PAM to RADIUS Authentication Module
Starting in v8.5, Endpoint Privilege Management for Unix and Linux includes a PAM module (pam_radius_auth) to support authentication against a configured RADIUS server. The module allows Endpoint Privilege Management for Unix and Linux to act as a RADIUS client for authentication and accounting requests.
You must have a RADIUS server already installed and configured before using this module. Your RADIUS server must also have the Endpoint Privilege Management for Unix and Linux host requesting authentication already defined as a RADIUS client.
To configure Endpoint Privilege Management for Unix and Linux to use pam_radius_auth, perform the following steps.
- Locate the PAM to RADIUS Authentication Module:
Upon installation, the PAM module (pam_radius_auth) can be found in /usr/lib/beyondtrust/pb. It may be copied to a custom location or to the system's default PAM module directory (for example, /lib/security or /usr/lib/security).
- Configure the PAM configuration to use pam_radius_auth:
Configure a PAM configuration file for pam_radius_auth that defines a service stack using the pam_radius_auth module. On most Unix operating systems, the stack can be added to /etc/pam.conf. On Linux, it is a separate file in the /etc/pam.d directory. The service name defined here may be used in the PAM-related Endpoint Privilege Management for Unix and Linux settings keyword, policy functions, and variables.
/etc/pam.d/pbul_pam_radius:
    #task    control    module
    auth     required   pam_radius_auth.so
    account  required   pam_radius_auth.so
    password required   pam_radius_auth.so
- Create/locate the pam_radius_auth configuration file:
The pam_radius_auth configuration file identifies the RADIUS server(s) that perform the authentication. By default, the pam_radius_auth configuration file is /etc/raddb/server. You can use a different path/filename and use the module option field in the PAM config file to specify the location:
/etc/pam.d/pbul_pam_radius:
    auth     required   pam_radius_auth.so conf=<filepathname>
- Set up the pam_radius_auth configuration file:
Edit the pam_radius_auth configuration file and add a line that represents your RADIUS server using this format:
    server[:port] shared_secret [timeout]
Field | Description
server | Required. RADIUS server name or IP address.
port | Optional. Specify the port name or number if it differs from the RADIUS port name defined in /etc/services.
shared_secret | Required. The authentication key defined in the client configuration file for this host on the RADIUS server.
timeout | Optional. The number of seconds the module waits before deciding that the server has failed to respond. The default timeout is 3 seconds.
Example:
    216.27.61.130:1812 secretCnz9CkUtIeHqtCya89LzPTJEq0VnLCNA2SB9KWhIoSnC 10
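The following parser, added here as an example and not part of the product or the pam_radius_auth module, reads a server file in the format above, applies the documented defaults (3-second timeout; port 1812 assumed as the standard RADIUS authentication port when none is given), and reports malformed lines before they reach a login stack. The sample file content is constructed for the example.

```python
import socket
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_RADIUS_PORT = 1812  # assumed default when no port is given
DEFAULT_TIMEOUT = 3         # documented pam_radius_auth default


@dataclass
class RadiusServer:
    host: str
    port: int
    shared_secret: str
    timeout: int


def parse_server_line(line: str) -> Optional[RadiusServer]:
    """Parse 'server[:port] shared_secret [timeout]'; None for blank/comment lines."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    fields = text.split()
    if len(fields) not in (2, 3):
        raise ValueError(f"expected 2 or 3 fields, got {len(fields)}: {line!r}")
    host, _, port_text = fields[0].partition(":")
    if not host:
        raise ValueError(f"missing server name: {line!r}")
    if not port_text:
        port = DEFAULT_RADIUS_PORT
    elif port_text.isdigit():
        port = int(port_text)
    else:  # a service name, resolved through /etc/services like the module would
        try:
            port = socket.getservbyname(port_text, "udp")
        except OSError as exc:
            raise ValueError(f"unknown port name {port_text!r}: {line!r}") from exc
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {line!r}")
    timeout = int(fields[2]) if len(fields) == 3 else DEFAULT_TIMEOUT
    if timeout <= 0:
        raise ValueError(f"timeout must be positive: {line!r}")
    return RadiusServer(host, port, fields[1], timeout)


def parse_server_config(text: str) -> List[RadiusServer]:
    """Return every server entry; raise ValueError on the first malformed line."""
    servers = [s for s in map(parse_server_line, text.splitlines()) if s]
    if not servers:
        raise ValueError("no RADIUS server entries found")
    return servers


def config_errors(text: str) -> List[str]:
    """Collect all problems in a file instead of stopping at the first one."""
    errors = []
    for number, line in enumerate(text.splitlines(), 1):
        try:
            parse_server_line(line)
        except ValueError as exc:
            errors.append(f"line {number}: {exc}")
    return errors


# Constructed sample; the first entry mirrors the page's example line.
SAMPLE_CONFIG = """\
# constructed /etc/raddb/server sample
216.27.61.130:1812 secretCnz9CkUtIeHqtCya89LzPTJEq0VnLCNA2SB9KWhIoSnC 10
radius-backup.example.internal placeholderSharedSecret
"""
```

Because the file holds the shared secret, keep it readable by root only; the parser checks syntax, not file permissions.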
- Set up Endpoint Privilege Management for Unix and Linux to use the pam_radius_auth module.
For more information on using the services defined here, see Pluggable Authentication Modules.