    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 5.  RE: Freeradius - AIX Toolbox.

    Posted Mon February 21, 2022 07:13 AM
    Edited by Fabio Reis Mon February 21, 2022 10:17 AM

    Hi, Andrey and Sanket.

    Thanks for the update.

    The customer had already done the procedures from page 14 onwards as a test and that's what they need. Customer also uses the "radtest" binary to test if the client can reach the Radius Server; if the client doesn't reach the server (firewall rule or other problem) 2FA is not configured.

    Is it possible to compile these modules (AIX pam_radius, radtest) and add them to the yum repository maintained by IBM?


    Thanks

    ------------------------------
    Fabio Cruz Dos Reis
    ------------------------------



  • 6.  RE: Freeradius - AIX Toolbox.

    Posted Tue February 22, 2022 12:44 AM
    Hi Fabio, We will look into it.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 7.  RE: Freeradius - AIX Toolbox.

    Posted Fri February 18, 2022 08:44 AM
    Thank you Andrey for replying, and yes, we would like to get the view of the customer on the AIX-implemented radius.

    ------------------------------
    SANKET RATHI
    ------------------------------



  • 8.  RE: Freeradius - AIX Toolbox.

    Posted Thu June 23, 2022 08:01 AM
    Edited by Fabio Reis Thu June 23, 2022 02:29 PM

    Hi, @SANKET RATHI

    I saw that freeradius-pam is now available on AIX toolbox. Customer noticed after the release of freeradius-pam that in order for them to be able to configure 2FA, other packages are needed besides freeradius-pam: radtest and others. Is it possible to request the compilation and inclusion of all freeradius packages in AIX toolbox?

    Thanks in advance.

    ------------------------------
    Fabio Reis
    ------------------------------



  • 9.  RE: Freeradius - AIX Toolbox.

    Posted Fri June 24, 2022 01:29 AM
    Hi @Fabio Reis was this blog followed to configure freeradius on AIX?
    https://community.ibm.com/community/user/power/blogs/sriram-kucherlapati/2022/05/11/configure-freeradius-pam-client-on-aix?CommunityKey=10c1d831-47ee-4d92-a138-b03f7896f7c9


    ------------------------------
    SANKET RATHI
    ------------------------------



  • 10.  RE: Freeradius - AIX Toolbox.

    Posted Fri June 24, 2022 02:42 PM

    Hi, @SANKET RATHI

    The part described in the blog works, but for them to be able to use Two-factor authentication (2FA) it is necessary to do some connectivity tests between AIX and the Radius Server (which runs on Linux). Eventually there are firewall rules or other issues that prevent this connectivity from working. And in this case, for these tests to work, they need the radtest and radclient binaries, which are part of freeradius-server.

    The package provided has basically 2 files:
    $ rpm -ql freeradius-pam-2.0.0-1.ppc
    /lib/security/pam_radius_auth.so
    /opt/freeware/doc/freeradius-pam-2.0.0
    /opt/freeware/doc/freeradius-pam-2.0.0/Changelog
    /opt/freeware/doc/freeradius-pam-2.0.0/INSTALL
    /opt/freeware/doc/freeradius-pam-2.0.0/LICENSE
    /opt/freeware/doc/freeradius-pam-2.0.0/README.rst
    /opt/freeware/doc/freeradius-pam-2.0.0/USAGE
    /opt/freeware/etc/pam_radius.conf

    So it would be very useful if the complete freeradius-server package could be made available due to the need to use these mentioned binaries and others that come with them.



    ------------------------------
    Fabio Reis
    ------------------------------



  • 11.  RE: Freeradius - AIX Toolbox.

    Posted Wed July 27, 2022 06:29 AM
    Hi Fabio, 
    The tools radclient and radtest are part of the Freeradius-server package. To build those tools we need to build the complete freeradius-server package. Considering the dependencies, it would take a significant amount of effort to build freeradius-server and dependent packages. 

    Please let us know the priority.

    Apart from the tools, what are the other binaries you are expecting to be delivered as part of the package?


    Thank you,
    Sriram.


    ------------------------------
    Sriram Kucherlapati
    ------------------------------



  • 12.  RE: Freeradius - AIX Toolbox.

    Posted Wed July 27, 2022 01:32 PM

    Hi, Sriram.

    In addition to the two binaries (radclient and radtest) they need the dependencies found in the path /usr/local/share/freeradius.

    dictionary dictionary.cisco  dictionary.hp dictionary.patton  dictionary.shasta dictionary.3com dictionary.cisco.bbsm dictionary.ipunplugged dictionary.propel dictionary.shiva dictionary.3gpp dictionary.cisco.vpn3000 dictionary.issanni dictionary.quintum dictionary.sofaware  dictionary.3gpp2 dictionary.cisco.vpn5000 dictionary.itk dictionary.redback dictionary.sonicwall dictionary.acc dictionary.colubris dictionary.juniper dictionary.redcreek dictionary.springtide dictionary.airespace dictionary.columbia_university dictionary.karlnet dictionary.rfc2865 dictionary.starent dictionary.alcatel dictionary.compat dictionary.livingston dictionary.rfc2866 dictionary.t_systems_nova dictionary.alteon dictionary.cosine dictionary.localweb dictionary.rfc2867 dictionary.telebit dictionary.altiga dictionary.digium dictionary.lucent dictionary.rfc2868 dictionary.trapeze dictionary.alvarion dictionary.epygi dictionary.merit dictionary.rfc2869 dictionary.tropos dictionary.aptis dictionary.ericsson dictionary.microsoft dictionary.rfc3162 dictionary.unix dictionary.aruba dictionary.erx dictionary.mikrotik dictionary.rfc3576 dictionary.usr dictionary.ascend dictionary.extreme dictionary.motorola dictionary.rfc3580 dictionary.valemount dictionary.asn dictionary.fortinet dictionary.navini dictionary.rfc4372 dictionary.versanet dictionary.avaya dictionary.foundry dictionary.netscreen dictionary.rfc4590 dictionary.walabi dictionary.bay dictionary.freeradius dictionary.nokia dictionary.rfc4675 dictionary.waverider dictionary.bintec dictionary.freeradius.internal dictionary.nomadix dictionary.rfc4679 dictionary.wispr dictionary.bristol dictionary.gandalf dictionary.nortel dictionary.riverstone dictionary.xedia dictionary.cablelabs dictionary.garderos dictionary.ntua dictionary.roaringpenguin dictionary.xylan dictionary.cabletron dictionary.gemtek dictionary.packeteer dictionary.schulzrinne-sipping dictionary.zyxel

    These files are really necessary for them to be able to configure 2FA in their environment.

    Thanks in advance



    ------------------------------
    Fabio Reis
    ------------------------------



  • 13.  RE: Freeradius - AIX Toolbox.

    Posted Thu July 28, 2022 07:07 AM

    Hi Fabio,
    Are you talking about the modules?

    Freeradius supports only the modules below:
    https://freeradius.org/modules/

    The 2FA + freeradius is a setup at different levels.
    Do you have any info on the use case that the customer wants to have on the AIX node with the freeradius client?

    Also, can you give some more info on what issue the customer is facing with the freeradius client package?

    We have tested radtest on a Linux node (freeradius server) to contact the AIX node (freeradius client).
    Is there any issue with this setup in the customer env?


    Thanks.



    ------------------------------
    Sriram Kucherlapati
    ------------------------------



  • 14.  RE: Freeradius - AIX Toolbox.

    Posted Mon August 01, 2022 07:50 AM

    Hi, Sriram.

    They are implementing 2FA authentication with password from LDAP + RADIUS token. As a test they already downloaded and compiled the necessary packages and it worked. In order to be deployed in production, the customer is requesting the compilation and inclusion of these packages/binaries in the IBM repository, meaning they have a reliable and safe place to get packages, not running the risk of error during compilation or downloading the compiled package from other insecure places.
    The first request was the compilation and inclusion of the freeradius-pam module. This module was added to the IBM repository and is now available. The client has already downloaded and tested it and it works.
    But due to some connectivity issues (eventually there are firewall rules or other issues that prevent this connectivity from working) they also need to use radtest and radclient, and these two binaries use/require as dependencies the dictionary.* files found in the path /usr/local/share/freeradius.

    In a nutshell, this is what is configured on the client side:

    1) Changed /etc/pam.conf to call the freeradius-pam module:

    # Enables the second authentication factor
    sshd auth requisite /usr/lib/security/pam_aix
    sshd auth sufficient /usr/lib/security/pam_permission file=/etc/allowed_users found=allow
    sshd auth required /usr/lib/security/pam_radius_auth.so

    2) Changed /etc/raddb/server to point to the server

    # Example of file:

    # cat /etc/raddb/server
    # AMRADIUS configuration
    radius_server.desenv.com shared_secret 10

    The radtest is used to confirm the operation, because if the communication does not go back, SSH access is unavailable. The radclient is a radtest requirement. An example of a radtest call is:

    /usr/local/bin/radtest user password radius_server.desenv.com 0 shared_secret


    Thanks



    ------------------------------
    Fabio Reis
    ------------------------------
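
Added example, not part of the thread and not FreeRADIUS or IBM code: a minimal Python stand-in for the radtest connectivity check described in post 14, which builds an RFC 2865 Access-Request and accepts a reply only if its Response Authenticator verifies against the shared secret. The NAS-Identifier value `aix-probe`, the function names and UDP port 1812 are assumptions; it sends PAP only and no Message-Authenticator attribute.

```python
import hashlib, hmac, os, socket, struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def attr(atype, value):
    """Encode one attribute as type, length, value (RFC 2865 section 5)."""
    return bytes([atype, len(value) + 2]) + value

def hide_password(password, secret, req_auth):
    """User-Password hiding, RFC 2865 section 5.2: XOR with a chained MD5 keystream."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_request(user, password, secret, ident, req_auth, nas_port=0):
    """Access-Request: User-Name(1), User-Password(2), NAS-Port(5), NAS-Identifier(32)."""
    attrs = (attr(1, user) + attr(2, hide_password(password, secret, req_auth))
             + attr(5, struct.pack("!I", nas_port))
             + attr(32, b"aix-probe"))  # assumed NAS identifier
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def check_reply(reply, secret, ident, req_auth):
    """Return the reply type, but only if the Response Authenticator verifies."""
    if len(reply) < 20:
        raise ValueError("short reply")
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or not 20 <= length <= len(reply):
        raise ValueError("reply does not match the request")
    want = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    if not hmac.compare_digest(want, reply[4:20]):
        raise ValueError("bad Response Authenticator (wrong shared secret or forged reply)")
    return CODES.get(code, "code %d" % code)

def probe(server, user, password, secret, port=1812, timeout=5.0):
    """Send one Access-Request over UDP; socket.timeout means no reply came back."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(user, password, secret, ident, req_auth), (server, port))
        reply, _ = s.recvfrom(4096)
    return check_reply(reply, secret, ident, req_auth)
```

A `socket.timeout` from `probe(...)` means no reply arrived: the path is filtered, the server does not list this host as a client, or the server requires the Message-Authenticator attribute, which this example does not send. A `ValueError` about the Response Authenticator means a reply did arrive but the shared secret on the two sides does not match.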



  • 15.  RE: Freeradius - AIX Toolbox.

    Posted Thu August 04, 2022 12:02 PM

    Hi Fabio,

    I have a couple of queries regarding the freeradius-server. 

    • Regarding the testing
      • We did the testing of ssh, using radclient from server to client, where the server is a Linux node.
      • I think the customer could also do the same to test the ssh?
      • Is he having trouble connecting client to server? (But you mentioned the PAM testing was successful.)
    • Regarding the compilation
      • You mentioned the customer had built the package; did he build all the dependencies associated with freeradius-server?
      • Is it the customer's intent to just store the package safely on the AIX-toolbox? Or
      • Is he expecting support for this package as well?


    ------------------------------
    Sriram Kucherlapati
    ------------------------------



  • 16.  RE: Freeradius - AIX Toolbox.

    Posted Wed August 17, 2022 10:02 AM
    Hi Fabio,

    Looking at the request, this is more specific to the radius server rather than the radius client functionality. We wouldn't be able to accommodate the server package on AIX toolbox for now. Hence, providing the server utilities is difficult.

    Thanks,

    ------------------------------
    Sriram Kucherlapati
    ------------------------------



  • 17.  RE: Freeradius - AIX Toolbox.

    Posted Mon April 24, 2023 08:07 AM

    Hi, Sriram

    Is it possible to return this request for evaluation to be met this year? Customer would still like to have this available in the toolbox.

    Regards,



    ------------------------------
    Fabio Reis
    ------------------------------



  • 18.  RE: Freeradius - AIX Toolbox.

    Posted Mon April 24, 2023 12:33 PM

    Hi Fabio,

     

    Are you asking for radius server porting on AIX?

    Thanks,

    Sanket Rathi

     






  • 19.  RE: Freeradius - AIX Toolbox.

    Posted Mon April 24, 2023 01:32 PM

    Hi Sanket,

    They need the tools radclient and radtest, which are part of the Freeradius-server package.

    Regards,



    ------------------------------
    Fabio Reis
    ------------------------------



  • 20.  RE: Freeradius - AIX Toolbox.

    Posted Mon April 24, 2023 01:29 PM

    Regarding the testing:
    We did the testing of ssh, using radclient from server to client, where the server is a Linux node.
    I think the customer could also do the same to test the ssh?
    Is he having trouble connecting client to server? (But you mentioned the PAM testing was successful.)

    A - Tests via ssh don't work, because we need to pass that token (same as in the previous forum post), so the test needs to be with radtest/radclient.
    "The radtest is used to confirm the operation, because if the communication does not go back, SSH access is unavailable. The radclient is a radtest requirement. An example of a radtest call is:
    /usr/local/bin/radtest user password radius_server.desenv.com 0 shared_secret"

    Regarding the compilation:
    You mentioned the customer had built the package; did he build all the dependencies associated with freeradius-server?
    Is it the customer's intent to just store the package safely on the AIX-toolbox? Or
    Is he expecting support for this package as well?

    A - Their wish is to have the package in the AIX-toolbox, to be able to install it on the machines via yum.



    ------------------------------
    Fabio Reis
    ------------------------------