
How do I configure Tectia Server on Linux to authenticate users with a username and password followed by a one-time MobileID pin?

asked Sep 17 '10 at 11:57


Ville Laurikari ♦


Using Radius/PAM

One easy way to do this on Linux (and Unix) is by using Radius PAM. This is easy to configure, especially if your Linux distribution already has pam_radius support. The disadvantage of this approach is that, even though your radius server (in this case the MobileID server) can be configured to authenticate accounts against LDAP or AD, it still requires that local accounts exist on the local machine.

Prerequisites

  • MobileID Server already configured

    These instructions focus on configuring Tectia Server and assume that the MobileID server is already configured for Radius authentication.

  • Radius PAM module installed

    These instructions assume that you have already configured the radius server on the Linux host to forward radius authentication requests to the MobileID server. (For these instructions I used pam_radius-1.3.16-218.1 on a SuSE 11.2 host.)

Steps

  1. Configure PAM to use pam_radius

    This can be done by creating a PAM configuration file for MobileID under /etc/pam.d and naming it mobileid, i.e. /etc/pam.d/mobileid with the following contents:

    auth       required    pam_radius_auth.so debug
    account    required    pam_permit.so debug
    session    required    pam_loginuid.so debug
    
  2. Configure Tectia Server to use PAM only for authentication

    Next, configure Tectia Server to use the PAM service name that we just defined in the previous step and only allow the keyboard-interactive submethod-pam. Example snippet from the Tectia Server configuration:

    <authentication-methods login-grace-time="600">
      <!-- Only allow mobileid authentication! -->
      <authentication name="mobileid-auth">
        <auth-keyboard-interactive>
          <submethod-pam service-name="mobileid"/>
        </auth-keyboard-interactive>
      </authentication>
    </authentication-methods>
    

That's it; you should now be able to authenticate to the server using keyboard-interactive authentication.

The keyboard-interactive submethod on the server will then use Radius to authenticate against the MobileID server using the password and then provide the challenge using an SMS one-time PIN. Login will be allowed upon successful authentication of both the password and the PIN.


answered Sep 28 '10 at 12:55


Roman ♦♦

Starting from Tectia Server 6.1.X, you can configure Tectia Server to use submethod-radius, and you don't need to use PAM. Example Tectia Server radius authentication configuration:

    <authentication name="authentication">
      <auth-keyboard-interactive max-tries="3" failure-delay="2">
        <submethod-radius>
          <radius-server address="<MobileID server IP address>"
                         port="1812" client-nas-identifier="<NAS-ID>">
            <radius-shared-secret file="/path/to/radius-secret-file" />
          </radius-server>
        </submethod-radius>
      </auth-keyboard-interactive>
    </authentication>

answered Oct 21 '11 at 09:36


anttisa ♦
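Both answers hinge on the same policy point: the authentication block must offer nothing except keyboard-interactive, and the single submethod (PAM with a pam_radius_auth-backed service, or submethod-radius) must actually route through the MobileID RADIUS server; any additional method or submethod would let a login skip the one-time PIN. The following Python script is an added example (not from either answer, and not a tool shipped with Tectia Server) that audits an `<authentication-methods>` element for exactly that. The function names, the sample address 192.0.2.10, the NAS identifier and the secret file path are constructed placeholders; the second sample wraps the answer's `<authentication>` element in the `<authentication-methods>` container the first answer shows.

```python
"""Audit a Tectia Server <authentication-methods> block for MobileID-only login.

Added example: checks that every <authentication> allows only keyboard-interactive,
and that each submethod is either PAM backed by a required pam_radius_auth line or a
submethod-radius with a server address and an absolute shared-secret file path.
"""
import xml.etree.ElementTree as ET

# Constructed sample inputs mirroring the configurations in the two answers.
PAM_MOBILEID = """\
auth       required    pam_radius_auth.so debug
account    required    pam_permit.so debug
session    required    pam_loginuid.so debug
"""

TECTIA_PAM_XML = """\
<authentication-methods login-grace-time="600">
  <authentication name="mobileid-auth">
    <auth-keyboard-interactive>
      <submethod-pam service-name="mobileid"/>
    </auth-keyboard-interactive>
  </authentication>
</authentication-methods>
"""

TECTIA_RADIUS_XML = """\
<authentication-methods>
  <authentication name="authentication">
    <auth-keyboard-interactive max-tries="3" failure-delay="2">
      <submethod-radius>
        <radius-server address="192.0.2.10" port="1812" client-nas-identifier="tectia-1">
          <radius-shared-secret file="/etc/ssh2/radius-secret"/>
        </radius-server>
      </submethod-radius>
    </auth-keyboard-interactive>
  </authentication>
</authentication-methods>
"""


def pam_has_required_radius(pam_text):
    """True if the PAM service's auth stack makes pam_radius_auth.so required/requisite."""
    for line in pam_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth" and fields[2] == "pam_radius_auth.so":
            return fields[1] in ("required", "requisite")
    return False


def audit_authentication_methods(xml_text, pam_services):
    """Return a list of findings; an empty list means the block matches the policy.

    pam_services maps a PAM service name to the text of its /etc/pam.d/<name> file.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "authentication-methods":
        return ["root element is not <authentication-methods>"]
    for auth in root.findall("authentication"):
        name = auth.get("name", "?")
        # Any method besides keyboard-interactive (e.g. auth-password) bypasses the PIN.
        for child in auth:
            if child.tag != "auth-keyboard-interactive":
                findings.append(f"{name}: extra method <{child.tag}> allowed")
        for kbi in auth.findall("auth-keyboard-interactive"):
            subs = list(kbi)
            if not subs:
                findings.append(f"{name}: keyboard-interactive has no submethod")
            for sub in subs:
                if sub.tag == "submethod-pam":
                    svc = sub.get("service-name")
                    if svc not in pam_services:
                        findings.append(f"{name}: PAM service '{svc}' has no /etc/pam.d file")
                    elif not pam_has_required_radius(pam_services[svc]):
                        findings.append(f"{name}: PAM service '{svc}' does not require pam_radius_auth")
                elif sub.tag == "submethod-radius":
                    servers = sub.findall("radius-server")
                    if not servers:
                        findings.append(f"{name}: submethod-radius lists no radius-server")
                    for srv in servers:
                        if not srv.get("address"):
                            findings.append(f"{name}: radius-server without address")
                        if not srv.get("port", "1812").isdigit():
                            findings.append(f"{name}: radius-server port is not numeric")
                        secret = srv.find("radius-shared-secret")
                        if secret is None or not secret.get("file", "").startswith("/"):
                            findings.append(f"{name}: radius-shared-secret must point at an absolute file path")
                else:
                    # e.g. submethod-password would accept a local password without MobileID.
                    findings.append(f"{name}: submethod <{sub.tag}> is not routed through MobileID")
    return findings


if __name__ == "__main__":
    print(audit_authentication_methods(TECTIA_PAM_XML, {"mobileid": PAM_MOBILEID}))
    print(audit_authentication_methods(TECTIA_RADIUS_XML, {}))
```

Run it against the real ssh-server-config.xml by passing the `<authentication-methods>` subtree and a dict built from the files under /etc/pam.d; an empty findings list is the expected result for either answer's setup, and any listed method or submethod is one that a user could complete without the MobileID PIN.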

Asked: Sep 17 '10 at 11:57

Last updated: Oct 21 '11 at 09:36
