[colug-432] Radius and FreeIPA
R P Herrold
herrold at owlriver.com
Mon Mar 30 11:14:11 EDT 2015
At the COLUG meeting last week, I mentioned that I ran several
Radius servers (and have since the Cistron, NL days); back in
the cutover days with freeradius, I participated in their
mailing list as well, but as it is a complete and mature
implementation, I eventually unsubscribed.
I discussed with another list member his work with a customer,
getting some sub 100 millisecond failover handling into the
version shipped by RHEL, and it is an interesting story in its
own right. I have encouraged him to write it up.
As to FreeIPA, which I mentioned, I saw a rather nice blog post
after the meeting, at:
http://rhelblog.redhat.com/2015/03/25/ten-new-identity-management-idm-features-in-red-hat-enterprise-linux-7-1/
which has as its first pull item:
as nearly every [] technology supports the
RADIUS authentication protocol, we provide a way to proxy OTP
requests to [] RADIUS servers
and indeed, I run more than one radius server for
compartmentalized OTP purposes. By and large, a single radius
server CAN handle multiple authentication 'realms', but in the
case of different OTP service consuming customers, and for
greater security and resistance to cross-program exploits, it
is really much safer to isolate an OTP provider into its own
small and well-controlled 'container' -- such paranoia is not
unique; the design of a certificate authority 'signer
keystore' has similar isolation needs.
-- Russ herrold