RADIUS Authentication for Ubuntu

May 23, 2023 - Alex Roland

Configuring RADIUS on Ubuntu is not too difficult and can be accomplished in a few minutes, especially when using the 'sed' command. There are several files that need to be modified and just one package will need to be downloaded, which is libpam-radius-auth. Here is the list of files we will be updating after installing libpam-radius-auth:

  • /etc/pam_radius_auth.conf
  • /etc/raddb/server
  • /etc/pam.d/login
  • /etc/pam.d/sshd
  • /etc/pam.d/sudo
  • /etc/pam.d/common-auth

The first thing we need to do is install the libpam-radius-auth package:

    sudo apt update
    sudo apt install libpam-radius-auth

Next we need to add our RADIUS server to the /etc/pam_radius_auth.conf file. Replace the IP, secret, and timeout with your own values. The second and third lines clean up the file by removing the default entries:

    sudo sed -i 's/^127\..*/10.2.50.60                 radius_secret  5/g' /etc/pam_radius_auth.conf
    sudo sed -i '/^other.*/d' /etc/pam_radius_auth.conf
    sudo sed -i '/^\[2.*/d' /etc/pam_radius_auth.conf

The /etc/pam_radius_auth.conf file is not actually read on boot for the RADIUS configuration. By default, the module looks for the file /etc/raddb/server. Here we create that directory and copy pam_radius_auth.conf to server:

    sudo mkdir -p /etc/raddb
    sudo cp /etc/pam_radius_auth.conf /etc/raddb/server

These next several lines update the pam.d files that are used for the different authentication pieces:

    sudo sed -i '/auth\s*optional\s*pam_faildelay.so\s*delay=3000000/a auth       sufficient pam_radius_auth.so' /etc/pam.d/login
    sudo sed -i '/@include\s*common-auth/i auth sufficient pam_radius_auth.so' /etc/pam.d/sshd
    sudo sed -i '/@include\s*common-auth/i auth sufficient pam_radius_auth.so' /etc/pam.d/sudo
    sudo sed -i 's/nullok/nullok_secure try_first_pass/g' /etc/pam.d/common-auth

The last piece on the Ubuntu side is to add your user account that will be authenticating with RADIUS. Optionally, you can allow the account to use sudo:

    sudo useradd -m test_user -s /bin/bash
    sudo usermod -aG sudo test_user

That does it for the Ubuntu config, but don't forget to update your RADIUS server to have the Ubuntu server as a RADIUS client with the proper network policies in place. Also, to be extra cautious, you might want to keep your current session active while testing the new account just in case you need to modify anything that might be misconfigured. Local authentication should still work with this configuration, but it wouldn't hurt to make sure everything works before logging out, at least for the first time configuring RADIUS auth.
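
As an added example (not part of the original post), the script below checks the result of the edits above: that the pam_radius_auth.so line really sits ahead of @include common-auth, and that the server file, which holds the shared secret, is not readable by group or others. The function names are hypothetical, the sample files are constructed, and GNU stat (as shipped on Ubuntu) is assumed.

```shell
#!/usr/bin/env bash
# Added example: post-edit checks for the files this walkthrough touches.
# sed -i exits 0 even when its pattern matched nothing, so verify the result.

# True if an active "auth sufficient pam_radius_auth.so" line precedes the
# first "@include common-auth" line in the PAM service file $1.
radius_before_common_auth() {
    awk '
        /^[ \t]*auth[ \t]+sufficient[ \t]+pam_radius_auth\.so/ { if (!r) r = NR }
        /^[ \t]*@include[ \t]+common-auth/ { if (!c) c = NR }
        END { exit !(r && c && r < c) }
    ' "$1"
}

# True if $1 has no group/other permission bits (it holds the shared secret)
# and contains at least one non-comment "server secret [timeout]" line.
secret_file_ok() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1      # GNU stat, as on Ubuntu
    case "$mode" in *00) ;; *) return 1 ;; esac
    awk '!/^[ \t]*(#|$)/ && NF >= 2 { ok = 1 } END { exit !ok }' "$1"
}

# Constructed sample files (not real configuration) to exercise the checks.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# PAM configuration for sshd' \
    'auth sufficient pam_radius_auth.so' '@include common-auth' > "$demo/sshd_ok"
printf '%s\n' '@include common-auth' 'account required pam_nologin.so' > "$demo/sshd_unpatched"
printf '%s\n' '# server[:port] shared_secret timeout (s)' \
    '10.2.50.60                 radius_secret  5' > "$demo/server"

chmod 644 "$demo/server"
for f in sshd_ok sshd_unpatched; do
    radius_before_common_auth "$demo/$f" && echo "$f: RADIUS line in place" \
        || echo "$f: RADIUS line missing or after common-auth"
done
secret_file_ok "$demo/server" && echo "server (0644): ok" || echo "server (0644): too permissive"
chmod 600 "$demo/server"
secret_file_ok "$demo/server" && echo "server (0600): ok" || echo "server (0600): too permissive"
```

On the configured host, call the two functions as root against the edited pam.d files and /etc/raddb/server instead of the sample files.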