RADIUS authentication in Oracle Solaris 11.4 Beta
In the first refresh of the Oracle Solaris 11.4 beta we got support for RADIUS in the PAM framework, so you can now use RADIUS for authentication without having to compile the necessary components on your own. This is really useful, as RADIUS is quite often used to implement, for example, one-time password mechanisms backed by a central infrastructure.
This feature is implemented by a PAM module named pam_radius_auth.so.1. It supports TLS-based RADIUS; for test and development, however, you can use it without TLS. I will use this simplified method in this blog entry. There are PAM policy files in /etc/security/pam_policy for systemwide or per-user activation. If you use them, it may be a good idea to remove the echo_pass after the pam_radius_auth.so.1 in order to deactivate the clear-text repetition of the password on your shell.
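One way to check a policy file for this before activating it, as an added example that is not part of the original post: two shell functions that find active pam_radius_auth.so.1 lines still carrying echo_pass and print a copy of the policy without it. The function names and the sample policy lines are constructed for illustration; only the module name and the option come from the text above.

```shell
#!/bin/sh
# Added example: audit a PAM policy file for pam_radius_auth.so.1 lines that
# still carry echo_pass. Function names and sample lines are constructed.

# Print "lineno:line" for each active line loading the module with echo_pass.
find_echo_pass() {
    awk '
        /^[ \t]*#/ { next }    # commented-out lines are not active
        {
            seen = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "pam_radius_auth.so.1" || $i ~ /\/pam_radius_auth\.so\.1$/) seen = 1
                else if (seen && $i == "echo_pass") { print NR ":" $0; break }
            }
        }' "$1"
}

# Print the policy with echo_pass dropped from those lines; others unchanged.
strip_echo_pass() {
    awk '
        /^[ \t]*#/ { print; next }
        {
            seen = 0; hit = 0; out = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "pam_radius_auth.so.1" || $i ~ /\/pam_radius_auth\.so\.1$/) seen = 1
                if (seen && $i == "echo_pass") { hit = 1; continue }
                out = out (out == "" ? "" : " ") $i
            }
            print (hit ? out : $0)
        }' "$1"
}

# Constructed sample in pam.conf-style syntax (not the shipped policy file).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample policy
login auth required pam_unix_auth.so.1
login auth required pam_radius_auth.so.1 echo_pass
# login auth required pam_radius_auth.so.1 echo_pass
other auth required pam_unix_cred.so.1
EOF
}

sample=$(mktemp) && write_sample "$sample"
echo "active lines that still echo the password:"; find_echo_pass "$sample"
echo "policy with echo_pass removed:"; strip_echo_pass "$sample"
rm -f "$sample"
```

Run strip_echo_pass against a copy of the policy file and review the result before replacing anything under /etc/security/pam_policy.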
While there is a man page describing the setup of pam_radius_auth, there is a small problem: the way it's described is incorrect. The config, however, is generated via an SMF stencil, so the stencil file at /lib/svc/stencils/pam_radius_conf.stencil is a good interim source for how to configure it.
In this blog entry I would like to describe a really basic setup of this feature. Of course you need a working RADIUS server. In my case I will just use the one that is in my home anyway for WLAN authentication.
At first you have to install the package:
Now we have to configure the SMF service.
In my example I will activate RADIUS authentication just for my own user.
Now we can try it out.
Now the system is asking for the RADIUS password in addition to the one you have stored in files (or in LDAP, if you want to do so).