Radius Authentication

Todor Genov todor.genov at za.verizonbusiness.com
Thu Oct 16 18:06:38 PDT 2008 

Hi Matt,


The three important steps here are as follows:

1.) Confirm that authentication against the RADIUS server succeeds using
any command line RADIUS util.

2.) configure /etc/radius.conf as per "man pam_radius" and man "radius.conf"

3.) Add a user on the FreeBSD machine whose name corresponds with the
Windows domain account (if the name contains spaces then refer to the
pre-Windows2000 compatible username in AD). This is mandatory as
pam_radius is only used for authentication. UID, GID, home dir and all
*nix relevant account parameters are still retrieved from the local user
database.

 An alternative to step 3 would be to use the template_user option in
radius.conf, but this means that all your Windows users will appear to
the system with same UID/GID as the template_user.


MattAD wrote:
> I would just like to know if anyone on earth has been able to get the
> pam_radius module working on FreeBSD, using a windows domain username
> through ssh... ??? This has become a mystery to me. My /etc/pam.d/sshd
> config looks like so:  
> 
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.16 2007/06/10 18:57:20 yar Exp $
> #
> # PAM configuration for the "sshd" service
> #
> 
> # auth
> auth            required        pam_nologin.so          no_warn
> auth            sufficient      pam_opie.so             no_warn
> no_fake_prompts
> auth            requisite       pam_opieaccess.so       no_warn allow_local
> auth            sufficient      pam_radius.so           no_warn
> try_first_pass
> #auth           sufficient      pam_krb5.so             no_warn
> try_first_pass
> #auth           sufficient      pam_ssh.so              no_warn
> try_first_pass
> auth            sufficient      pam_unix.so             no_warn
> try_first_pass
> 
> # account
> account         required        pam_nologin.so
> #account        required        pam_krb5.so
> account         required        pam_login_access.so
> account         required        pam_unix.so
> 
> # session
> #session        optional        pam_ssh.so
> session         required        pam_permit.so
> 
> # password
> #password       sufficient      pam_krb5.so             no_warn
> try_first_pass
> password        required        pam_unix.so             no_warn
> try_first_pass
> 
> 
> :confused:

-- 
Regards,

Todor Genov
Systems Operations

Verizon Business South Africa (Pty) Ltd

todor.genov at za.verizonbusiness.com
Tel: +27 11 235 6500
Fax: 086 692 0543

More information about the freebsd-questions mailing list