Note: This integration does not support the use of Push. You will need to use OTP.
Setting up MFA for RADIUS is a requirement for this integration. Please see this article for more information.
Run apt-get install libpam-radius-auth to install the PAM Radius Authentication Module (pam_radius_auth).
Configure sshd for RADIUS Authentication by editing /etc/pam.d/sshd and adding the following line as the second line of the file:
|auth required /lib/security/pam_radius_auth.so|
Note: If you need more verbose output, you can add the word debug to this line so that it reads:
|auth required /lib/security/pam_radius_auth.so debug|
You may also need to comment out the following line so that the system does not attempt to authenticate via standard Un*x password authentication even after a successful RADIUS Authentication.
Edit the file /etc/pam_radius_auth.conf (/etc/raddb/server on some systems) and under the line:
|127.0.0.1 secret 1|
Add the line:
|IP_address(:port) shared_secret timeout|
Where IP_address is the IP address (and port, if using a RADIUS port other than the port defined in /etc/services) of your RADIUS server, shared_secret is the shared secret and timeout is the timeout value in seconds.
Run /etc/init.d/ssh restart to restart the SSH daemon.
Log into the system via SSH and when it prompts for a username and password, enter your username in the username field and your MFA token in the password field.
Note: This configuration only protects SSH. A console logon or graphical logon will still use the regular Linux password only. Due to the configurable nature of PAM, authentication for any login method can be strengthened by editing the appropriate configuration files.
For assistance with other configurations, including manually building and configuring the module, check out FreeRADIUS.org’s usage guide for the PAM Authentication and Accounting module.This guide includes a sample configuration file for other configurations, as well as other usage instructions.