REDHAT MULTI-FACTOR AUTHENTICATION USING UPSSO

INTRODUCTION

This document provides instructions to configure multi-factor authentication to RedHat Linux server with UPSSO Radius service.

PREREQUISITES

To integrate UPSSO with the RedHat, below are the prerequisites we need.

  • Administrator access to UPSSO Portal.
  • RedHat Version 6.X and higher

REDHAT MULTI-FACTOR AUTHENTICATION USING UPSSO NETWORK DIAGRAM

  1. User authenticated to the OS using RedHat SSH.
  2. RedHat sends an authentication request to the UPSSO Radius server.
  3. UPSSO Radius server forwards the authentication request to the IDP server.
  4. IDP server checks the authentication request with enterprise LDAP or UPSSO directory.
  5. IDP sends the multi-factor token to be configured methods, like Google authenticator, SMS, or Email.
  6. Radius receives authorization accept or reject method from the IDP server.
  7. UPSSO Radius server confirms the Authentication request to the target device.

ADD RADIUS CLIENT IN UPSSO PORTAL

  1. Login to the UPSSO portal.
  2. Once login, go to Radius client's section.

3. Click on the + button to add a new client.

4. Enter the device friendly name and IP address and secret for the device to authenticate with the RADIUS server—this secret used during the device radius configuration.

CONFIGURING REDHAT FOR RADIUS AUTHENTICATION

  1. Install required libraries using the following command
sudo yum install gcc pam pam-devel make -y

2. Install free radius client by following the below commands.

cd /usr/src
sudo yum install wget
sudo wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.4.0.tar.gz
sudo tar xvzf pam_radius-1.4.0.tar.gz 
cd pam_radius-1.4.0
sudo ./configure
sudo make

3. Identify the Linux architecture by the following command. i386 and i686 are both 32-bit. x86_64 is 64-bit

uname -m

4. case of a 32-bit operating system, use the below command to copy the file.

cp pam_radius_auth.so /lib/security/

5. In case of a 64-bit operating system, use the below command to copy the file.

cp pam_radius_auth.so /lib64/security/

6. Edit the below file and ensure ChallengeResponseAuthenticationyes is enabled and does not include a #

sudo vim /etc/ssh/sshd_config

7. Make sure UsePAM set to yes

8. Edit the below file to enable authentication methods. Make sure the contents of the file as per the below screenshot.

sudo vim /etc/pam.d/sshd

In the below screenshot, I have replaced the line 2 with the below line to send the user authentication using the radius server. Edit the line according to your organization's authentication flow.

Auth            required                    pam_radius_auth.so

9. Create a directory to store the radius server configuration using the following command.

sudo mkdir /etc/raddb

10. Create a new file using the below command.

sudo vim /etc/raddb/server

11. Add the below contents as per the below screenshot. Replace the server IP with your UPSSO Radius server IP and Secret we have created in the UPSSO portal.

#Server         Secret    Timeout
10.10.3.138     123     60

12. Create a user in the Linux server using the following command.

adduser karthik
passwd karthik

13. Set a strong password for the user; however, this password not be used during the authentication process.

14. Restart ssh service using the following command.

systemctl restart sshd

LOGIN USING MFA

  1. Login to the server using your favorite ssh terminal.

2. Enter the username and password configured in the upsso portal.

3. Enter the MFA code received by email, SMS, or google authenticator.

4. Once authentication successful, you logged into the system.