Skyhigh Security

Enforce RADIUS authentication using a pam-radius module

You can enforce RADIUS authentication for users who access Web Gateway remotely with SSH or run sudo commands in an unprivileged mode.

To enforce this authentication method, install the pam-radius module on Web Gateway and configure it as described below.

When this module is installed and configured, RADIUS authentication will be mandatory for users who attempt to do one of the following:

  • Log on to Web Gateway from a remote system console using SSH
  • Run sudo commands for Unprivileged Users from a system console

Installation and configuration of the module are completed using a local system console. After installing the module, check whether the pam_radius_auth.so system file has been created on Web Gateway.

For troubleshooting issues with SSH access, you can review the /var/log/secure system file on Web Gateway.

You can also add the -v parameter when running SSH to increase the output verbosity.

Install and configure a pam-radius module

You can install and configure a pam-radius module on Web Gateway to enforce RADIUS authentication for users when logging on to Web Gateway remotely with SSH or running sudo commands in an unprivileged mode.

Installing and configuring the module is provided as an option on Web Gateway and can be completed using a local system console.

  1. Log on to the Web Gateway appliance where you want to install and configure the pam-radius module.
  2. Run this command to install the module:
    yum install pam_radius
  3. Edit the /etc/pam_radius.conf system file to configure the server where the information for completing the RADIUS authentication method is stored.
    1. Comment out these lines:
      #127.0.0.1 secret 1
      #other-server other-secret 3
    2. Add information about the RADIUS server:
      <IP address of the RADIUS server> <shared secret> <timeout in seconds>
  4. Edit the /etc/pam.d/sshd system file to configure use of the RADIUS authentication method when logging on with SSH.
    1. Comment out this line:
      #auth substack password-auth
    2. Add this line to enforce RADIUS authentication:
      auth required pam_radius_auth.so
  5. Edit the /etc/pam.d/sudo system file to configure use of the RADIUS authentication method when running sudo commands in an unprivileged mode.
    1. Comment out this line:
      #auth include system-auth
    2. Add this line to enforce RADIUS authentication:
      auth required pam_radius_auth.so
  6. Create unprivileged users and enable them to run sudo commands.
    1. Run this command to create a user:
      useradd <user name>
    2. Add this line to the /etc/sudoers system file in order to enable a user to run sudo commands:
      <user name> ALL=(ALL) ALL
      NOTE: We recommend that you use the visudo command to edit this file.
  7. On the RADIUS server, add a user name and password to submit for authentication.
    The user name must be the same as the user name that you have configured in step 6a.
  8. On the local system console that is connected to Web Gateway, restart SSHD.
    service sshd restart

You have now enforced RADIUS authentication for users who connect to Web Gateway with SSH or run sudo commands in an unprivileged mode.
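A read-only check of the edits from steps 3 to 5, added here as an example (it is not Skyhigh Security's code). The function names, the ROOT prefix argument and the lib*/security module location are assumptions.

```shell
#!/bin/sh
# Added example: read-only audit of the edits made in steps 3 to 5.
# Usage: check_pam_radius [ROOT]  (ROOT is a hypothetical path prefix for
# checking copies of the files; leave it empty to check the live system).

# active PATTERN FILE: true if a line that is not commented out matches PATTERN.
active() { grep -Eq "^[[:space:]]*$1" "$2" 2>/dev/null; }

fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

# check_stack FILE OLD: FILE must require pam_radius_auth.so, and the line the
# procedure comments out (pattern OLD) must no longer be active.
check_stack() {
    if ! active 'auth[[:space:]]+required[[:space:]]+pam_radius_auth\.so' "$1"; then
        fail "$1: 'auth required pam_radius_auth.so' is missing"
    fi
    if active "$2" "$1"; then
        fail "$1: line that should be commented out is still active"
    fi
}

check_pam_radius() {
    root=${1:-}
    fails=0
    conf="$root/etc/pam_radius.conf"
    # Assumption: PAM modules are installed in a lib*/security directory.
    if [ -z "$(find "$root"/lib*/security "$root"/usr/lib*/security \
            -name pam_radius_auth.so 2>/dev/null)" ]; then
        fail "pam_radius_auth.so not found"
    fi
    # Step 3: sample entries disabled, a "<server> <secret> <timeout>" entry set.
    if active '(127\.0\.0\.1[[:space:]]+secret|other-server[[:space:]]+other-secret)' "$conf"; then
        fail "$conf: sample server entry is still active"
    fi
    if ! active '[^#[:space:]]+[[:space:]]+[^[:space:]]+[[:space:]]+[0-9]+' "$conf"; then
        fail "$conf: no RADIUS server entry found"
    fi
    # Steps 4 and 5: the sshd and sudo PAM stacks.
    check_stack "$root/etc/pam.d/sshd" 'auth[[:space:]]+substack[[:space:]]+password-auth'
    check_stack "$root/etc/pam.d/sudo" 'auth[[:space:]]+include[[:space:]]+system-auth'
    echo "$fails problem(s) found"
    [ "$fails" -eq 0 ]
}

# Check the live system only when asked to: sh check_pam_radius.sh --live
if [ "${1:-}" = "--live" ]; then check_pam_radius; fi
```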

To verify that the enforcement works:

  • Log on to Web Gateway from a remote system console with SSH.
    You should be prompted to authenticate under RADIUS.
  • On the remote system console that is connected to Web Gateway, run a sudo command as follows:
    sudo <command name>
    You should be prompted to authenticate under RADIUS.