Show Table of Contents
Chapter 52. Authentication and Interoperability
RADIUS proxy functionality is now also available in IdM running in FIPS mode
In FIPS mode, OpenSSL disables the use of the MD5 digest algorithm by default. Consequently, because the RADIUS protocol requires MD5 to encrypt a secret between the RADIUS client and the RADIUS server, the unavailability of MD5 in FIPS mode causes the RHEL Identity Management (IdM) RADIUS proxy server to fail.
If the RADIUS server is running on the same host as the IdM master, you can work around the problem and enable MD5 within the secure perimeter.
To do that, create a file /etc/systemd/system/radiusd.service.d/ipa-otp.conf with the following content:
# /etc/systemd/system/radiusd.service.d/ipa-otp.conf [Service] Environment=OPENSSL_FIPS_NON_APPROVED_MD5_ALLOW=1
To apply the change, reload the
systemd configuration:
# systemctl daemon-reload
and start the
radiusd service:
# systemctl start radiusd
The configuration of the RADIUS proxy requires the use of a common secret between the client and the server to wrap credentials. Specify this secret in the configuration of the RADIUS proxy in RHEL IdM using the command line interface (CLI) or web UI. To do it in the CLI:
# ipa radiusproxy-add name_of_your_proxy_server --secret your_secret
(BZ#1571754)
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.