PAM Radius Config

OK, new problem today. I'm being asked to connect all of my FreeBSD 11.0 servers to a RADIUS server for ssh. I have created the /etc/radius.conf file and added both the auth and acct lines for my servers with the secret.

auth server1.f.q.d.n secret
acct server1.f.q.d.n secret

I have modified my /etc/pam.d/sshd file and just added the to the sections.

auth            sufficient             no_warn no_fake_prompts
auth            requisite       no_warn allow_local
auth            sufficient           
auth            required             no_warn try_first_pass

account         sufficient
account         required
account         required
account         required

session         required

password        sufficient           
password        required             no_warn try_first_pass

I then restart my sshd service and try to login.

When using root account... I can still access the box no problem.

I do see it gets a radius rejection in the login process for root.

login as: root
Using keyboard-interactive authentication.
RADIUS Password:
Radius rejection
Last login: Wed Jun 28 09:31:42 2017 from a.b.c.d
FreeBSD 11.0-RELEASE-p9 (GENERIC) #0: Tue Apr 11 08:48:40 UTC 2017

When I try to log in using my RADIUS credentials, it just keeps telling me Radius rejection and drops me back to a password prompt. The only message I see in the /var/log/security file is

Jun 28 09:51:26 servername sshd[15248]: in openpam_dispatch(): /usr/lib/ no pam_sm_acct_mgmt()

Is there something else I need to add/remove to/from the sshd file to make this work? I have never needed to use RADIUS before. And no, I do not have access to the RADIUS servers... that is controlled by the IT department.

The user needs to exist on FreeBSD, RADIUS only takes care of the authentication.

                 specifies a user whose passwd(5) entry will be used as a
                 template to create the session environment if the supplied
                 username does not exist in local password database.  The user
                 will be authenticated with the supplied username and
                 password, but his credentials to the system will be presented as
                 the ones for username, i.e., his login class, home directory,
                 resource limits, etc. will be set to ones defined for

                 If this option is omitted, and there is no username in the
                 system databases equal to the supplied one (as determined by
                 call to getpwnam(3)), the authentication will fail.
OK I created a user on the box: radiustemplate

I modified the /etc/pam.d/sshd: auth sufficient template_user=radiustemplate

restarted sshd service

Tried to login and still get a rejection from the radius server. Any other thoughts?

If the RADIUS server is rejecting it, the username/password isn't correct. That's all it does, check the username/password. If the RADIUS server accepts the username/password but you're not able to log in, the issue is on the FreeBSD client. Check /var/log/auth.log for issues. Perhaps it's a local permission issue.
So having a user on the box that matches the RADIUS login works... using the user radiustemplate that I created for the option template_user=radiustemplate... does not. So I guess I will just be creating users on the box instead of using the template. Thanks
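
A small linter for the kind of /etc/pam.d/sshd edits discussed in this thread, as an added example that is not part of any post: it flags rules with no module field, a module placed under a facility it does not implement (the situation the openpam_dispatch() log line above reports), and a template_user that is not a local account. The sample file, the user list, the function names and the assumption that pam_radius.so implements only the auth facility are constructed for illustration.

```python
FACILITIES = {"auth", "account", "session", "password"}

def parse_pam(text):
    """Yield (lineno, facility, module, args); module is None when the field is absent."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if not fields or fields[0] not in FACILITIES:
            continue
        module = fields[2] if len(fields) > 2 else None
        yield lineno, fields[0], module, fields[3:]

def lint(text, local_users, auth_only=("pam_radius.so",)):
    """Return (lineno, message) findings for a PAM service file.

    auth_only is an assumption supplied by the caller: modules that implement
    only the auth facility, so listing them elsewhere cannot work.
    """
    findings = []
    for lineno, facility, module, args in parse_pam(text):
        name = module.rsplit("/", 1)[-1] if module else ""
        # Heuristic: module names conventionally start with pam_ and never contain '='.
        if not name.startswith("pam_") or "=" in name:
            findings.append((lineno, "no module field between control flag and options"))
            continue
        if facility != "auth" and name in auth_only:
            findings.append((lineno, f"{name} under '{facility}' but it is auth-only"))
        for arg in args:
            key, _, value = arg.partition("=")
            if key == "template_user" and value not in local_users:
                findings.append((lineno, f"template_user '{value}' is not a local account"))
    return findings

# Constructed sample, not the poster's actual file.
SAMPLE = """\
auth      sufficient  pam_radius.so  template_user=radiustemplate
auth      required    pam_unix.so    no_warn try_first_pass
account   sufficient  pam_radius.so
account   required    pam_unix.so
session   required
password  required    no_warn try_first_pass
"""

if __name__ == "__main__":
    for lineno, message in lint(SAMPLE, local_users={"root", "alice"}):
        print(f"line {lineno}: {message}")
```

Backslash line continuations are not handled; the local user set can be built from the first field of each line of /etc/passwd.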