FreeRADIUS PAM

By integrating the Server Suite Authentication Service with the FreeRADIUS PAM module, you can enhance your authentication process. This setup allows you to use RADIUS for secure network access, making it easier to implement multi-factor authentication methods.

To integrate the Server Suite Authentication Service with the FreeRADIUS PAM module, ensure you have the following prerequisites: 

  • Install Server Suite on your system.

  • Install and configure a RADIUS Server, either on the same machine or a separate one. For the FreeRADIUS project, see https://freeradius.org/.

    • This guide demonstrates how to configure the Server Suite Authentication Service to authenticate against the Active Directory password first and then against the RADIUS server. This enables multi-factor authentication, enhancing security for your systems.

Installing the FreeRADIUS PAM Module

To integrate the Server Suite Authentication Service with RADIUS, you must install the FreeRADIUS PAM module, which enables secure authentication for your systems.

To install the FreeRADIUS PAM Module, complete the following steps:

  1. Install the FreeRADIUS PAM module.

    1. Build your own package from the source available at https://freeradius.org/sub_projects/.

    2. Or, use your operating system's package manager. For example, on Ubuntu, run: 

      Copy 
      sudo apt-get install libpam-radius-auth

  2. Configure the FreeRADIUS PAM module: 

    1. Open the configuration file /etc/pam_radius_auth.conf with a text editor.

    2. Specify the RADIUS server IP address, shared secret, and timeout.

    3. Add a line in the following format: 

      Copy 
      127.0.0.1   testing123   30

    4. Replace '127.0.0.1' with your RADIUS server's IP address, 'testing123' with your shared secret, and '30' with your desired timeout in seconds.

Configuring FreeRADIUS PAM for Zone-Based Roles and Command Rights

Modify the affected role definitions to require multi-factor authentication for the users you want to use RADIUS authentication for login. For commands where you want users to use RADIUS authentication, configure the command right for re-authentication using multi-factor authentication.

To configure FreeRADIUS PAM for use with Server Suite zone-based role definitions and command rights, complete the following steps: 

  1. Configure your role definitions to use multi-factor authentication in Access Manager.

    1. Locate the role definitions requiring RADIUS authentication. Navigate to your zone, then Authorization > Role Definitions.

    2. Select the rights definition in the right pane.

    3. Right-click each role definition and select Properties.

    4. Click the Authentication tab.

    5. Select Require multi-factor authentication for login.

    6. Click OK to save the changes.

  2. Configure command rights definitions for RADIUS authentication in Access Manager.

    1. Locate the command rights definitions requiring RADIUS authentication. Navigate to your zone, then AuthorizationUNIX Right DefinitionsCommands.

    2. Select the rights definition in the right pane.

    3. Right-click each command right and select Properties.

    4. Click the Attributes tab.

    5. Select Re-authenticate current user.

    6. Select Require multi-factor authentication.

    7. Click OK to save the changes.

  3. Install the Server Suite agent for *NIX on the UNIX or Linux computer where users will use RADIUS authentication.

  4. On the target Linux or UNIX computer, locate the pam_centrifydc_cloud.so file.

  5. Rename the pam_centrifydc_cloud.so file.

  6. Create a symlink for the pam_centrifydc_cloud.so file to point to the pam_radius_auth.so file.

  7. Confirm the following configuration is set correctly in the sshd_config:

    Copy 
    KbdInteractiveAuthentication Yes

  8. Add RADIUS server ports to the RouteCheck port list in centrifydc.conf:

    Copy 
    dns.route.check.port: 88 445 135 1812 1813

Keep ports 88, 445, and 135 as they are used by Authentication Service.

Verifying the Installation

To ensure everything works smoothly, you need to verify the installation of RADIUS authentication for UNIX users. This confirms that the authentication policy is set up correctly and that users can log in without issues.

To verify the installation of RADIUS authentication, complete the following steps: 

  1. Configure a UNIX user on the RADIUS server to use a specific authentication policy.

  2. Run the radtest command to verify that user authentication works.

  3. Create a UNIX profile in Access Manager for a user in the zone where you joined the UNIX machine. Use the same UNIX name as the user you configured in step 1.

  4. Log in to the UNIX computer with the new user. Enter the Active Directory password to authenticate against the RADIUS server.