Mac OS - configuration

The steps below were performed on OS X - Yosemite 10.10.5.

Important: Non-2FA users

If you enable 2FA protection using the instructions in this guide, then by default local users who do not belong to your AD domain will not be able to log in. To allow local users to log in even if 2FA protection is enabled, please follow the additional steps described in the topic of Other RADIUS configurations - see Non-2FA users (user accounts not using 2FA).

To deploy 2FA protection on your Mac computer, make sure the computer is joined to the Active Directory domain. You can configure this under System Preferences... > Users & Groups > Login Options: click Join... next to Network Account Server and enter your Active Directory credentials.

PAM Authentication Module

1. Download PAM RADIUS tar.gz from http://freeradius.org/pam_radius_auth/

2. Build the .so library by executing the following commands in a terminal window:

./configure
make

3. Copy the built library to the PAM modules directory:

cp pam_radius_auth.so /usr/lib/pam

On OS X El Capitan and later, this location is protected by System Integrity Protection. To copy the library there, you have to disable System Integrity Protection for the duration of the copy command.

4. Create a server configuration file named server at /etc/raddb/. In it, enter the details of the RADIUS server in the following form:

<radius server>:<port> <shared secret> <timeout in seconds>

For example:

1.1.1.1 test 30

See INSTALL for security recommendations for the configuration file and USAGE for parameters that can be passed to the library. For example, you can use the 'debug' parameter to identify potential problems.

Incorporating the PAM module

PAM modules may be incorporated into various login types, for example login, sshd, su, sudo and so on. The list of available login types is located at /etc/pam.d/.

Modify the appropriate file in /etc/pam.d/ to incorporate the RADIUS PAM module into a specific login type.


Incorporating the PAM module into SSH

To incorporate the PAM module into SSH, edit /etc/pam.d/sshd and add the following line at the end of the file:

auth required /usr/lib/pam/pam_radius_auth.so
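The two file edits above (step 4's server file and the auth line in /etc/pam.d/sshd) are easy to get subtly wrong: the server file holds the shared secret, so it should be readable only by root, and re-running the setup must not append the module line twice. The script below is an added example, not part of the ESA guide or the pam_radius_auth project; it takes the target paths as parameters so it can be exercised against a scratch directory, and the port 1812, the module path /usr/lib/pam/pam_radius_auth.so and the sample pam_opendirectory.so line are assumptions.

```shell
#!/bin/sh
# Added example (not from the ESA guide): write the pam_radius_auth "server"
# file and add the module line to a PAM service file idempotently.
# Real paths from the guide would be /etc/raddb/server and /etc/pam.d/sshd;
# the functions take paths as arguments so they can be tested elsewhere.

# write_radius_server_file <path> <server[:port]> <shared-secret> <timeout-seconds>
# Writes a single "<server>:<port> <shared secret> <timeout>" line.
# The file is created with mode 0600 because it contains the shared secret.
write_radius_server_file() {
    path=$1; server=$2; secret=$3; timeout=$4
    case "$timeout" in
        ''|*[!0-9]*)
            echo "timeout must be a positive integer number of seconds" >&2
            return 1 ;;
    esac
    if [ -z "$server" ] || [ -z "$secret" ]; then
        echo "server and shared secret are required" >&2
        return 1
    fi
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077 && printf '%s %s %s\n' "$server" "$secret" "$timeout" > "$path" ) || return 1
    chmod 600 "$path"
}

# add_pam_radius_line <pam-service-file> [module-path]
# Appends "auth required <module>" at the end of the service file, as the
# guide instructs for /etc/pam.d/sshd, but only if no pam_radius_auth line
# is already present (so running the setup twice does not double-prompt).
add_pam_radius_line() {
    file=$1
    module=${2:-/usr/lib/pam/pam_radius_auth.so}   # assumed default path
    if grep -q 'pam_radius_auth\.so' "$file" 2>/dev/null; then
        return 0
    fi
    printf 'auth       required       %s\n' "$module" >> "$file"
}
```

Run the functions as root against the real paths once the library is built; the 0600 mode matches the protection the pam_radius_auth INSTALL file recommends for a file holding the shared secret.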

Next, enable SSH in OS X. Under System Preferences... > Sharing, enable Remote Login.


Below is an example of SSH login via ESA (PAM module incorporated in /etc/pam.d/sshd):

[Screenshot: PAM-challenge-ssh]


Below is an example of sudo login via ESA (PAM module incorporated in /etc/pam.d/sudo):

[Screenshot: PAM-challenge-sudo]


Incorporating the PAM module into Desktop Logins

For desktop login, the RADIUS Accept-Challenge method used for the VPN type cannot be used when configuring the RADIUS client in the ESA Management Tool. Instead, configure the RADIUS client as shown in the "VPN Type - VPN does not validate AD username and password" section of the Other RADIUS configurations topic, and incorporate the PAM module in the /etc/pam.d/authorization file.

With these settings, the login behaves as follows:

OTP delivered via SMS - at the first password prompt the user must enter their AD password. At the second password prompt, they must enter their OTP.

[Screenshot: PAM-ESA-Mac-login-SMS]

Other types of OTP (compound authentication) - the user enters both the AD password and the OTP at once, as ADpasswordOTP. For example, if your AD password is Test and the received OTP is 123456, you would enter Test123456.

[Screenshot: PAM-ESA-Mac-login-compound]