PAM to RADIUS Authentication Module

Starting in v8.5, Privilege Management for Unix and Linux includes a PAM module (pam_radius_auth) to support authentication against a configured RADIUS server. The module allows Privilege Management for Unix and Linux to act as a RADIUS client for authentication and accounting requests.

You must have a RADIUS server already installed and configured before using this module. Your RADIUS server must also have the Privilege Management for Unix and Linux host requesting authentication already defined as a RADIUS client.

To configure Privilege Management for Unix and Linux to use pam_radius_auth, perform the following steps.

  1. Locate the PAM to RADIUS Authentication Module:
  2. Upon installation, the PAM module (pam_radius_auth) can be found in /usr/lib/beyondtrust/pb. It may be copied to a custom location or the system’s default PAM module directory (for example, /lib/security or/usr/lib/security).

  1. Configure the PAM configuration to use pam_radius_auth:
  2. Configure a PAM configuration file for pam_radius_auth which would define a service stack using the pam_ radius_auth module. For most Unix operating systems, it can be added in /etc/pam.conf. On Linux, it is a separate file in /etc/pam.d directory. The service name defined here may be used in the PAM-related Privilege Management for Unix and Linux settings keyword, policy functions, and variables.

    #task control module
    auth required
    account required
    password required
  1. Create/locate the pam_radius_auth configuration file:
  2. The pam_radius_auth configuration file identifies the RADIUS server(s) that performs the authentication. By default, the pam_radius_auth configuration file is /etc/raddb/server. You can use a different path/filename and use the module option field in the PAM config file to specify the location:

    auth required conf=<filepathname>
  1. Set up the pam_radius_auth configuration file:
  2. Edit the pam_radius_auth configuration file and add a line that represents your RADIUS server using this format:

    server[:port] shared_secret [timeout]
server Required. RADIUS server name or IP address.
port Optional. Specify if the port name or number if different from the defined radius port name in /etc/services.
shared_secret Required. The authentication key defined in the client configuration file for this host on the RADIUS server.
timeout Optional. The number of seconds the module waits before deciding that the server has failed to respond. The default timeout is 3 seconds. secretCnz9CkUtIeHqtCya89LzPTJEq0VnLCNA2SB9KWhIoSnC 10
  1. Set up Privilege Management for Unix and Linux to use the pam_radius_auth module.

For more information on using the services defined here, please see Pluggable Authentication Modules.