Tag Archives: pam_radius

Authenticating users with freeradius on Centos

You may want to authenticate users with radius at some point, perhaps your backend stores all your users there, perhaps you do not want to login to many boxes to change password for same user, I will describe here how to authenticate users with almost any service.

First setup some repository depending on if your running 64 bit or not:
#64 Bit

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm

#32 Bit

rpm -Uvh http://download.fedoraproject.org/pub/epel/6/i386/epel-release-6-7.noarch.rpm

Install it and configure it:

yum install pam_radius
alias pico='nano -w'
pico /etc/pam_radius.conf

Setup your radius details here
#server[:port] shared_secret timeout (s)
127.0.0.1 your_radius_secret_password 3

Add radius authentication to SSH

cd /etc/pam.d
pico sshd

#now for any users you want to authenticate, just toss following line as second line in any service
auth sufficient pam_radius_auth.so debug

Just open any file and edit it and its authenticating off radius
IMPORTANT NOTE: Do NOT think you can just add users to radius and login, you must actually create the user first! This is not LDAP, we are simply just providing another place to store passwords for users, nothing more, you can lockout the account on the system and still login with users radius passsword.

To add a user is simple as : adduser username
Delete a user just as simple : userdel -r username

Verify everything is ok:

ssh -l radius_user localhost 
exit
tail -100 /var/log/secure

You hopefully see something as follows:
pam_radius_auth: Got RADIUS response code 2

Exactly what we want, response code 2 from radius is Accept-Accept, so we typed in right password and should have been logged in.

Try some other services, pop open dovecot for instance:

pico /etc/pam.d/dovecot (add the same line)
telnet localhost 110
user radius_user
pass radius_pass
retr 1

You can do this for all your services,

Until Next Time,

SunSaturn.com