This document provides instructions to implement multi-factor authentication to Ubuntu Linux with UPSSO RADIUS service.
To integrate UPSSO with the Ubuntu, below are the prerequisites we need.
Administrator access to UPSSO Portal.
Ubuntu Version 16.04 and higher
NETWORK DIAGRAM - UBUNTU MULTI-FACTOR AUTHENTICATION USING UPSSO RADIUS
Here's the diagram explaining the multi-factor authentication implementation for Ubuntu Linux using UPSSO RADIUS service.
User authenticated to the firewall using Ubuntu SSH.
Ubuntu sends an authentication request to the UPSSO Radius server.
UPSSO Radius server forwards the authentication request to the IDP server.
IDP server checks the authentication request with enterprise LDAP or UPSSO directory.
IDP sends the multi-factor token to be configured methods, like Google authenticator, SMS, or Email.
Radius receives authorization accept or reject method from the IDP server.
UPSSO Radius server confirms the Authentication request to the target device.
ADD RADIUS CLIENT IN UPSSO PORTAL
Login to the UPSSO portal.
Once logged in, go to Radius client Management Window.
3. Click on the new record to add a new client.
4. Enter the device name and IP address and secret for the device to authenticate with the RADIUS server—this secret used during the device radius configuration
CONFIGURING UBUNTU FOR RADIUS AUTHENTICATION
Install required libraries using the following command
sudo apt-get install libpam-radius-auth libpam0g-dev gcc
2. Edit the below file and ensure ChallengeResponseAuthentication yes is enabled and does not include a#
3. Make sure UsePAM set to yes
4. Edit the below file to enable authentication methods. Make sure the contents of the file as per the below screenshot.
At the beginning of the file, add the below line as per the below screenshot.
auth sufficient pam_radius_auth.so auth required pam_sepermit.so auth include password-auth
5. Edit the following file and add the Radius Server IP address and shared secret (created in the portal),
NOTE : radius server ip address , secret key and timout values shouldnt be left blank.
6. Make a directory for radius server DB by executing the below command.
7. Copy the pam_radius_auth.conf to server db
cp /etc/pam_radius_auth.conf /etc/raddb/server
8. Restart the ssh services.
service ssh restart
LOGIN USING MFA
Login to the server using your favorite ssh terminal.
2. Enter the username and password configured in the upsso portal.
3.Enter the MFA code received by email, SMS, or google authenticator.
4. Once authentication successful, you logged into the system.