Friday, February 10, 2012

Pam Radius (How to set RADIUS client for Linux)

1. install gcc and pam-devel

yum install -y gcc pam-devel

2. download pam_radius

tar xfz pam_radius-1.3.17.tar.gz 

3. compile

cd pam_radius-1.3.17

4. copy shared library

cp /lib/security/

5. edit sshd

vi /etc/pam.d/sshd

Go to the first line of the file and paste this line:

auth        sufficient     /lib/security/

Note: The "sufficient" control flag means that if RADIUS authentication succeeds, no additional authentication is required. However, if RADIUS authentication fails, a username and password from the system will still work. Use "required" to require strong authentication.

6. Edit or create your /etc/raddb/server file

vi /etc/raddb/server
--------//---------       secret      1
routableIPaddress      shared_secret      1

7. On the RADIUS server, create the account and add this client so that it is allowed to access RADIUS

8. On the Linux client, add the user with no password

useradd user1

9. Test with ssh to the linux client
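
An added example, not part of the original post: a shell check for the two files edited in steps 5 and 6. It reports the control flag on the pam_radius line and flags a server file that is readable beyond its owner or still holds the guide's placeholder secret. The function names are hypothetical, and `stat -c` assumes GNU coreutils.

```bash
#!/usr/bin/env bash
# Added example: audit the files edited in steps 5 and 6 of this guide.
# Function names are hypothetical; stat -c assumes GNU coreutils (Linux).
# Usage: radius_is_mandatory /etc/pam.d/sshd; check_server_file /etc/raddb/server

# Print the control flag of each active auth line that loads pam_radius.
radius_auth_flags() {   # $1 = PAM service file
    awk '$1 == "auth" && $0 ~ /pam_radius/ { print $2 }' "$1"
}

# Return 0 if every pam_radius line is required/requisite,
# 1 if a weaker flag such as "sufficient" is used (system passwords still work),
# 2 if no pam_radius auth line is configured at all.
radius_is_mandatory() {
    flags=$(radius_auth_flags "$1")
    [ -n "$flags" ] || return 2
    for f in $flags; do
        case "$f" in
            required|requisite) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Print one finding per problem in the server file; print nothing if it is clean.
check_server_file() {   # $1 = file holding the shared secret
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        0|*00) ;;   # no group/other access
        *) echo "mode $mode: shared secret readable beyond the owner" ;;
    esac
    awk '/^[ \t]*(#|$)/ { next }
         NF < 2 { print "line " NR ": expected <server> <secret>"; next }
         $2 == "secret" || $2 == "shared_secret" {
             print "line " NR ": placeholder secret copied from the guide" }' "$1"
}
```
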

-------- radius packet --------
radius server :
radius client :

# tcpdump -nni eth0 host and port 1812
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:30:00.499762 IP > RADIUS, Access Request (1), id: 0xfe length: 86
22:30:00.507723 IP > RADIUS, Access Accept (2), id: 0xfe length: 82