INTRODUCTION

This document provides instructions for implementing multi-factor authentication on Ubuntu Linux with the UPSSO RADIUS service.

PREREQUISITES

The following prerequisites are needed to integrate UPSSO with Ubuntu.

  • Administrator access to UPSSO Portal.

  • Ubuntu version 16.04 or higher.

NETWORK DIAGRAM - UBUNTU MULTI-FACTOR AUTHENTICATION USING UPSSO RADIUS

Here's the diagram explaining the multi-factor authentication implementation for Ubuntu Linux using UPSSO RADIUS service.

  1. The user authenticates to the firewall using Ubuntu SSH.

  2. Ubuntu sends an authentication request to the UPSSO RADIUS server.

  3. The UPSSO RADIUS server forwards the authentication request to the IDP server.

  4. The IDP server checks the authentication request against the enterprise LDAP or UPSSO directory.

  5. The IDP sends the multi-factor token to the configured methods, such as Google Authenticator, SMS, or email.

  6. The RADIUS server receives the authorization accept or reject message from the IDP server.

  7. The UPSSO RADIUS server confirms the authentication request to the target device.

ADD RADIUS CLIENT IN UPSSO PORTAL

  1. Log in to the UPSSO portal.

  2. Once logged in, go to the RADIUS Client Management window.

  3. Click on the new record to add a new client.

  4. Enter the device name, the IP address, and the secret the device will use to authenticate with the RADIUS server. This secret is used during the device's RADIUS configuration.

CONFIGURING UBUNTU FOR RADIUS AUTHENTICATION

  1. Install the required libraries using the following command:

sudo apt-get install libpam-radius-auth libpam0g-dev gcc

  2. Edit the file below and ensure the line ChallengeResponseAuthentication yes is present and is not commented out with a leading #.

vi /etc/ssh/sshd_config

  3. Make sure UsePAM is set to yes.

  4. Edit the file below to enable the authentication methods. Make sure the contents of the file match the screenshot below.

vi /etc/pam.d/sshd

At the beginning of the file, add the lines below, as shown in the screenshot.

auth    sufficient  pam_radius_auth.so
auth    required    pam_sepermit.so
auth    include     password-auth

  5. Edit the following file and add the RADIUS server IP address and the shared secret (created in the portal).

 vi /etc/pam_radius_auth.conf

NOTE: The RADIUS server IP address, secret key, and timeout values must not be left blank.

  6. Create a directory for the RADIUS server DB by executing the command below.

mkdir /etc/raddb

  7. Copy pam_radius_auth.conf to the server DB.

cp /etc/pam_radius_auth.conf /etc/raddb/server

  8. Restart the SSH service.

service ssh restart
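
The following script is an added example, not part of the original guide or of UPSSO's tooling: it audits the files edited in steps 2 to 5 so a misconfiguration is caught before SSH is restarted. The function names, the root-prefix argument, and the sample values are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: audit the files edited in steps 2-5 of this guide.
# $1 is a root prefix (an assumption of this example): "/" for the live host.
check_radius_mfa() {
    local root="${1%/}" problems=0 key first_auth perms
    local sshd="$root/etc/ssh/sshd_config" pam="$root/etc/pam.d/sshd"
    local conf="$root/etc/pam_radius_auth.conf"
    # Steps 2-3: sshd honours the first uncommented occurrence of a keyword.
    for key in challengeresponseauthentication usepam; do
        if ! awk -v k="$key" 'tolower($1) == k { f = 1; ok = (tolower($2) == "yes"); exit }
                END { exit !(f && ok) }' "$sshd" 2>/dev/null; then
            echo "FAIL: $key is not set to yes in $sshd"; problems=$((problems + 1))
        fi
    done
    # Step 4: pam_radius_auth.so must be the first active auth line. Note that
    # "sufficient" lets a RADIUS failure fall through to the modules below it.
    first_auth=$(grep -E '^[[:space:]]*auth[[:space:]]' "$pam" 2>/dev/null | head -n 1)
    case "$first_auth" in
        *pam_radius_auth.so*) ;;
        *) echo "FAIL: first auth line in $pam is not pam_radius_auth.so"
           problems=$((problems + 1)) ;;
    esac
    # Step 5: one active line must carry server, secret and numeric timeout.
    if ! awk '$1 !~ /^#/ && NF >= 3 && $3 ~ /^[0-9]+$/ { ok = 1 }
              END { exit !ok }' "$conf" 2>/dev/null; then
        echo "FAIL: no complete 'server secret timeout' line in $conf"
        problems=$((problems + 1))
    fi
    # The file holds the shared secret, so group and other get no access.
    if [ -e "$conf" ]; then
        perms=$(ls -ld "$conf" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "FAIL: $conf is accessible to group/other ($perms)"
            problems=$((problems + 1))
        fi
    fi
    return "$problems"
}
# Constructed sample tree (all values made up) with a passing configuration.
make_sample() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/etc/ssh" "$t/etc/pam.d"
    printf 'ChallengeResponseAuthentication yes\nUsePAM yes\n' > "$t/etc/ssh/sshd_config"
    printf 'auth sufficient pam_radius_auth.so\n' > "$t/etc/pam.d/sshd"
    printf '192.0.2.10 constructed-secret 3\n' > "$t/etc/pam_radius_auth.conf"
    chmod 600 "$t/etc/pam_radius_auth.conf"
    echo "$t"
}
check_radius_mfa "${1:-$(make_sample)}" && echo "OK: RADIUS MFA files look consistent"
```

On OpenSSH releases that name this option KbdInteractiveAuthentication (ChallengeResponseAuthentication remains as a deprecated alias), confirm the effective value with sshd -T.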

LOGIN USING MFA

  1. Log in to the server using your favorite SSH terminal.

  2. Enter the username and password configured in the UPSSO portal.

  3. Enter the MFA code received by email, SMS, or Google Authenticator.

  4. Once authentication is successful, you are logged in to the system.