Authenticate User Login with Centralized RADIUS CLI Auth
With this feature, you can manage users for the UI and the OS centrally from the Accounts tab in the UI. SSH users are authenticated externally or locally at the OS, with external authentication (if configured) as the preferred mechanism. Currently, RADIUS is the only supported external authentication mechanism for SSH users. Before this feature, any SSH user configuration for local or external authentication was done through the command line. Now, the user and RADIUS configuration for the UI and SSH are managed centrally for an appliance or a cluster of appliances.
NOTE: If pam_radius auth was previously enforced using Enforce RADIUS authentication using a pam_radius module, Skyhigh recommends reverting those changes manually before configuring Centralized RADIUS auth.
Add an OS Administrator Account
To add an OS administrator account:
- Navigate to Accounts > Administrator Accounts.
- Under Internal Administrator Accounts, click Add.
The Add Administrator window opens.
- Add a username, password, and other settings for the account. For more information about these settings, see Administrator Accounts Settings.
- Under the OS account, perform the following:
- Select the Create checkbox.
This creates an OS account for the user. The username and the password are passed on to the CLI, and a user for SSH is created on all the appliances in the cluster.
- Select the Allow privileged functions (sudo) checkbox.
This enables sudo permissions for the created user.
- Click OK.
The window closes, and the new account appears in the accounts list.
- Click Save Changes.
Authenticate User Login with RADIUS Auth
To authenticate user login with RADIUS Auth:
- Navigate to Accounts > Enable Administrator accounts are managed externally > Authentication Server Details > Authentication Method.
- Set the Authentication method to Radius.
- Configure the following RADIUS-specific parameters:
- RADIUS server definition (as a string)
- Shared secret
- RADIUS connection timeout
This authenticates login for both UI and SSH users, provided an OS account is created for SSH users.
NOTE: The RADIUS authentication configured from the UI overwrites any manual command-line configuration performed for pam_radius auth for SSH access in /etc/pam.d/sshd and /etc/pam.d/sudo.
Troubleshoot RADIUS Auth
1) As usernames with spaces are not supported on Linux, do not create a username with spaces for the appliance. If you try, the user account is not created, and Incident 642 is reported.
2) Perform the following steps if RADIUS Auth or the fallback mechanism for SSH users fails:
- Check if the pam_radius module is already installed on MWG. If not, install it using the command: yum install pam_radius
- Check the configuration for the RADIUS server in /etc/pam_radius.conf
- Edit the /etc/pam.d/sshd system file to configure the RADIUS authentication method as the priority when logging on with SSH.
Place this line: auth sufficient pam_radius_auth.so
above this line: auth substack password-auth
- Edit the /etc/pam.d/sudo system file to configure the use of the RADIUS authentication method when running sudo commands in an unprivileged mode.
Place this line: auth sufficient pam_radius_auth.so
above this line: auth include system-auth
- If any changes were made, restart the SSHD service: service sshd restart
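The ordering required by the two PAM edits above (the pam_radius line placed above the local fallback entry) is easy to get wrong by hand. The following POSIX shell check is an added example, not part of the Skyhigh documentation or product: it parses a PAM service file and reports whether pam_radius_auth.so is configured as sufficient and sits above the fallback line. The sample files it writes are constructed; on an appliance you would run the check against /etc/pam.d/sshd (fallback: substack password-auth) and /etc/pam.d/sudo (fallback: include system-auth).

```shell
#!/bin/sh
# Added example, not Skyhigh tooling: check that a PAM service file lists
# "auth sufficient pam_radius_auth.so" ABOVE the local fallback entry
# ("auth substack password-auth" in /etc/pam.d/sshd, "auth include system-auth"
# in /etc/pam.d/sudo). Exit status 0 = correct order, 1 = missing or misplaced.

# Print only the "auth" entries of a PAM file, with comments stripped.
pam_auth_entries() {
    sed -e 's/#.*//' "$1" | awk '$1 == "auth" { print }'
}

# check_pam_radius_order <pam-file> <fallback-control> <fallback-module>
check_pam_radius_order() {
    file=$1; fb_ctrl=$2; fb_mod=$3
    entries=$(pam_auth_entries "$file")
    # 1-based position of each line among the auth entries (empty if absent);
    # the RADIUS module is matched by basename so a full path is accepted too.
    radius_pos=$(printf '%s\n' "$entries" |
        awk '$2 == "sufficient" && $3 ~ /(^|\/)pam_radius_auth\.so$/ { print NR; exit }')
    fallback_pos=$(printf '%s\n' "$entries" |
        awk -v c="$fb_ctrl" -v m="$fb_mod" '$2 == c && $3 == m { print NR; exit }')
    [ -n "$radius_pos" ] || { echo "$file: no 'auth sufficient pam_radius_auth.so'" >&2; return 1; }
    [ -n "$fallback_pos" ] || { echo "$file: no 'auth $fb_ctrl $fb_mod' entry" >&2; return 1; }
    if [ "$radius_pos" -lt "$fallback_pos" ]; then
        echo "$file: OK (RADIUS is auth entry $radius_pos, fallback is entry $fallback_pos)"
        return 0
    fi
    echo "$file: pam_radius_auth.so must be placed above 'auth $fb_ctrl $fb_mod'" >&2
    return 1
}

# Constructed sample files standing in for /etc/pam.d/sshd: "good" has the
# RADIUS line above the fallback, "bad" has it below.
write_sample_sshd() {   # write_sample_sshd <path> good|bad
    if [ "$2" = good ]; then
        printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_radius_auth.so' \
            'auth substack password-auth' 'account required pam_nologin.so' > "$1"
    else
        printf '%s\n' '#%PAM-1.0' 'auth substack password-auth' \
            'auth sufficient pam_radius_auth.so' 'account required pam_nologin.so' > "$1"
    fi
}

# Demonstration on the samples; on an appliance run the check against the real files.
demo_dir=$(mktemp -d)
write_sample_sshd "$demo_dir/sshd.good" good; write_sample_sshd "$demo_dir/sshd.bad" bad
check_pam_radius_order "$demo_dir/sshd.good" substack password-auth || :
check_pam_radius_order "$demo_dir/sshd.bad" substack password-auth || :
rm -rf "$demo_dir"
```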
Special Cases
If there is no associated RADIUS configuration, or if RADIUS Auth fails, the failover authentication mechanism is local authentication.
The following Incident IDs were added as part of this feature:
- 642: SEVERITY: ERROR: Reported when a username format is not supported by Linux, for example, usernames with spaces.
- 644: SEVERITY: ERROR: Reported when a user deletion is not possible due to any error other than those covered by incidents 643 and 641. The account is locked because the UI issued a deletion for the account.
- 640: SEVERITY: WARNING: Reported when a username already exists on the appliance and the same username is configured via the UI; the password is updated, and a warning is reported.
- 641: SEVERITY: WARNING: Reported when a username was already deleted from the appliance (possibly through the command line) and a delete for the same user is triggered from the UI; a warning is reported, and the password is removed if that was not already done through the command line.
- 643: SEVERITY: WARNING: Reported when a user is currently logged in and a delete is attempted from the UI; the user's current active sessions are terminated, and the user is deleted. A warning regarding the session termination is reported.