Yubico Forum
https://forum.yubico.com/

Adding a user with multiple YubiRADIUS instances
https://forum.yubico.com/viewtopic.php?f=29&t=1141
Page 1 of 1

Author:  kevbo [ Thu Aug 22, 2013 3:01 am ]
Post subject:  Adding a user with multiple YubiRADIUS instances

I'm using multiple YubiRADIUS servers using Synchronization.

I have a question about adding a new user to the system.

This is what I normally do:

1) Add the user to AD
2) Log into a YubiRADIUS
3) Click on the domain
4) Click on Users Import
5) Run the import process.

The issue is, when I do this on one YubiRADIUS box, and then log in to another one in my cluster, it doesn't show the new user.

So, I have questions:

1) Do I need to run the import users process on all instances by hand?
2) Do I need to assign the Yubikey to the user on all instances, or does that propagate across the cluster?
3) What happens if a user is accidentally assigned a key on one instance, before all of the instances have the user imported on them?

Kevin

Author:  samir [ Thu Aug 22, 2013 12:12 pm ]
Post subject:  Re: Adding a user with multiple YubiRADIUS instances

Hello,

1) Do I need to run the import users process on all instances by hand?

[Yubico]: You have to run the Users Import manually on each synchronized instance.

YubiRADIUS has basic synchronization of OTP state and the user-YubiKey mapping between the synchronized instances. Users newly added to AD can be added to all instances by setting up automated periodic user imports on all instances. This can be done by configuring "Schedule" (Hourly, Daily, Weekly) under the "Users Import" tab of all synchronized instances.

2) Do I need to assign the Yubikey to the user on all instances, or does that propagate across the cluster?

[Yubico]: YubiKey mapping will get synchronized automatically, no need to assign YubiKey to users on synchronized instances.

3) What happens if a user is accidentally assigned a key on one instance, before all of the instances have the user imported on them?

[Yubico]: It will get queued in the primary instance.

FYI,
YubiRADIUS has limited synchronization capabilities as of the current version (i.e. only the state required for user authentication is synchronized between instances, not the configuration). When Synchronization is enabled (after starting from a steady state), state changes to the YK-Map and YK-VAL are synchronized between the configured instances. That means the user-YubiKey mapping and the OTP validation state are synchronized among the synchronized instances. There is no synchronization for AD/LDAP Users Import, user-password authentication, YubiKey Import etc. However, if new YubiKeys are provisioned, the corresponding AES secrets must be manually imported (using the "Import YubiKeys" tab in the UI) into each YubiRADIUS instance in the deployment (even if synchronization is enabled).

Ideally, if synchronization is correctly configured on all instances this should not happen. i.e. if you successfully assign a YubiKey to a user on one instance, the mapping should be reflected on all other synchronized instances. Please note, to verify this on other instances you may need to refresh the webmin UI screen on the other instances as the UI is not automatically refreshed.

Thanks and best regards,
Samir.
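A practical way to check what Samir describes (the mapping and OTP state being shared, the configuration not) is to authenticate the same user against every instance in turn and compare the answers. The script below is an added example, not code from this thread or from Yubico: it builds an RFC 2865 Access-Request with the standard library, sends the same "password + OTP" field to each instance, and checks the Response Authenticator before trusting the reply code. The instance addresses, the shared secret, the NAS IP, the user name and the OTP are constructed placeholders (the OTP is modhex-shaped but not a real YubiKey output), and the assumptions that the OTP is appended to the AD password in the User-Password attribute and that the public ID is 12 characters are mine, not the page's. Because a YubiKey OTP is single-use, the expectation under synchronized YK-VAL state is one Access-Accept followed by Access-Reject (replay) from the remaining instances; an Accept from a later instance is the sign that OTP state is not propagating.

```python
"""Probe each YubiRADIUS instance with one RADIUS Access-Request (added example)."""
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4
MODHEX = set("cbdefghijklnrtuv")
OTP_LEN, PUBLIC_ID_LEN = 44, 12          # assumption: 12-char public ID + 32-char ciphertext


def split_password_otp(field):
    """Split the 'password + OTP' field: last 44 modhex chars are the OTP,
    whose first 12 chars are the public ID the user-YubiKey mapping is keyed on."""
    if len(field) < OTP_LEN:
        raise ValueError("field shorter than one OTP")
    password, otp = field[:-OTP_LEN], field[-OTP_LEN:]
    if not set(otp) <= MODHEX:
        raise ValueError("OTP is not modhex")
    return password, otp, otp[:PUBLIC_ID_LEN]


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2 User-Password hiding: MD5(secret + previous block) XORed 16 bytes at a time."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)          # NUL-pad to a multiple of 16
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = bytes(x ^ y for x, y in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def attr(t, v):
    return struct.pack("!BB", t, len(v) + 2) + v


def build_access_request(ident, username, password_otp, secret, nas_ip, authenticator=None):
    """Return (packet, request_authenticator) for one Access-Request."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password_otp, secret, authenticator))
             + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs, authenticator


def response_valid(reply, request_authenticator, secret):
    """Check the Response Authenticator (RFC 2865 section 3) before trusting the reply code."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return expected == reply[4:20]


def probe(instances, username, password_otp, secret, nas_ip="192.0.2.10", timeout=3.0):
    """Send the same request to every instance in order; return {host: reply code or None}."""
    results = {}
    for ident, (host, port) in enumerate(instances):
        pkt, ra = build_access_request(ident, username, password_otp, secret, nas_ip)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(pkt, (host, port))
                reply, _ = s.recvfrom(4096)
            except OSError:                      # timeout or unresolvable placeholder host
                results[host] = None
                continue
        results[host] = reply[0] if response_valid(reply, ra, secret) else "bad-authenticator"
    return results


if __name__ == "__main__":
    # Constructed placeholders: replace with the real instances and the RADIUS shared secret.
    INSTANCES = [("radius1.example.com", 1812), ("radius2.example.com", 1812)]
    SECRET = b"constructed-shared-secret"
    # Constructed OTP: modhex-shaped, not a real YubiKey output.
    FIELD = "hunter2" + "ccccccbcgfhd" + "kdrlnbgrbudicuhkknfbchfjhtjdrcgj"
    print("public ID:", split_password_otp(FIELD)[2])
    print(probe(INSTANCES, "kevin", FIELD, SECRET))
```

Run it from a host that is configured as a RADIUS client on every instance, with a fresh OTP each time; a dict of `2` for the first host and `3` for the rest is the healthy result, while `None` on one host points at network or client-configuration differences (which, as the thread notes, are not synchronized).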

Author:  kevbo [ Thu Aug 22, 2013 12:36 pm ]
Post subject:  Re: Adding a user with multiple YubiRADIUS instances

Thank you for the information. I was just really concerned that there was a "race condition" between adding the users and assigning the key (because I regularly end up in a situation where I'm adding the users, but someone else at a different location is actually assigning the key, and it wasn't clear how synchronized the two of us needed to be.)

Thanks,

Kevin
