RADIUS authentication

Status
Not open for further replies.

fatticus

Dabbler
Joined
Nov 9, 2012
Messages
11
Is there any support for RADIUS authentication coming down the pipe?

Anyone heard anything? Can't seem to find much info on this.

Thanks!
 

dlavigne

Guest
Please create a feature request at bugs.freenas.org and post the issue number here.
 

koendb

Cadet
Joined
Jan 15, 2016
Messages
7
An old thread, I know, but I am in the process of setting up a few NAS boxes at work and our policy requires ssh to be protected with 2-factor authentication.
Therefore I quickly installed a FreeNAS VM today to test-drive it before committing ourselves to FreeNAS.

Our 2-factor authentication is done via RADIUS and LinOTP to generate the TOTP codes, using the Google Authenticator mobile app.
Users are authenticated via Active Directory (Samba4 PDCs).
So I needed to get RADIUS auth working for SSH. Here's how I got it working in about 30 minutes (if you already have a running jail, it will be considerably less :) )

EDIT: I forgot to mention, I did this on a FreeNAS-9.3-STABLE-201602031011 build :smile:
  1. From the FreeNAS GUI, create a new jail (Menu -> Jails) and click the "Add Jail" button.
    This will take a while.
  2. Select the newly created jail and open a shell to it.
  3. Install gcc and wget
    Code:
    pkg install gcc wget
  4. Download the freeradius pam module source, unpack it and change directory to the pam_radius directory.
    Code:
    wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.4.0.tar.gz
    tar -zxvf pam_radius-1.4.0.tar.gz
    cd pam_radius-1.4.0
  5. One line of code needs to be changed in order for pam_radius to compile on FreeBSD.
  6. Open the file src/pam_radius_auth.h and replace the line
    Code:
    #include <utmp.h>

    with
    Code:
    #include <utmpx.h>
  7. Once saved, configure and run make
    Code:
    ./configure
    make
  8. Scp the pam module file (pam_radius_auth.so) to your FreeNAS box.
    Code:
    scp pam_radius_auth.so <IP OF YOUR freeNAS Box>:/var/tmp/
  9. Ssh into your FreeNAS box and move the file from /var/tmp to /usr/lib
    Code:
    mv /var/tmp/pam_radius_auth.so  /usr/lib/
  10. Create the directory /etc/raddb
    Code:
    mkdir /etc/raddb
  11. Create the file /etc/raddb/server.
    This file should contain a list of RADIUS servers, with their shared secret and a timeout:
    Code:
    # Server secret timeout
    172.25.1.2 MySecret 3
    172.25.1.3 MySecret 3

    Code:
    chmod 600 /etc/raddb/server
  12. Before actually changing the PAM entry for the ssh daemon, test it first with, for example, sudo.
  13. In /etc/pam.d/sudo, insert the line
    auth required pam_radius_auth.so force_prompt prompt=Token conf=/etc/raddb/server
    before the line that reads
    auth sufficient pam_opie.so no_warn no_fake_prompts
    The force_prompt is not needed if you don't use RADIUS for 2-factor authentication.
    For the complete list of parameters, please check http://freeradius.org/pam_radius_auth/
  14. As a regular user (make sure RADIUS knows this user too!), try to sudo.
  15. If you manage to get sudo working with RADIUS authentication, let's try ssh.
  16. Just repeat step 13 for the file /etc/pam.d/sshd
    If you don't need 2-factor authentication with RADIUS, then I think that is all you need to enable RADIUS auth on sshd.
  17. If you need 2-factor authentication, you need to tell sshd to use a challenge/response authentication.
  18. In the FreeNAS admin GUI, go to Services -> Control Services and open the ssh settings (click on the wrench icon next to the SSH service).
  19. Click on 'Advanced Mode' and in the "Extra Options" text area, enter the following:
    ChallengeResponseAuthentication yes
  20. Restart the SSHD service.
  21. You should now have working RADIUS authentication for SSH.
  22. You can now delete the jail created in the first step if you want to.
 
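The two hand-edited pieces of the recipe above (the /etc/raddb/server list from step 11 and the pam.d insertion from step 13) are the parts most likely to go wrong silently: a world-readable server file leaks the shared secret, and a pam_radius_auth line placed after pam_opie never gets consulted. The script below is an added example, not koendb's or the FreeNAS project's code; it builds both pieces in a scratch directory so the result can be inspected before anything under /etc is touched. The "host:secret:timeout" argument format, the sample pam.d content and the addresses are constructed for the example; the pam_radius_auth options and the pam_opie anchor line are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the pam_radius
# server list and inserts the PAM auth line, then verifies both. All paths
# below are scratch placeholders; point them at /etc/raddb and /etc/pam.d
# only once the output looks right.
set -eu

# Step 11: write "host secret timeout" lines. The file is created with
# umask 077 inside a subshell so it is never readable by others, not even
# for an instant, and chmod 600 afterwards as the post does.
# Entries use a constructed "host:secret:timeout" format (IPv4 only here).
write_radius_server_conf() {
    conf="$1"; shift
    mkdir -p "$(dirname "$conf")"
    (
        umask 077
        {
            echo "# Server secret timeout"
            for entry in "$@"; do
                host=${entry%%:*}; rest=${entry#*:}
                secret=${rest%%:*}; timeout=${rest#*:}
                echo "$host $secret $timeout"
            done
        } > "$conf"
    )
    chmod 600 "$conf"
}

# Step 13: insert the pam_radius_auth line immediately before the first
# pam_opie.so line. Idempotent (a file that already has the line is left
# alone) and refuses to touch a file that has no pam_opie anchor, so a
# typo in the path cannot append the line somewhere it would never run.
insert_pam_radius_line() {
    pamfile="$1"; serverconf="$2"
    line="auth required pam_radius_auth.so force_prompt prompt=Token conf=$serverconf"
    if grep -qF "pam_radius_auth.so" "$pamfile"; then
        return 0
    fi
    if ! grep -q "pam_opie.so" "$pamfile"; then
        echo "no pam_opie.so line in $pamfile; not modifying" >&2
        return 1
    fi
    tmp="$pamfile.tmp.$$"
    awk -v ins="$line" '
        !done && /pam_opie\.so/ { print ins; done = 1 }
        { print }
    ' "$pamfile" > "$tmp"
    mv "$tmp" "$pamfile"
}

# Check: the radius line must precede pam_opie, otherwise pam_opie's
# "sufficient" result short-circuits the stack and RADIUS is never asked.
pam_radius_precedes_opie() {
    r=$(grep -n "pam_radius_auth.so" "$1" | head -1 | cut -d: -f1)
    o=$(grep -n "pam_opie.so" "$1" | head -1 | cut -d: -f1)
    [ -n "$r" ] && [ -n "$o" ] && [ "$r" -lt "$o" ]
}

# --- demo on a scratch copy (constructed sample, not a real /etc/pam.d/sudo) ---
demo_dir=$(mktemp -d)
demo_pam="$demo_dir/sudo"
cat > "$demo_pam" <<'EOF'
# constructed sample resembling FreeBSD's /etc/pam.d/sudo auth section
auth    sufficient  pam_opie.so         no_warn no_fake_prompts
auth    requisite   pam_opieaccess.so   no_warn allow_local
auth    required    pam_unix.so         no_warn try_first_pass
EOF
write_radius_server_conf "$demo_dir/raddb/server" \
    "172.25.1.2:MySecret:3" "172.25.1.3:MySecret:3"
insert_pam_radius_line "$demo_pam" "$demo_dir/raddb/server"
pam_radius_precedes_opie "$demo_pam" && echo "pam order OK"
ls -l "$demo_dir/raddb/server" | cut -c1-10      # mode string of the secret file
cat "$demo_pam"
```

Run it as-is to see the generated files; to apply the same edit to /etc/pam.d/sshd (step 16), call insert_pam_radius_line on that file with conf=/etc/raddb/server and keep a root shell open until a fresh ssh login has been confirmed to prompt for the token.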

BigDave

FreeNAS Enthusiast
Joined
Oct 6, 2013
Messages
2,479
If you make a small edit and give the version of FreeNAS you configured this in
(I may have missed reading it; if I did, please ignore me :oops:),
this may end up stickied in the jails/plug-ins section of the forum. Good job!
 