:orphan:

********************************
Ubuntu 20 LTS RADIUS Integration
********************************

Overview
========

This article describes the steps needed to integrate Ubuntu logins with RADIUS using RADIUS PAM libraries.

Install RADIUS and PAM Libraries in Ubuntu
==========================================

.. code-block:: none

   sudo apt-get update;
   sudo apt-get install freeradius freeradius-utils freeradius-mysql libpam-radius-auth;

Setup RADIUS in Ubuntu
======================

.. code-block:: none

   sudo vi /etc/pam_radius_auth.conf;

Add the following lines to the new file:

.. code-block:: none

   # SwivelServerIP    Shared Secret    Timeout
   192.168.209.35      secret           60

Then copy the RADIUS server profile to a new file, /etc/raddb/server:

.. code-block:: none

   sudo mkdir /etc/raddb;
   sudo cp /etc/pam_radius_auth.conf /etc/raddb/server;

Setup a RADIUS NAS entry on the Swivel server
=============================================

.. image:: images/Integration/RADIUS/Ubuntu/2020-12-09_16-49-57.jpg

Use the following settings for a Two Stage Password, then OTC request. Other configurations are available, e.g. Push:

.. image:: images/Integration/RADIUS/Ubuntu/Screenshot_2020-12-09_Sentry_Configuration.png

Enable PAM RADIUS on SSH daemon in Ubuntu
=========================================

This will just affect SSHD logins. Example login:

.. image:: images/Integration/RADIUS/Ubuntu/2020-12-09_17-09-10.gif

Open sshd_config for editing:

.. code-block:: none

   sudo vi /etc/ssh/sshd_config

Modify the existing parameters:

.. code-block:: none

   ChallengeResponseAuthentication yes
   UsePAM yes

Save and close the file.

Open the pam.d sshd config file for editing:

.. code-block:: none

   sudo vi /etc/pam.d/sshd

Make the following modifications. Add the following line:

.. code-block:: none

   auth sufficient pam_radius_auth.so

...and comment out the @include common-auth line:

.. code-block:: none

   #@include common-auth

Which should look something like this:

.. code-block:: none

   # PAM configuration for the Secure Shell service

   auth sufficient pam_radius_auth.so

   # Standard Un*x authentication.
   #@include common-auth

   # Disallow non-root logins when /etc/nologin exists.
   account required pam_nologin.so

Restart the SSHD service:

.. code-block:: none

   sudo service ssh restart

Enable PAM RADIUS on all credential prompts in Ubuntu
=====================================================

This will affect sudo and desktop logins. Example login:

.. image:: images/Integration/RADIUS/Ubuntu/2020-12-09_17-07-18.gif

Open the pam.d common-auth config file for editing:

.. code-block:: none

   sudo vim /etc/pam.d/common-auth

Append the following line to the file:

.. code-block:: none

   auth required /usr/lib/security/pam_radius_auth.so

Known Issues
============

.. WARNING::
   In the above example, Two Stage RADIUS will transmit the password via UDP protocol with MD5 encoding. Also on the Linux host, PAM RADIUS has publicly known memory leak issues which may be considered a security risk.
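
The script below is an added example, not part of the original article: it audits the three files edited in the SSH steps above (sshd_config, /etc/pam.d/sshd and /etc/pam_radius_auth.conf) for the settings this article describes. The function names, the 0600 file-mode check and the sample files it builds are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example, not from the article: audit the three files edited above.
# Paths are arguments so the check can run against copies. Needs GNU stat.

audit_radius_login() {   # usage: audit_radius_login SSHD_CONFIG PAM_SSHD RADIUS_CONF
    local sshd_config=$1 pam_sshd=$2 radius_conf=$3 key mode host secret _rest

    # sshd must hand authentication to PAM and allow the challenge prompt.
    for key in ChallengeResponseAuthentication UsePAM; do
        grep -Eiq "^[[:space:]]*${key}[[:space:]]+yes([[:space:]]|\$)" "$sshd_config" ||
            echo "FAIL sshd_config: '${key} yes' is not set"
    done

    # The RADIUS module must be in the auth stack.
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+([^[:space:]]*/)?pam_radius_auth\.so' "$pam_sshd" ||
        echo "FAIL pam sshd: no 'auth sufficient pam_radius_auth.so' line"

    # With common-auth still included, a failed "sufficient" RADIUS check falls
    # through to the modules in common-auth (local passwords by default).
    grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$pam_sshd" &&
        echo "FAIL pam sshd: '@include common-auth' is still active"

    # Assumption (not an article step): the file holds the shared secret in
    # clear text, so only its owner should be able to read it.
    mode=$(stat -c '%a' "$radius_conf")
    [ "$mode" = 600 ] || echo "WARN radius conf: mode is $mode, expected 600"

    # Flag the article's sample secret if it was left in place.
    while read -r host secret _rest || [ -n "$host" ]; do
        case $host in ''|'#'*) continue ;; esac
        [ "$secret" = secret ] && echo "WARN radius conf: server $host uses the sample secret"
    done < "$radius_conf"
    return 0
}

# Constructed sample files mirroring the article's end state, for a dry run.
make_sample() {   # usage: make_sample DIR
    printf 'ChallengeResponseAuthentication yes\nUsePAM yes\n' > "$1/sshd_config"
    printf 'auth sufficient pam_radius_auth.so\n#@include common-auth\n' > "$1/sshd"
    printf '# SwivelServerIP Shared Secret Timeout\n192.168.209.35 secret 60\n' \
        > "$1/pam_radius_auth.conf"
    chmod 644 "$1/pam_radius_auth.conf"
}

tmp=$(mktemp -d) && make_sample "$tmp"
audit_radius_login "$tmp/sshd_config" "$tmp/sshd" "$tmp/pam_radius_auth.conf"
rm -rf "$tmp"
```

On a real host, call ``audit_radius_login /etc/ssh/sshd_config /etc/pam.d/sshd /etc/pam_radius_auth.conf`` as root; no output means every check passed.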