Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 10:18 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Tue Nov 05, 2013 11:40 pm 
Offline

Joined: Fri Oct 25, 2013 11:28 pm
Posts: 8
Can someone explain how synch works on Yubiradius?

If I have users on system A that have already authenticated once and have a yubikey assigned to them. Then I add Server B and import the users from ldap and then configure yubiradius to synch with A. Will it ever synchronize and update the users on Server B with the correct Yubikey information?

It seems to have synchronized a new user, but not existing users, which is why I ask how it works?

The other question I have is that the documentation seems to indicate port 80 is used for synch, but I'm not seeing anything hitting port 80 on my firewall, but it appears to be synchronizing, at least new key mapping information for users.

Any input would be appreciated. :P


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Nov 06, 2013 10:10 am 
Offline
Yubico Team
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
Hello,

The YubiRADIUS has the basic synchronization for OTP and user-YubiKey mapping between the synchronized instances. The newly added users on AD can be added to all instances by setting automated periodical user imports to all instances. This can be done by configuring "Schedule" (Hourly, Daily, Weekly) under "Users Import" tab of all synchronized instances. You have to run the Users Import manually to each synchronized instance.

YubiKey mapping will get synchronized automatically, no need to assign YubiKey to users on synchronized instances.

FYI,
YubiRADIUS has limited synchronization capabilities as of the current version (i.e. only the states required for user authentication are synchronized between instances but not the configuration). When Synchronization is enabled (after starting from a steady state), the state changes to the YK-Map and YK-VAL are synchronized between the configured instances. That means User-YubiKeys mapping and OTP validation part is getting synchronized amoung the synchronized instances. There is no synchronization for AD/LDAP Users Import, User-Password authentication, YubiKey Import etc. However, if new YubiKeys are provisioned the corresponding AES secrets must be manually imported (using "Import YubiKeys" tab in the UI) into each YubiRADIUS instance in the deployment (even if synchronization is enabled).

Ideally, if synchronization is correctly configured on all instances a successfully assigned YubiKey to a user on one instance should be reflected on all other synchronized instances. Please note, to verify this on other instances you may need to refresh the webmin UI screen on the other instances as the UI is not automatically refreshed.

The synchronization uses HTTP GET method for synchronization between synchronized instances.

Please note, the synchronization of YRVA will work only with identical YRVA instances.

Hope this helps!

Thanks and best regards,
Samir.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group