Linux PAM RADIUS (GUI)
Prerequisites
- A Linux machine that:
- Supports the PAM RADIUS package.
- Has a display manager that supports PAM authentication.
- A Windows machine running the Single Agent.
1. SecurEnvoy RADIUS Profile
- Go to Integration > Premises and add a new RADIUS profile.
- Enter the RADIUS configuration settings:
- Friendly name.
- Server Port.
- Assigned Agent.
- The IP address of the Linux machine.
- The Shared Secret for the RADIUS connection.
- (Optional) Enable the 'Message Authenticator' and 'Brute Force Protection' options.
- Save the configuration.
2. PAM RADIUS Config
- On the Linux machine, install or build the 'libpam-radius-auth' package.
- Open the pam_radius_auth config file:
sudo nano /etc/pam_radius_auth.conf
- In the server section, comment out the example servers.
- On a new line in the server section, enter the IP address of the Single Agent, the shared secret, and a timeout of 20. Don't enter a source_ip or vrf. If the Server Port in the RADIUS profile is not the RADIUS default (1812), append it to the address as server:port. Because this file holds the shared secret, keep it owned by root with mode 0600 (sudo chmod 600 /etc/pam_radius_auth.conf).
# server[:port] shared_secret timeout (s) source_ip vrf
#127.0.0.1 secret 3
192.168.0.1 secretpassword 20
- Save and exit the file by pressing Ctrl+X, then Y.
3. GDM PAM Config
- On the Linux machine, open the pam config file for your display manager, in this case, GDM:
sudo nano /etc/pam.d/gdm-password
- On a new line in the first section of the file, add:
auth sufficient pam_radius_auth.so
- Save and exit the file by pressing Ctrl+X, then Y.
With 'auth sufficient' on the line added in step 3, a RADIUS failure (agent unreachable, timeout, or reject) lets PAM fall through to the next auth module, normally pam_unix via common-auth, so the local password alone logs the user in and MFA is bypassed. Setting 'auth required' prevents this fail-open behaviour, but it also prevents local accounts that do not exist in Access Management from logging in. It is recommended to keep an alternative logon method for local accounts, or to have a domain user with sudo privileges, before switching to 'auth required'.
Step 3 only changes the PAM stack of the display manager. A user can bypass it by switching to a virtual console (for example Ctrl+Alt+F3) and logging in through login/getty, or through any other service that does not use the gdm-password stack, such as sshd. To cover those services as well, apply the same line to /etc/pam.d/common-auth, which they include on Debian-based systems (RHEL-style systems use /etc/pam.d/system-auth and password-auth instead).
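The following POSIX shell script is an added example, not part of the SecurEnvoy documentation. It audits the two files edited in steps 2 and 3 for the pitfalls described above: a leftover example server or a second server line in pam_radius_auth.conf, a missing or too-short timeout, an unexpected source_ip/vrf field, a world-readable secret file, and a pam_radius_auth.so line that is missing or uses the fail-open 'sufficient' control. The paths, the 192.168.0.1 agent address and the secret are illustrative assumptions; the demo at the end writes constructed copies of the files to a temporary directory so it runs without touching /etc.

```shell
#!/bin/sh
# Added example (not from the SecurEnvoy page): audit pam_radius_auth.conf and
# a PAM service file for the fail-open and misconfiguration pitfalls above.
# Assumed/illustrative: file paths, agent address 192.168.0.1, the secret.

# 0 if the file has exactly one active server line with three fields
# (server[:port] secret timeout), no source_ip/vrf, and timeout >= $2 (default 20).
check_radius_conf() {
    conf=$1; min_timeout=${2:-20}
    active=$(grep -v '^[[:space:]]*#' "$conf" | grep -v '^[[:space:]]*$')
    count=$(printf '%s\n' "$active" | grep -c .)
    [ "$count" -eq 1 ] || { echo "$conf: expected 1 active server line, found $count" >&2; return 1; }
    set -- $active
    [ $# -eq 3 ] || { echo "$conf: need 3 fields (server secret timeout), got $#" >&2; return 1; }
    case $3 in ''|*[!0-9]*) echo "$conf: timeout '$3' is not numeric" >&2; return 1 ;; esac
    [ "$3" -ge "$min_timeout" ] || { echo "$conf: timeout $3 is below $min_timeout" >&2; return 1; }
    return 0
}

# The file holds the shared secret: group and other permission bits must all be
# clear (mode 0600). Ownership (root) is not checked so the demo runs unprivileged.
check_conf_mode() {
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ] || { echo "$1: mode too open (group/other bits: $bits)" >&2; return 1; }
}

# Print the control field of the first active 'auth ... pam_radius_auth.so' line
# (a plain word or a [bracketed] group); exit 1 if there is none.
radius_control() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "auth" && $0 ~ /pam_radius_auth\.so/ {
            if ($2 ~ /^\[/) { s = index($0, "["); e = index($0, "]"); print substr($0, s, e - s + 1) }
            else print $2
            found = 1; exit
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# 0 = RADIUS enforced (required/requisite), 2 = present but fails open
# (sufficient), 1 = no pam_radius_auth.so line at all.
check_pam_service() {
    ctl=$(radius_control "$1") || { echo "$1: no active auth line for pam_radius_auth.so" >&2; return 1; }
    case $ctl in
        sufficient) echo "$1: 'sufficient' bypasses MFA if the RADIUS agent is unreachable" >&2; return 2 ;;
        required|requisite) return 0 ;;
        *) echo "$1: control '$ctl' found, review manually" >&2; return 0 ;;
    esac
}

# Demo on constructed copies of the files from steps 2 and 3.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/pam_radius_auth.conf" <<'EOF'
# server[:port] shared_secret timeout (s) source_ip vrf
#127.0.0.1 secret 3
192.168.0.1 secretpassword 20
EOF
    chmod 600 "$d/pam_radius_auth.conf"
    cat > "$d/gdm-password" <<'EOF'
auth sufficient pam_radius_auth.so
@include common-auth
EOF
    check_radius_conf "$d/pam_radius_auth.conf" && check_conf_mode "$d/pam_radius_auth.conf" \
        && echo "pam_radius_auth.conf: OK"
    rc=0; check_pam_service "$d/gdm-password" || rc=$?
    echo "gdm-password: check returned $rc (0 enforced, 2 fails open, 1 missing)"
    rm -rf "$d"
}
demo
```

Run it as an ordinary user to see the demo; to audit the live system, call `check_radius_conf /etc/pam_radius_auth.conf`, `check_conf_mode /etc/pam_radius_auth.conf` and `check_pam_service /etc/pam.d/gdm-password` (and the same for /etc/pam.d/common-auth) from a root shell. A return of 2 from `check_pam_service` is the 'sufficient' case discussed above and is a deliberate trade-off, not necessarily an error.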
4. Test logging in with a user
- Log out and log in again as a domain user.
Not all display managers are capable of displaying separate prompts for the password and the OTP. This can be worked around by setting 'Challenge Not Supported' on the Security tab in the RADIUS profile. This allows the password and OTP to be entered together in the same field; however, it also means that real-time codes can't be used.