Regarding the testing:
We did the testing of ssh, using radclient from server to client, where the server is a Linux node.
I think the customer could also do the same to test the ssh?
Is he having trouble connecting client to server? (But you mentioned the pam testing was successful.)
A - Tests via ssh don't work, because we need to pass that token (same as in the previous forum post), so the test needs to be with radtest/radclient.
"The radtest is used to confirm the operation, because if the communication does not go back, SSH access is unavailable. The radclient is a radtest requirement. An example of a radtest call is:
/usr/local/bin/radtest user password radius_server.desenv.com 0 shared_secret"
Regarding the compilation:
You mentioned the customer had built the package; did he build all the dependencies associated with freeradius-server?
Is it the customer's intent to just store the package safely on the AIX-toolbox? Or
is he expecting support for this package as well?
A - Their wish is to have the package in the AIX-toolbox, to be able to install it on the machines via yum.
------------------------------
Fabio Reis
------------------------------
Original Message:
Sent: Thu August 04, 2022 12:02 PM
From: Sriram Kucherlapati
Subject: Freeradius - AIX Toolbox.
Hi Fabio,
I have a couple of queries regarding the freeradius-server.
- Regarding the testing
  - We did the testing of ssh, using radclient from server to client, where the server is a Linux node.
  - I think the customer could also do the same to test the ssh?
  - Is he having trouble connecting client to server? (But you mentioned the pam testing was successful.)
- Regarding the compilation
  - You mentioned the customer had built the package; did he build all the dependencies associated with freeradius-server?
  - Is it the customer's intent to just store the package safely on the AIX-toolbox? Or
  - is he expecting support for this package as well?
------------------------------
Sriram Kucherlapati
Original Message:
Sent: Mon August 01, 2022 07:49 AM
From: Fabio Reis
Subject: Freeradius - AIX Toolbox.
Hi, Sriram.
They are implementing 2FA authentication with password from LDAP + RADIUS token. As a test they already downloaded and compiled the necessary packages, and it worked. In order to be deployed in production, the customer is requesting the compilation and inclusion of these packages/binaries in the IBM repository, meaning they have a reliable and safe place to get packages, not running the risk of error during compilation or downloading the compiled package from other insecure places.
The first request was the compilation and inclusion of the freeradius-pam module. This module was added to the IBM repository and is now available. The client has already downloaded and tested it and it works.
But due to some connectivity issues (eventually there are firewall rules or other issues that prevent this connectivity from working) they also need to use radtest and radclient, and these two binaries use/require as dependencies the dictionary.* files found in the path /usr/local/share/freeradius.
In a nutshell, the following is configured on the client side:
1) Changed /etc/pam.conf to call the freeradius-pam module:
# Enable second authentication factor
sshd auth requisite /usr/lib/security/pam_aix
sshd auth sufficient /usr/lib/security/pam_permission file=/etc/allowed_users found=allow
sshd auth required /usr/lib/security/pam_radius_auth.so
2) Changed /etc/raddb/server to point to the server
# Example of file:
# cat /etc/raddb/server
# AMRADIUS configuration
radius_server.desenv.com shared_secret 10
The radtest is used to confirm the operation, because if the communication does not go back, SSH access is unavailable. The radclient is a radtest requirement. An example of a radtest call is:
/usr/local/bin/radtest user password radius_server.desenv.com 0 shared_secret
Thanks
------------------------------
Fabio Reis
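The round trip that radtest confirms, as an added example that is not part of the original thread and is not FreeRADIUS code: it builds an RFC 2865 Access-Request with the hidden User-Password, sends it over UDP, and validates the Response Authenticator with the shared secret. The NAS-Identifier value `aix-client`, UDP port 1812 and the function names are assumptions; host, user, password and secret are the placeholders used in the thread.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(code: int, value: bytes) -> bytes:
    return struct.pack("!BB", code, len(value) + 2) + value

def build_access_request(user, password, secret, ident, request_auth,
                         nas_id=b"aix-client", nas_port=0):
    """Access-Request (code 1); nas_id is a made-up NAS-Identifier for this example."""
    attrs = (attr(1, user) + attr(2, hide_password(password, secret, request_auth))
             + attr(32, nas_id) + attr(5, struct.pack("!I", nas_port))
             + attr(80, b"\x00" * 16))          # Message-Authenticator placeholder
    pkt = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs
    # RFC 3579 3.2: HMAC-MD5 over the packet with the placeholder zeroed.
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(code+id+length+request_auth+attrs+secret)."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    want = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(want, reply[4:20])

def probe(server, user, password, secret, port=1812, timeout=10):
    """Send one request; timeout mirrors the third field of /etc/raddb/server."""
    ident, request_auth = os.urandom(1)[0], os.urandom(16)
    pkt = build_access_request(user, password, secret, ident, request_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"    # blocked path, wrong port, or request discarded
    if not verify_reply(reply, request_auth, secret) or reply[1] != ident:
        return "bad-reply"       # reply not produced with our shared secret
    return {2: "accept", 3: "reject", 11: "challenge"}.get(reply[0], "other")

if __name__ == "__main__":       # placeholder values taken from the thread
    print(probe("radius_server.desenv.com", b"user", b"password", b"shared_secret"))
```

A `no-reply` result points at the network path or at the server discarding the request, while `reject` or `challenge` shows that the UDP round trip and the shared secret are both fine.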
Original Message:
Sent: Thu July 28, 2022 07:06 AM
From: Sriram Kucherlapati
Subject: Freeradius - AIX Toolbox.
Hi Fabio,
Are you talking about the modules?
Freeradius supports only the modules listed below:
https://freeradius.org/modules/
The 2FA + freeradius is a setup at different levels.
Do you have any info on the use case that the customer wants to have on the AIX node with the freeradius client?
Also, can you give some more info on what issue the customer is facing with the freeradius client package?
We have tested radtest on a Linux node (freeradius server) to contact the AIX node (freeradius client).
Is there any issue with this setup in the customer env?
Thanks.
------------------------------
Sriram Kucherlapati
Original Message:
Sent: Wed July 27, 2022 01:31 PM
From: Fabio Reis
Subject: Freeradius - AIX Toolbox.
Hi, Sriram.
In addition to the two binaries (radclient and radtest) they need the dependencies found in the path /usr/local/share/freeradius.
dictionary dictionary.cisco dictionary.hp dictionary.patton dictionary.shasta dictionary.3com dictionary.cisco.bbsm dictionary.ipunplugged dictionary.propel dictionary.shiva dictionary.3gpp dictionary.cisco.vpn3000 dictionary.issanni dictionary.quintum dictionary.sofaware dictionary.3gpp2 dictionary.cisco.vpn5000 dictionary.itk dictionary.redback dictionary.sonicwall dictionary.acc dictionary.colubris dictionary.juniper dictionary.redcreek dictionary.springtide dictionary.airespace dictionary.columbia_university dictionary.karlnet dictionary.rfc2865 dictionary.starent dictionary.alcatel dictionary.compat dictionary.livingston dictionary.rfc2866 dictionary.t_systems_nova dictionary.alteon dictionary.cosine dictionary.localweb dictionary.rfc2867 dictionary.telebit dictionary.altiga dictionary.digium dictionary.lucent dictionary.rfc2868 dictionary.trapeze dictionary.alvarion dictionary.epygi dictionary.merit dictionary.rfc2869 dictionary.tropos dictionary.aptis dictionary.ericsson dictionary.microsoft dictionary.rfc3162 dictionary.unix dictionary.aruba dictionary.erx dictionary.mikrotik dictionary.rfc3576 dictionary.usr dictionary.ascend dictionary.extreme dictionary.motorola dictionary.rfc3580 dictionary.valemount dictionary.asn dictionary.fortinet dictionary.navini dictionary.rfc4372 dictionary.versanet dictionary.avaya dictionary.foundry dictionary.netscreen dictionary.rfc4590 dictionary.walabi dictionary.bay dictionary.freeradius dictionary.nokia dictionary.rfc4675 dictionary.waverider dictionary.bintec dictionary.freeradius.internal dictionary.nomadix dictionary.rfc4679 dictionary.wispr dictionary.bristol dictionary.gandalf dictionary.nortel dictionary.riverstone dictionary.xedia dictionary.cablelabs dictionary.garderos dictionary.ntua dictionary.roaringpenguin dictionary.xylan dictionary.cabletron dictionary.gemtek dictionary.packeteer dictionary.schulzrinne-sipping dictionary.zyxel
These files are really necessary for them to be able to configure 2FA in their environment.
Thanks in advance
------------------------------
Fabio Reis
Original Message:
Sent: Wed July 27, 2022 06:28 AM
From: Sriram Kucherlapati
Subject: Freeradius - AIX Toolbox.
Hi Fabio,
The tools radclient and radtest are part of the Freeradius-server package. To build those tools we need to build the complete freeradius-server package. Considering the dependencies, it would take a significant amount of effort to build freeradius-server and dependent packages.
Please let us know the priority.
Apart from the tools, what are the other binaries you are expecting to be delivered as part of the package?
Thank you,
Sriram.
------------------------------
Sriram Kucherlapati
Original Message:
Sent: Fri June 24, 2022 02:42 PM
From: Fabio Reis
Subject: Freeradius - AIX Toolbox.
Hi, @SANKET RATHI
The part described in the blog works, but for them to be able to use two-factor authentication (2FA) it is necessary to do some connectivity tests between AIX and the Radius Server (which runs on Linux). Eventually there are firewall rules or other issues that prevent this connectivity from working. And in this case, for these tests to work, they need the radtest and radclient binaries, which are part of freeradius-server.
The package provided has basically 2 files:
$ rpm -ql freeradius-pam-2.0.0-1.ppc
/lib/security/pam_radius_auth.so
/opt/freeware/doc/freeradius-pam-2.0.0
/opt/freeware/doc/freeradius-pam-2.0.0/Changelog
/opt/freeware/doc/freeradius-pam-2.0.0/INSTALL
/opt/freeware/doc/freeradius-pam-2.0.0/LICENSE
/opt/freeware/doc/freeradius-pam-2.0.0/README.rst
/opt/freeware/doc/freeradius-pam-2.0.0/USAGE
/opt/freeware/etc/pam_radius.conf
So it would be very useful if the complete freeradius-server package could be made available due to the need to use these mentioned binaries and others that come with them.
------------------------------
Fabio Reis
Original Message:
Sent: Fri June 24, 2022 01:28 AM
From: SANKET RATHI
Subject: Freeradius - AIX Toolbox.
Hi @Fabio Reis, was this blog followed to configure freeradius on AIX?
https://community.ibm.com/community/user/power/blogs/sriram-kucherlapati/2022/05/11/configure-freeradius-pam-client-on-aix?CommunityKey=10c1d831-47ee-4d92-a138-b03f7896f7c9
------------------------------
SANKET RATHI
Original Message:
Sent: Thu June 23, 2022 08:01 AM
From: Fabio Reis
Subject: Freeradius - AIX Toolbox.
Hi, @SANKET RATHI
I saw that freeradius-pam is now available on AIX toolbox. The customer noticed after the release of freeradius-pam that in order for them to be able to configure 2FA other packages are needed besides freeradius-pam, radtest and others more. Is it possible to request the compilation and inclusion of all freeradius packages in AIX toolbox?
Thanks in advance.
------------------------------
Fabio Reis
Original Message:
Sent: Fri February 18, 2022 08:44 AM
From: SANKET RATHI
Subject: Freeradius - AIX Toolbox.
Thank you, Andrey, for replying, and yes, we would like to get the customer's view on the AIX-implemented RADIUS.
------------------------------
SANKET RATHI
Original Message:
Sent: Fri February 18, 2022 07:27 AM
From: Andrey Klyachkin
Subject: Freeradius - AIX Toolbox.
AIX has its own RADIUS implementation:
# installp -Ld . | grep -i RADIUS
radius.base:radius.base.rte:7.2.0.0::I:T:::::N:RADIUS Runtime ::::0:1543:
radius.base:radius.base.rte:7.2.3.15::S:T:::::N:RADIUS Runtime::::0:1845:
Would it suit the customer's needs?
------------------------------
Andrey Klyachkin
https://www.power-devops.com
Original Message:
Sent: Thu February 17, 2022 12:39 PM
From: Fabio Cruz Dos Reis
Subject: Freeradius - AIX Toolbox.
Hi, Team.
An IBM customer needs freeradius to test/enable 2FA on AIX servers. Is it possible to add this package to the AIXToolbox?
Thanks in advance.
------------------------------
Fabio Cruz Dos Reis
------------------------------