PAM Radius Config

Ok new problem today. I'm being asked to connect all of my FreeBSD 11.0 Servers to a radius server for ssh. I have created the /etc/radius.conf file and added my servers both auth and acct lines with the secret.

Code:
auth server1.f.q.d.n secret
acct server1.f.q.d.n secret

I have modified my /etc/pam.d/sshd file and just added the pam_radius.so to the sections.

Code:
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_radius.so           
auth            required        pam_unix.so             no_warn try_first_pass

account         sufficient      pam_radius.so
account         required        pam_nologin.so
account         required        pam_login_access.so
account         required        pam_unix.so

session         required        pam_permit.so

password        sufficient      pam_radius.so           
password        required        pam_unix.so             no_warn try_first_pass

I then restart my sshd service and try to login.

When using root account... I can still access the box no problem.

I do see it gets a radius rejection in the login process for root.

Code:
login as: root
Using keyboard-interactive authentication.
RADIUS Password:
Radius rejection
Last login: Wed Jun 28 09:31:42 2017 from a.b.c.d
FreeBSD 11.0-RELEASE-p9 (GENERIC) #0: Tue Apr 11 08:48:40 UTC 2017

When I try and login using my radius credentials it just keeps telling me Radius rejection and drops me back to a password prompt. The only message I see in the /var/log/security file is

Code:
Jun 28 09:51:26 servername sshd[15248]: in openpam_dispatch(): /usr/lib/pam_radius.so.6: no pam_sm_acct_mgmt()

Is there something else I need to add/remove to/from the sshd file to make this work? I have never needed to use radius before. And no I do not have access to the Radius servers... that is controlled by the IT department.

Thanks
 
The user needs to exist on FreeBSD, RADIUS only takes care of the authentication.

Code:
     template_user=username
                 specifies a user whose passwd(5) entry will be used as a tem-
                 plate to create the session environment if the supplied user-
                 name does not exist in local password database.  The user
                 will be authenticated with the supplied username and pass-
                 word, but his credentials to the system will be presented as
                 the ones for username, i.e., his login class, home directory,
                 resource limits, etc. will be set to ones defined for
                 username.

                 If this option is omitted, and there is no username in the
                 system databases equal to the supplied one (as determined by
                 call to getpwnam(3)), the authentication will fail.
 
OK I created a user on the box: radiustemplate

I modified the /etc/pam.d/sshd: auth sufficient pam_radius.so template_user=radiustemplate

restarted sshd service

Tried to login and still get a rejection from the radius server. Any other thoughts?

Thanks
 
If the RADIUS server is rejecting it the username/password isn't correct. That's all it does, check the username/password. If the RADIUS server accepts the username/password but you're not able to login the issue is on the FreeBSD client. Check /var/log/auth.log for issues. Perhaps it's a local permission issue.
 
So having a user on the box that matches the radius login works... using the user radiustemplate that I created for the pam_radius.so option template_user=radiustemplate... does not. So I guess I will just be creating users on the box instead of using the template. Thanks
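Added example (not code from the thread, and not part of pam_radius or OpenPAM): a small simulator that walks the `auth` lines of the poster's /etc/pam.d/sshd with OpenPAM's control-flag rules (`sufficient` ends the chain only on success, `required` records a failure but keeps going, `requisite` stops on failure). It shows why root still gets in after "Radius rejection": pam_radius.so is `sufficient`, so its failure is ignored and the `required` pam_unix.so line accepts the local password. It also reproduces the two later findings (a RADIUS user with no local passwd entry fails, one with a matching local user succeeds at pam_radius.so). The per-module return codes for each scenario are constructed for illustration, and the "strict" stack (pam_radius.so as `required`, pam_unix.so removed) is a hypothetical variant the thread never proposes, included only to show how the verdict changes.

```python
# Added example: simulate OpenPAM's dispatch of the "auth" facility over the
# pam.d/sshd stack quoted in the thread. Module outcomes are constructed.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"

# The auth lines exactly as posted in the thread.
THREAD_AUTH_STACK = """
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      pam_radius.so
auth            required        pam_unix.so             no_warn try_first_pass
"""

# Hypothetical variant (not from the thread): RADIUS is the only password
# authority, so its rejection is final and no local-password fallback exists.
STRICT_AUTH_STACK = """
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            required        pam_radius.so
"""


def parse_stack(text, facility="auth"):
    """Parse pam.conf-style lines into (control_flag, module, args) tuples."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] != facility:
            continue
        stack.append((fields[1], fields[2], fields[3:]))
    return stack


def dispatch(stack, module_results):
    """Walk the chain with OpenPAM's control-flag semantics.

    module_results maps a module name to the code it returns in this
    scenario (constructed values); an unlisted module counts as PAM_AUTH_ERR.
    """
    fail = None  # first failure recorded by a required/binding module
    for flag, module, _args in stack:
        r = module_results.get(module, PAM_AUTH_ERR)
        if flag in ("sufficient", "binding") and r == PAM_SUCCESS:
            if fail is None:
                return PAM_SUCCESS  # chain ends early on success
            continue
        if flag == "requisite":
            if r != PAM_SUCCESS:
                return r  # hard stop
        elif flag in ("required", "binding"):
            if r != PAM_SUCCESS and fail is None:
                fail = r  # remember, but keep running later modules
        elif flag in ("sufficient", "optional"):
            pass  # failure of these does not affect the verdict
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    return PAM_SUCCESS if fail is None else fail


def run_scenarios():
    """Return the chain verdict for the situations described in the thread."""
    thread = parse_stack(THREAD_AUTH_STACK)
    strict = parse_stack(STRICT_AUTH_STACK)
    # Constructed: pam_opie.so fails for a user with no OPIE key, and
    # pam_opieaccess.so with allow_local lets such a user continue.
    common = {"pam_opie.so": PAM_AUTH_ERR, "pam_opieaccess.so": PAM_SUCCESS}
    return {
        # root: RADIUS rejects, but the local password is correct.
        "root_rejected_by_radius": dispatch(thread, {**common,
            "pam_radius.so": PAM_AUTH_ERR, "pam_unix.so": PAM_SUCCESS}),
        # RADIUS user with no local passwd entry and no usable template_user:
        # pam_radius.so fails (per its man page) and pam_unix.so has no entry.
        "radius_user_without_local_account": dispatch(thread, {**common,
            "pam_radius.so": PAM_USER_UNKNOWN, "pam_unix.so": PAM_USER_UNKNOWN}),
        # RADIUS user whose login also exists locally: chain ends at pam_radius.so.
        "radius_user_with_local_account": dispatch(thread, {**common,
            "pam_radius.so": PAM_SUCCESS, "pam_unix.so": PAM_AUTH_ERR}),
        # Strict variant: same root attempt, RADIUS verdict is final.
        "strict_root_rejected_by_radius": dispatch(strict, {**common,
            "pam_radius.so": PAM_AUTH_ERR, "pam_unix.so": PAM_SUCCESS}),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:40s} -> {verdict}")
```

Two things worth noting from the output. First, with the posted stack a RADIUS rejection never denies anyone who also has a valid local password, which is why root walks straight in; whether that fallback is wanted is a policy decision (the strict variant makes sshd password logins depend entirely on the RADIUS server being reachable, so keep console access or key-based logins available before trying anything like it). Second, the `/usr/lib/pam_radius.so.6: no pam_sm_acct_mgmt()` line in /var/log/security comes from the `account sufficient pam_radius.so` entry: the module has no account-management function, so OpenPAM logs the error and skips that line. It is noise, not the cause of the rejection, which the later replies trace to the username not existing locally.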
 