How to configure PAM as a submethod of keyboard-interactive to use Radius
asked Dec 14 '10 at 22:01
SSH KB ♦
When using RADIUS authentication, SSH Tectia Server first asks for the user's password and then sends it along with the user name to the RADIUS server (PAP authentication). Multiple RADIUS servers can be configured, and these will be queried in turn in case some of them are unreachable.
The supported RADIUS servers are Microsoft IAS (Internet Authentication Service) and FreeRADIUS. The following example shows settings for keyboard-interactive authentication using the RADIUS submethod in the ssh-server-config.xml file:
Using the SSH Tectia Server Configuration tool, keyboard-interactive authentication can be configured on the Authentication page.
Note that enforcing password changes does not work with RADIUS.
A common cause of problems in RADIUS authentication is that the shared secret is corrupted. For example, extra newline characters or spaces in the shared secret file can cause the authentication to fail. Make sure the same shared secret is configured on SSH Tectia Server and the network access server (NAS).
For information on configuring FreeRADIUS, see, for example, http://www.freeradius.org/. For information on configuring Microsoft IAS, see its documentation.
Special Considerations on Windows:
When using RADIUS authentication to log on to a Windows server that belongs to a domain, you have to give the user name prefixed with the machine name, for example MACHINE\user (instead of user). This is because RADIUS authentication uses local accounts, and SSH Tectia Server that is installed on a Windows domain machine assumes that user accounts given without a prefix are domain accounts. If SSH Tectia Server is installed on a stand-alone machine, you can use both notations with RADIUS authentication (MACHINE\user and user).
answered Dec 14 '10 at 22:02
SSH KB ♦
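The shared-secret problem described in the answer above can be checked mechanically. The following is an added example, not part of the original answer or of SSH Tectia: it inspects the raw bytes of a shared secret for stray newlines, spaces and similar debris, and tells a whitespace-only mismatch apart from two genuinely different secrets. It assumes the secret file's bytes are used verbatim; the function names, file arguments and sample value are hypothetical.

```python
import hmac
import sys

BOM = b"\xef\xbb\xbf"  # UTF-8 byte order mark some editors prepend


def inspect_secret(data: bytes) -> list:
    """Return findings about stray bytes in a RADIUS shared secret."""
    if not data:
        return ["empty secret"]
    findings = []
    if data.startswith(BOM):
        findings.append("UTF-8 byte order mark at start")
        data = data[len(BOM):]
    if data.endswith(b"\r\n"):
        findings.append("trailing CRLF line ending")
    elif data.endswith(b"\n"):
        findings.append("trailing newline")
    body = data.rstrip(b"\r\n")
    if body != body.strip(b" \t"):
        findings.append("leading or trailing space/tab")
    if b"\n" in body or b"\r" in body:
        findings.append("embedded line break")
    if any((b < 0x20 and b not in (0x09, 0x0A, 0x0D)) or b == 0x7F for b in body):
        findings.append("control character")
    return findings


def _normalize(data: bytes) -> bytes:
    """Drop a BOM and surrounding whitespace, for diagnosis only."""
    if data.startswith(BOM):
        data = data[len(BOM):]
    return data.strip(b" \t\r\n")


def compare_secrets(server_side: bytes, radius_side: bytes) -> str:
    """Classify how two copies of the secret differ without printing them."""
    if hmac.compare_digest(server_side, radius_side):
        return "match"
    if hmac.compare_digest(_normalize(server_side), _normalize(radius_side)):
        return "whitespace-only mismatch"
    return "different secrets"


if __name__ == "__main__":
    # Usage: script.py <server_secret_file> [<radius_secret_file>]
    # With no arguments, a constructed sample value is inspected instead.
    blobs = [open(p, "rb").read() for p in sys.argv[1:3]] or [b"Constructed-Example\n"]
    for i, blob in enumerate(blobs):
        print(f"input {i}: {len(blob)} bytes, findings: {inspect_secret(blob) or 'none'}")
    if len(blobs) == 2:
        print("comparison:", compare_secrets(*blobs))
```

The script prints only lengths and findings, never the secret itself, so its output is safe to paste into a support ticket.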