Friday, February 10, 2012

pam_radius (How to set up a RADIUS client on Linux)


1. install gcc and pam-devel

yum install -y gcc pam-devel

2. download pam_radius

wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz
tar xfz pam_radius-1.3.17.tar.gz 

3. compile

cd pam_radius-1.3.17
make

4. copy the shared library into the PAM module directory

cp pam_radius_auth.so /lib/security/

Note. On 64-bit RHEL/CentOS the PAM modules live in /lib64/security/ (check with ls -d /lib*/security). Copy the module there instead and use that path in step 5, otherwise PAM will not find it and every ssh login through this stack fails.

5. edit sshd

vi /etc/pam.d/sshd

Insert this line at the top of the file, before the existing auth lines:

auth        sufficient     /lib/security/pam_radius_auth.so

Note. The "sufficient" control flag means that when RADIUS authentication succeeds, the later auth modules are skipped and the user is in. When RADIUS fails, or the server does not answer within the timeout, PAM falls through to the remaining auth lines, so a local username and password from /etc/shadow still works. Use "required" (lowercase, like all PAM control flags) to make RADIUS mandatory: the later modules still run, so the user must pass both RADIUS and the local checks, and a RADIUS outage locks everyone out of ssh. Whichever you choose, keep a tested way in that does not go through this file (console login, or a second ssh session left open) while you change sshd's PAM stack.

6. Edit or create your /etc/raddb/server file

Each line is: server[:port]   shared_secret   timeout_in_seconds

vi /etc/raddb/server
--------//---------
127.0.0.1       secret      1
routableIPaddress      shared_secret      1
--------//---------

Note. Replace routableIPaddress with your RADIUS server's address (10.10.1.122 in the test below) and shared_secret with the secret you register for this host on the server; the 127.0.0.1 / "secret" line is a placeholder and should be removed unless you really run a RADIUS server on the same box. The file holds the secret in clear text, so make it readable by root only:

chown root:root /etc/raddb/server
chmod 0600 /etc/raddb/server

7. On the RADIUS server, create the user account and add the Linux host as a RADIUS client (NAS) with the same shared secret and source IP as in /etc/raddb/server; requests from an unknown client or with a mismatched secret are discarded.

8. On the Linux client, add the user with no local password

useradd user1

pam_radius_auth only handles the "auth" step; the account still has to exist locally (or via NSS) so sshd can resolve the uid and home directory. Leaving the local password unset keeps it locked ("!!" in /etc/shadow), so with "sufficient" above there is no local-password fallback for this user, only RADIUS.

9. Test by logging in to the Linux client over ssh as user1 with the password configured on the RADIUS server, and watch the exchange on the wire

-------- radius packet --------
radius server : 10.10.1.122:1812
radius client : 10.10.1.123

# tcpdump -nni eth0 host 10.10.1.122 and port 1812
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:30:00.499762 IP 10.10.1.123.3902 > 10.10.1.122.1812: RADIUS, Access Request (1), id: 0xfe length: 86
22:30:00.507723 IP 10.10.1.122.1812 > 10.10.1.123.3902: RADIUS, Access Accept (2), id: 0xfe length: 82
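The two datagrams above are the whole protocol. As an added example (not code from pam_radius or FreeRADIUS), the following script models both ends of that exchange per RFC 2865, using the addresses from the capture and the "shared_secret" from /etc/raddb/server; the user database and the password "correct horse" are constructed for the demo, and real pam_radius sends a few more attributes (NAS-Port-Type, Service-Type) that are omitted here. It shows what the shared secret actually does: the User-Password attribute is hidden with MD5(secret + Request Authenticator) XOR password, and the Access-Accept is authenticated only by MD5 over the reply plus the secret. Nothing else is protected, so anyone who can sniff the 1812 traffic and knows (or guesses) the secret recovers the password, and a mismatched secret shows up as a Reject that the client cannot even verify.

```python
"""Minimal RADIUS (RFC 2865) Access-Request / Access-Accept exchange.

Added example for this post, not pam_radius or FreeRADIUS code. Models
both ends of the packets in the tcpdump (10.10.1.123 -> 10.10.1.122:1812).
The user database and password below are constructed for the demo.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; then a 16-byte Authenticator


def attr(atype, value):
    """One Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(payload):
    """Return [(type, value), ...], rejecting lengths that run past the packet."""
    attrs, i = [], 0
    while i < len(payload):
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute")
        attrs.append((atype, payload[i + 2:i + alen]))
        i += alen
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous block).

    The first 'previous block' is the Request Authenticator. This is obfuscation
    keyed by the shared secret, not encryption in any modern sense.
    """
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; anyone holding the secret and the packet can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def access_request(username, password, secret, nas_ip, ident, authenticator=None):
    """Client side (what pam_radius_auth sends); Request Authenticator is 16 random bytes."""
    authenticator = authenticator or os.urandom(16)
    attrs = [
        attr(USER_NAME, username),
        attr(USER_PASSWORD, hide_password(password, secret, authenticator)),
        attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        attr(NAS_PORT, struct.pack("!I", 0)),
    ]
    return build_packet(ACCESS_REQUEST, ident, authenticator, attrs)


def response_authenticator(code, ident, length, request_auth, body, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, length) + request_auth + body + secret).digest()


def server_handle(request, secret, users):
    """Server side: recover the password, check it, answer Access-Accept or Access-Reject."""
    code, ident, length = HEADER.unpack_from(request)
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    password = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    stored = users.get(attrs.get(USER_NAME, b""))
    # A shared-secret mismatch decodes to garbage, so it ends here as a Reject too.
    ok = stored is not None and hmac.compare_digest(stored, password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_auth = response_authenticator(reply_code, ident, 20, req_auth, b"", secret)
    return build_packet(reply_code, ident, resp_auth, [])


def client_verify(request, reply, secret):
    """Client side: trust the reply only if its Response Authenticator matches our request and secret."""
    code, ident, length = HEADER.unpack_from(reply)
    if length != len(reply) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, length, request[4:20], reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])


def exchange(password=b"correct horse", client_secret=b"shared_secret", server_secret=b"shared_secret"):
    """One round trip like the capture. Returns (reply code, client accepted reply as authentic)."""
    users = {b"user1": b"correct horse"}  # constructed server-side user database
    req = access_request(b"user1", password, client_secret, "10.10.1.123", 0xFE)
    reply = server_handle(req, server_secret, users)
    return reply[0], client_verify(req, reply, client_secret)


if __name__ == "__main__":
    print("good password:", exchange())                          # (2, True)  Access-Accept
    print("bad password:", exchange(password=b"wrong"))          # (3, True)  Access-Reject
    print("secret mismatch:", exchange(server_secret=b"other"))  # (3, False) reply not verifiable
```

The practical consequence for the setup above: the shared secret in /etc/raddb/server is the only key material protecting both the password in transit and the authenticity of the server's answer, so use a long random secret per client, keep the file 0600, and confine RADIUS traffic to a trusted management network or tunnel it rather than letting it cross networks you do not control.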