Other RADIUS configurations

In the examples below we used an Active Directory domain environment.

Client Type - Client does not validate username and password

If you set Client Type to Client does not validate username and password when configuring a RADIUS client in ESA Management Tool, both factors (username and password as first factor, and OTP as second factor) are verified by ESA:

[Screenshot: RADIUS client configuration in ESA Management Tool with Client Type set to "Client does not validate username and password"]

Afterward, in /etc/pam.d/sshd (or the file of whichever other integration you are configuring), add the following line:

auth required /usr/lib/pam/pam_radius_auth.so

and comment out (prefix with #) all the other auth lines, so that pam_radius_auth is the only module that runs in the auth phase.


Note: Verification required

The domain administrator must verify whether this scenario, specifically disabling all other auth modules, is suitable for their deployment.

In this case an SSH login process looks like this:

SMS delivery of OTP - at the first password prompt, the user types their AD password. At the second password prompt, they type the OTP they received.

[Screenshot: SSH login with both factors verified by ESA, OTP delivered by SMS]

Other type of OTP (compound authentication) - the user must type the AD password and the OTP together, in one prompt, as ADpasswordOTP (no separator). For example, if your AD password is Test and the received OTP is 123456, you would type Test123456.

[Screenshot: SSH login with both factors verified by ESA, compound password and mobile OTP]

Client Type - Client validates username and password

If you set Client Type to Client validates username and password when configuring a RADIUS client in ESA Management Tool, the first factor (username and password) is validated by another PAM module, and ESA verifies only the OTP:

[Screenshot: RADIUS client configuration in ESA Management Tool with Client Type set to "Client validates username and password"]

When configuring RADIUS in this manner, add the following line in /etc/pam.d/sshd (or the appropriate integration):

auth required /usr/lib/pam/pam_radius_auth.so force_prompt prompt=RADIUS


In this case an SSH login process looks like this:

Prompts that start with the string Password: are handled by the other PAM modules. Prompts that begin with the string RADIUS: are handled by our PAM module; see the argument prompt=RADIUS in the line above (force_prompt makes the module ask for its own input instead of reusing the password already entered).

SMS - at the first prompt, the user must type their AD password. At the second prompt, they must type the text 'sms' (without apostrophes) to request the OTP. At the third prompt, they must type their AD password again. At the fourth prompt, they must type the received OTP.

[Screenshot: SSH login with RADIUS as second factor, OTP delivered by SMS]

Other OTP type (OTP generated by a mobile application or a hard token) - type the AD password at the first prompt. At the second prompt, type the OTP.

[Screenshot: SSH login with RADIUS as second factor, OTP from mobile application or hard token]
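The two client types above correspond to two different shapes of the auth stack in /etc/pam.d/sshd, and getting them wrong fails in opposite ways: a stray auth line in the first mode means the AD password is checked twice (and the compound ADpasswordOTP input is rejected by pam_unix), while a missing force_prompt in the second mode means pam_radius_auth silently reuses the AD password as the OTP. The following shell script is an added example, not part of the ESA documentation, that checks a PAM service file against either mode. The mode names radius-only and radius-second are this script's own, the sample files are constructed, and the assumption that a Debian-style "@include common-auth" line pulls in further auth modules (and therefore breaks the RADIUS-only mode) is mine, not something the page states:

```shell
#!/bin/sh
# Added example (not from the ESA documentation): sanity-check the auth stack
# of a PAM service file such as /etc/pam.d/sshd before enabling one of the two
# RADIUS client modes.
#
# Modes (this script's own names, not ESA terminology):
#   radius-only    "Client does not validate username and password":
#                  pam_radius_auth.so must be the only active auth line.
#   radius-second  "Client validates username and password":
#                  another auth module (or an @include that pulls one in)
#                  must remain, and the pam_radius_auth.so line must carry
#                  force_prompt and prompt=RADIUS.
#
# Assumption: a Debian/Ubuntu "@include common-auth" line brings in pam_unix
# and friends, so it counts as another auth module.

# Active (uncommented) auth lines of a PAM file.
pam_auth_lines() {
    grep -E '^[[:space:]]*auth[[:space:]]' "$1" || true
}

# Lines that include other PAM files (Debian/Ubuntu style).
pam_include_lines() {
    grep -E '^[[:space:]]*@include[[:space:]]' "$1" || true
}

# check_pam_auth_stack MODE FILE -> exit status 0 if FILE fits MODE.
check_pam_auth_stack() {
    mode=$1
    file=$2
    auth=$(pam_auth_lines "$file")
    includes=$(pam_include_lines "$file")
    n_auth=$(printf '%s\n' "$auth" | grep -c . || true)
    n_radius=$(printf '%s\n' "$auth" | grep -c 'pam_radius_auth\.so' || true)
    radius_line=$(printf '%s\n' "$auth" | grep 'pam_radius_auth\.so' || true)

    case $mode in
    radius-only)
        # ESA verifies both factors: nothing but pam_radius_auth may run.
        [ "$n_radius" -eq 1 ] && [ "$n_auth" -eq 1 ] && [ -z "$includes" ]
        ;;
    radius-second)
        # Another module owns the "Password:" prompt; ours must force its
        # own "RADIUS:" prompt instead of reusing the password.
        { [ "$n_auth" -ge 2 ] || [ -n "$includes" ]; } &&
            [ "$n_radius" -eq 1 ] &&
            printf '%s\n' "$radius_line" | grep -q 'force_prompt' &&
            printf '%s\n' "$radius_line" | grep -q 'prompt=RADIUS'
        ;;
    *)
        echo "unknown mode: $mode" >&2
        return 2
        ;;
    esac
}

# Constructed sample files (not copied from a real host).
sample_radius_only() {
    cat <<'EOF'
# sshd, RADIUS-only variant: every other auth line commented out
#auth      substack     password-auth
auth required /usr/lib/pam/pam_radius_auth.so
account    required     pam_nologin.so
session    include      password-auth
EOF
}

sample_radius_second() {
    cat <<'EOF'
# sshd, RADIUS as second factor after the existing password check
auth       substack     password-auth
auth required /usr/lib/pam/pam_radius_auth.so force_prompt prompt=RADIUS
account    required     pam_nologin.so
session    include      password-auth
EOF
}

# A common mistake on Debian: auth lines commented out, @include left in.
sample_radius_only_broken() {
    cat <<'EOF'
#auth required pam_unix.so
auth required /usr/lib/pam/pam_radius_auth.so
@include common-auth
@include common-account
EOF
}

# Run the three samples and print a verdict for each.
demo() {
    tmp=$(mktemp)
    for pair in "sample_radius_only radius-only" \
                "sample_radius_second radius-second" \
                "sample_radius_only_broken radius-only"; do
        set -- $pair
        "$1" > "$tmp"
        if check_pam_auth_stack "$2" "$tmp"; then
            echo "$1: suitable for $2"
        else
            echo "$1: NOT suitable for $2"
        fi
    done
    rm -f "$tmp"
}

demo
```

Run it against a real file with check_pam_auth_stack radius-only /etc/pam.d/sshd (or radius-second) after editing and before restarting sshd; keep an existing SSH session open while you test, since a broken auth stack locks you out.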