INTRODUCTION

This document provides instructions to configure multi-factor authentication (MFA) for SSH logins to a RedHat Linux server using the UPSSO Radius service.

PREREQUISITES

To integrate UPSSO with RedHat, the following prerequisites are needed.

  • Administrator access to UPSSO Portal.

  • RedHat Enterprise Linux version 6.x or higher

REDHAT MULTI-FACTOR AUTHENTICATION USING UPSSO NETWORK DIAGRAM

  1. The user starts an SSH login to the RedHat server.

  2. RedHat (through the PAM RADIUS module) sends an authentication request to the UPSSO Radius server.

  3. The UPSSO Radius server forwards the authentication request to the IDP server.

  4. The IDP server validates the credentials against the enterprise LDAP or the UPSSO directory.

  5. The IDP sends the multi-factor token through the method configured for the user, such as Google Authenticator, SMS, or email.

  6. The Radius server receives the accept or reject decision from the IDP server.

  7. The UPSSO Radius server returns the authentication result to the target device.

ADD RADIUS CLIENT IN UPSSO PORTAL

  1. Log in to the UPSSO portal.

  2. Once logged in, go to the Radius clients section.

  3. Click on New record to add a new client.

  4. Enter the device name, its IP address, and the shared secret the device will use to authenticate to the RADIUS server. Keep this secret at hand: it is entered again in the RedHat radius configuration below (/etc/raddb/server).

CONFIGURING REDHAT FOR RADIUS AUTHENTICATION

  1. Install the required build tools and PAM development headers using the following command.

sudo yum install gcc pam pam-devel make -y
CODE

2. Download and build the pam_radius module (the PAM RADIUS client from the FreeRADIUS project) with the following commands.

cd /usr/src
sudo yum install wget
sudo wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.4.0.tar.gz
sudo tar xvzf pam_radius-1.4.0.tar.gz 
cd pam_radius-1.4.0
sudo ./configure
sudo make
CODE

3. Identify the Linux architecture with the following command: i386 and i686 are 32-bit, x86_64 is 64-bit.

uname -m
CODE

4. On a 32-bit operating system, copy the built module with the following command.

sudo cp pam_radius_auth.so /lib/security/
CODE

5. On a 64-bit operating system, copy the built module with the following command.

sudo cp pam_radius_auth.so /lib64/security/
CODE

6. Edit the file below and make sure it contains the line ChallengeResponseAuthentication yes, not commented out with a leading #. This setting allows sshd to prompt for the MFA code after the password.

sudo vim /etc/ssh/sshd_config
CODE

7. In the same file, make sure UsePAM yes is set.

8. Edit the file below to enable RADIUS authentication in the sshd PAM stack.

sudo vim /etc/pam.d/sshd
CODE

Replace the auth line that pulls in the local password stack (on RedHat, the auth line referencing password-auth) with the line below, so that user authentication is sent to the radius server. Adjust the control flag (for example sufficient instead of required) according to your organization's authentication flow: with required, a user rejected by UPSSO cannot log in even with a valid local password, and no password login at all is possible while the Radius server is unreachable, so keep a root session open until the new setup has been verified.

auth            required                    pam_radius_auth.so
CODE

9. Create a directory to store the radius server configuration using the following command.

sudo mkdir /etc/raddb
CODE

10. Create a new file using the below command.

sudo vim /etc/raddb/server
CODE

11. Add the contents below, one server per line in the format server[:port] secret timeout. Replace the server IP with your UPSSO Radius server IP and the secret with the one created in the UPSSO portal (use a long random secret, not a short value like the 123 shown). The timeout is in seconds; 60 gives the user time to enter the MFA code. Because the file contains the shared secret, restrict it to root with sudo chmod 600 /etc/raddb/server.

#Server         Secret    Timeout
192.168.4.113    123     60
CODE

12. Create a local user on the Linux server with the same username as the account in the UPSSO portal; sshd still needs a local account to open the session.

13. Set a strong password for the user; however, this password will not be used during the SSH authentication process, since the password and MFA check are handled by the Radius server.

14. Restart the ssh service using the following command (on RedHat 6, which has no systemctl, use service sshd restart instead).

sudo systemctl restart sshd
CODE
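The RedHat configuration steps above (module copy, sshd_config, PAM stack, /etc/raddb/server, local user, restart) collected into one idempotent script. This is an added example and not part of the UPSSO guide: the function names, the 192.168.4.113 address, the secret and the username are placeholders, and it assumes pam_radius_auth.so has already been built in the current directory as in step 2.

```bash
#!/usr/bin/env bash
# Added example, not part of the UPSSO guide: the RedHat configuration steps as
# idempotent shell functions. The RADIUS IP, shared secret and username given to
# main() are placeholders; pam_radius_auth.so is assumed to be built already (step 2).
set -euo pipefail

# Steps 3-5: map `uname -m` output to the PAM module directory.
pam_security_dir() {
    case "$1" in
        x86_64)    echo /lib64/security ;;
        i386|i686) echo /lib/security ;;
        *) echo "unknown architecture: $1" >&2; return 1 ;;
    esac
}

# Steps 6-7: set "key value" in an sshd_config file, replacing any existing
# (possibly commented-out) occurrence, or appending it if the key is absent.
set_sshd_option() {
    local file=$1 key=$2 value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -i -E "s@^[#[:space:]]*${key}[[:space:]].*@${key} ${value}@" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Step 8: replace the local password stack in /etc/pam.d/sshd with pam_radius_auth.
# "required" means a user rejected by UPSSO cannot log in even with a valid local
# password, and that no password login works while the RADIUS server is unreachable.
enable_pam_radius() {
    local pamfile=$1 radius_line='auth       required     pam_radius_auth.so'
    local local_auth='^auth[[:space:]]+(include|substack)[[:space:]]+password-auth'
    grep -q 'pam_radius_auth.so' "$pamfile" && return 0          # already configured
    grep -Eq "$local_auth" "$pamfile" ||
        { echo "no password-auth line in $pamfile; edit it by hand" >&2; return 1; }
    cp -p "$pamfile" "${pamfile}.bak"                             # keep a rollback copy
    awk -v line="$radius_line" -v re="$local_auth" \
        '!done && $0 ~ re { print line; done = 1; next } { print }' \
        "$pamfile" > "${pamfile}.tmp" && mv "${pamfile}.tmp" "$pamfile"
}

# Steps 9-11: write the pam_radius server file. It holds the shared secret, so it is
# created root-only (0600). A 60 s timeout leaves time to type the MFA code.
write_radius_server_conf() {
    local file=$1 server=$2 secret=$3 timeout=${4:-60}
    install -d -m 0755 "$(dirname "$file")"
    ( umask 077; printf '# server[:port]\tsecret\ttimeout\n%s\t%s\t%s\n' \
        "$server" "$secret" "$timeout" > "$file" )
    chmod 0600 "$file"
}

# Steps 12-14 plus the module copy, applied to the live system. Must run as root.
main() {
    local radius_ip=${1:?usage: main <radius-ip> <shared-secret> <username>}
    local secret=${2:?missing shared secret} user=${3:?missing username}
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    install -m 0755 pam_radius_auth.so "$(pam_security_dir "$(uname -m)")/"
    set_sshd_option /etc/ssh/sshd_config ChallengeResponseAuthentication yes
    set_sshd_option /etc/ssh/sshd_config UsePAM yes
    enable_pam_radius /etc/pam.d/sshd
    write_radius_server_conf /etc/raddb/server "$radius_ip" "$secret" 60
    # The local account must exist with the same name as the UPSSO user (step 12).
    id "$user" >/dev/null 2>&1 || useradd "$user"
    sshd -t                                  # refuse to restart on a broken sshd_config
    if command -v systemctl >/dev/null 2>&1; then systemctl restart sshd
    else service sshd restart; fi             # RedHat 6 has no systemctl
}

# Nothing is changed unless UPSSO_APPLY=1, so the file can be sourced for testing.
if [ "${UPSSO_APPLY:-0}" = 1 ]; then main "$@"; fi
```

To apply it on a host, run it as root with UPSSO_APPLY=1 ./upsso_radius.sh 192.168.4.113 '<shared-secret>' '<username>' (placeholder file name and values), from the directory where pam_radius_auth.so was built. The sshd -t check stops the restart if sshd_config is syntactically broken, but it does not test the RADIUS path itself, so verify the login from a second session while the current root session stays open.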

LOGIN USING MFA

  1. Log in to the server using your preferred SSH client.

2. Enter the username and the password configured in the UPSSO portal.

3. Enter the MFA code received by email, SMS, or Google Authenticator.

4. Once authentication succeeds, you are logged into the system.