RADIUS PAM modules on Linux/Mac
Linux/Mac machines can use ESA for 2FA through a Pluggable Authentication Module (PAM) that acts as a RADIUS client and talks to the ESA RADIUS server.
In general, any service using RADIUS can be configured to use the ESA RADIUS server.
PAM is a framework of dynamically loaded C libraries (.so) that add custom layers to the authentication process; each module can perform additional checks and allow or deny access accordingly. Here, a PAM module prompts the user for an OTP on a Linux or Mac computer joined to an Active Directory domain and verifies it against an ESA RADIUS server.
This guide uses the PAM Authentication and Accounting module (pam_radius_auth) by FreeRADIUS. Other RADIUS PAM clients can be used as well.
The basic configuration described here uses the RADIUS Access-Challenge mechanism, which both the ESA RADIUS server and the RADIUS PAM client used here support: the server validates the user name and password itself and then challenges the client for the OTP in a second round trip. Options that do not use Access-Challenge are described briefly in the Other RADIUS configurations section of this manual.
Important: First, configure the Linux/Mac RADIUS client in ESA Web Console. Type the IP address of your Linux/Mac computer in the IP Address field; RADIUS servers identify clients by the source address of incoming requests, so this must be the address the requests actually arrive from (after any NAT). Select Client does not validate user name and password - use Access-Challenge from the Client Type drop-down menu.
When you complete these steps, configure your Linux or Mac computer based on the instructions in the following sub-chapters.
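The following added example shows what the Access-Challenge flow configured above looks like on the wire: a PAM-style client sends the user name and password in an Access-Request, the server validates them and answers with Access-Challenge carrying an opaque State and a Reply-Message prompt, the client relays the prompt to the user and sends the OTP in a second Access-Request with the State echoed back, and the server answers Access-Accept or Access-Reject. It is illustration code written for this page, not ESA, pam_radius_auth or FreeRADIUS code; the class names, the in-memory user table with a fixed OTP, and the shared secret are constructed assumptions, while the packet framing, User-Password hiding and Response Authenticator follow RFC 2865.

```python
"""Two-round RADIUS Access-Challenge exchange (RFC 2865 framing), both sides in one process.
Added illustration only: not ESA, pam_radius_auth or FreeRADIUS code. OtpRadiusServer,
PamRadiusClient, the user table (a fixed OTP stands in for ESA's verification) and the
shared secret are constructed assumptions."""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11   # packet codes
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24                # attribute types


def encode_attrs(attrs):
    """TLV-encode [(type, value), ...]; the length byte covers type+length+value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def pack(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each chunk with MD5(secret + previous chunk)."""
    padded = password.ljust(-(-len(password) // 16) * 16 or 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code, ident, attrs, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()


class OtpRadiusServer:
    """Validates the password itself, then challenges for an OTP (the ESA client type chosen above)."""

    def __init__(self, secret, users):
        self.secret, self.users, self.pending = secret, users, {}   # users: name -> (password, otp)

    def handle(self, pkt):
        code, ident, req_auth, attrs = unpack(pkt)
        if code != ACCESS_REQUEST:
            raise ValueError("expected Access-Request")
        a = dict(attrs)
        user = a.get(USER_NAME, b"")
        supplied = reveal_password(a.get(USER_PASSWORD, b""), self.secret, req_auth)
        resp_attrs = []
        if STATE in a:   # second round: State ties this OTP to the challenge we issued
            ok = (self.pending.pop(a[STATE], None) == user and user in self.users
                  and supplied == self.users[user][1])
            resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
        elif user in self.users and supplied == self.users[user][0]:
            state = os.urandom(16)           # opaque to the client, must be echoed back unchanged
            self.pending[state] = user
            resp_code, resp_attrs = ACCESS_CHALLENGE, [(STATE, state), (REPLY_MESSAGE, b"Enter OTP:")]
        else:
            resp_code = ACCESS_REJECT        # wrong password: no challenge is ever issued
        auth = response_authenticator(resp_code, ident, resp_attrs, req_auth, self.secret)
        return pack(resp_code, ident, auth, resp_attrs)


class PamRadiusClient:
    """Stand-in for the PAM module: sends credentials, relays the prompt, echoes State."""

    def __init__(self, secret, server):
        self.secret, self.server, self.ident = secret, server, 0

    def _round(self, user, password, state=None):
        self.ident = (self.ident + 1) % 256
        req_auth = os.urandom(16)
        attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, self.secret, req_auth))]
        if state is not None:
            attrs.append((STATE, state))
        reply = self.server.handle(pack(ACCESS_REQUEST, self.ident, req_auth, attrs))
        code, ident, resp_auth, resp_attrs = unpack(reply)
        # A reply not built with our shared secret, or not for this request, is discarded.
        if ident != self.ident or resp_auth != response_authenticator(code, ident, resp_attrs, req_auth, self.secret):
            raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
        return code, dict(resp_attrs)

    def authenticate(self, user, password, prompt):
        """prompt(message) plays the PAM conversation function and returns the OTP typed by the user."""
        code, attrs = self._round(user, password)
        if code == ACCESS_CHALLENGE:
            otp = prompt(attrs.get(REPLY_MESSAGE, b"").decode())
            code, _ = self._round(user, otp.encode(), attrs[STATE])
        return code == ACCESS_ACCEPT
```

Two details matter in practice: the client must verify the Response Authenticator on every reply, otherwise a shared-secret mismatch (or a spoofed reply) is indistinguishable from a genuine Access-Accept; and the State attribute is opaque, so the PAM client stores and echoes it verbatim rather than interpreting it.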