Configuring Apple macOS (OS X), Linux or Solaris with Authlogics MFA

Background

Both macOS and Linux can authenticate against an Authlogics Authentication Server using the industry-standard RADIUS protocol by installing a Pluggable Authentication Module (PAM) RADIUS add-on. Various PAM add-ons are available from different vendors; this article details integration with the FreeRADIUS PAM module (pam_radius_auth).

Further background information on Pluggable Authentication Modules can be found here: https://www.linux.com/news/understanding-pam/ 

Installation Overview

The following installation process was performed on Apple macOS High Sierra (version 10.13.6). Other operating systems and versions may differ slightly in their configuration.

  1. Download, build and install the FreeRADIUS PAM module
  2. Configure the RADIUS PAM module to connect to the Authlogics Authentication Server via RADIUS
  3. Integrate the RADIUS PAM module into required login areas within the client OS, e.g. SSH or UI login

Step 1 - Downloading and Installing RADIUS PAM

  1. Download and extract the PAM Authentication and Accounting module (version 1.4.0 at time of writing). This is distributed as a gzipped tar file, e.g. pam_radius-release_1_4_0.tar.gz
  2. To build the .so library, open a Terminal window and run the following commands:
    ./configure
    make
  3. Copy the compiled library to the PAM folder:
    cp pam_radius_auth.so /usr/lib/pam
    NOTE: The copy may fail depending on the OS type and version. On macOS El Capitan and later, System Integrity Protection (SIP) prevents writing to protected parts of the OS, including the /usr folder, even when logged on as root. See the Apple documentation for details on how to disable SIP on macOS, and then try the copy again.

Step 2 - Configuring the RADIUS PAM client and server

  1. Create a server configuration file called server in /etc/raddb/. A template file is available; however, the required content is as follows:
    [radius-server]{:[port]} [shared-secret] [timeout]
    The :port entry is optional if a standard RADIUS port is being used. The timeout value is in seconds, e.g.:
    radius.server.com Pa55w0rd 10
  2. Follow the Authlogics Authentication Server Installation and Configuration Guide for instructions on how to configure the server side of the RADIUS setup.
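The server file format above, parsed and checked by a small script added here (not part of the article or of pam_radius_auth). It assumes the standard RADIUS authentication port 1812 when no :port is given, skips # comment lines, and flags a group- or world-readable file or a short shared secret such as the Pa55w0rd placeholder; the 16-character threshold is a constructed policy.

```python
# Added example (not from the article or pam_radius_auth): parse the
# /etc/raddb/server format and flag settings a reviewer would want changed.
# The file path is a parameter so the check can run against a test copy.
import os
import stat

DEFAULT_AUTH_PORT = 1812  # standard RADIUS authentication port
MIN_SECRET_LEN = 16       # constructed policy threshold, not a pam_radius_auth rule


def parse_server_line(line):
    """'[radius-server]{:[port]} [shared-secret] [timeout]' -> dict."""
    fields = line.split()
    if len(fields) != 3:
        raise ValueError(f"expected 3 fields, got {len(fields)}: {line!r}")
    host, secret, timeout = fields
    port = DEFAULT_AUTH_PORT
    if ":" in host:
        host, port_text = host.rsplit(":", 1)
        port = int(port_text)
    return {"host": host, "port": port, "secret": secret, "timeout": int(timeout)}


def check_server_file(path):
    """Return (servers, warnings) for a pam_radius_auth server file."""
    warnings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        # the file holds the shared secret; only root should be able to read it
        warnings.append(f"{path} is mode {mode:04o}; it should be root-only (0600)")
    servers = []
    with open(path) as f:
        for lineno, raw in enumerate(f, 1):
            line = raw.split("#", 1)[0].strip()  # comment lines are skipped
            if not line:
                continue
            entry = parse_server_line(line)
            if len(entry["secret"]) < MIN_SECRET_LEN:
                warnings.append(f"line {lineno}: shared secret shorter than {MIN_SECRET_LEN} characters")
            if entry["timeout"] <= 0:
                warnings.append(f"line {lineno}: timeout must be a positive number of seconds")
            servers.append(entry)
    if not servers:
        warnings.append(f"{path} defines no RADIUS server")
    return servers, warnings
```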

Step 3 - Integrate the RADIUS PAM client with OS logins

PAM modules may be integrated into various login types, e.g. OS login, sshd, su, sudo etc. The list of login types available for the target OS is located at /etc/pam.d/. Each file in the /etc/pam.d/ folder must be configured for PAM as required. Care must be taken when doing this, as different settings may be required for different components, and some may not need to be configured at all. Modify the appropriate file to integrate the RADIUS PAM module with a specific login type.

Common files to edit are:

File name                  Detail
/etc/pam.d/sshd            Secure Shell (SSH) logins. Ensure Remote Login is enabled in macOS System Preferences.
/etc/pam.d/sudo            sudo command line / terminal access.
/etc/pam.d/authorization   OS logon screen.
/etc/pam.d/screensaver     OS unlock screen.

Editing the files in the /etc/pam.d/ folder involves adding a new line that specifies under what conditions RADIUS PAM should be used, in the following format:

auth [control] /usr/lib/pam/pam_radius_auth.so [options]

Care should be taken to add the correct control value for the platform and login type. Details of each control and its behaviour are as follows:

  • required
    • All required modules in a file must pass for a successful result. If one or more of the required modules fail, all of the required modules in the file will be attempted, but the error from the first failed required module is returned.
  • requisite
    • Similar to required except that if a requisite module fails, no further modules in the file are processed and it immediately returns the first failure code from a required or requisite module.
  • sufficient
    • If a module flagged as sufficient succeeds and no previous required or sufficient modules have failed, all remaining modules in the file are ignored and success is returned.
  • optional
    • If none of the modules in the file are required and no sufficient modules have succeeded, then at least one optional module for the service must succeed. If another module in the file is successful, a failure in an optional module is ignored.

SUDO Sample

To add RADIUS PAM as a required authentication type to sudo, add the following line to the /etc/pam.d/sudo file on macOS:

auth required /usr/lib/pam/pam_radius_auth.so force_prompt prompt=Authlogics

[Screenshot: macOS-SUDO-MFA.png]

macOS Desktop Logon Sample

Note: Some options may not work with all logon types, for example, the prompt option does not work with macOS OS logon but it does for SUDO.

To add RADIUS PAM as a sufficient authentication type to macOS Desktop Logon, add the following line to the /etc/pam.d/authorization file on macOS:

auth sufficient /usr/lib/pam/pam_radius_auth.so
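A small model of the required/requisite/sufficient/optional rules described above, added here to compare the "required" sudo sample with the "sufficient" desktop logon sample; it is not code from the article or from pam_radius_auth. The two-module stacks, the local_password module name and the pass/fail outcomes are constructed for illustration.

```python
# Added example (not from the article or pam_radius_auth): a model of the
# PAM control semantics described above. Module names are constructed.

def evaluate_stack(stack, outcomes):
    """stack: list of (control, module); outcomes: module -> True/False.
    Returns (success, reason) per the control rules in the article."""
    first_required_failure = None
    saw_required = False
    saw_optional = optional_passed = False
    for control, module in stack:
        ok = outcomes[module]
        if control in ("required", "requisite"):
            saw_required = True
            if not ok and first_required_failure is None:
                first_required_failure = module
            if not ok and control == "requisite":
                # requisite: stop now, returning the first required/requisite failure
                return False, f"requisite {module} failed; returning failure of {first_required_failure}"
        elif control == "sufficient":
            # success ends the stack unless a required module already failed;
            # a failed sufficient module is simply passed over
            if ok and first_required_failure is None:
                return True, f"sufficient {module} succeeded; remaining modules skipped"
        elif control == "optional":
            saw_optional = True
            optional_passed = optional_passed or ok
        else:
            raise ValueError(f"unknown control {control!r}")
    if first_required_failure is not None:
        return False, f"required {first_required_failure} failed"
    if saw_required:
        return True, "all required modules passed"
    if saw_optional:
        return optional_passed, "no required/sufficient decision; optional result used"
    return False, "no module granted access"

# Constructed stacks modelled on the two samples, each followed by a local
# password module ("local_password" is a placeholder name, not a real module).
SUDO_STACK = [("required", "pam_radius_auth"), ("required", "local_password")]
LOGON_STACK = [("sufficient", "pam_radius_auth"), ("required", "local_password")]

def compare(radius_ok, password_ok):
    """(sudo result, desktop logon result) for one pair of module outcomes."""
    outcomes = {"pam_radius_auth": radius_ok, "local_password": password_ok}
    return (evaluate_stack(SUDO_STACK, outcomes)[0],
            evaluate_stack(LOGON_STACK, outcomes)[0])

if __name__ == "__main__":
    for radius_ok, password_ok in [(True, True), (False, True), (True, False)]:
        print(f"radius={radius_ok} password={password_ok} -> sudo/logon {compare(radius_ok, password_ok)}")
```

Running it shows the trade-off between the two samples: with required, a RADIUS reject blocks sudo regardless of the local password, whereas with sufficient a RADIUS reject falls through to the local password module and a RADIUS success alone completes the logon.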
