UBUNTU MULTI-FACTOR AUTHENTICATION USING UPSSO

INTRODUCTION

This document explains how to implement multi-factor authentication for Ubuntu Linux with the UPSSO RADIUS service.

PREREQUISITES

Integrating UPSSO with Ubuntu requires the following:

  • Administrator access to the UPSSO portal.
  • Ubuntu version 16.04 or higher.

NETWORK DIAGRAM - UBUNTU MULTI-FACTOR AUTHENTICATION USING UPSSO RADIUS

Here's the diagram explaining the multi-factor authentication implementation for Ubuntu Linux using UPSSO RADIUS service.

  1. The user authenticates to the firewall using Ubuntu SSH.
  2. Ubuntu sends an authentication request to the UPSSO RADIUS server.
  3. The UPSSO RADIUS server forwards the authentication request to the IDP server.
  4. The IDP server checks the authentication request against the enterprise LDAP or UPSSO directory.
  5. The IDP sends the multi-factor token to the configured methods, such as Google Authenticator, SMS, or email.
  6. The RADIUS server receives an authorization accept or reject from the IDP server.
  7. The UPSSO RADIUS server confirms the authentication request to the target device.

ADD RADIUS CLIENT IN UPSSO PORTAL

  1. Log in to the UPSSO portal.
  2. Once logged in, go to the Radius clients section.
  3. Click the + button to add a new client.
  4. Enter the device's friendly name, IP address, and the secret the device will use to authenticate with the RADIUS server. This secret is used later during the device RADIUS configuration.

CONFIGURING UBUNTU FOR RADIUS AUTHENTICATION

  1. Install the required libraries using the following command:

sudo apt-get install libpam-radius-auth libpam0g-dev gcc

  2. Edit the file below and ensure the line ChallengeResponseAuthentication yes is present and does not begin with a #.

sudo vi /etc/ssh/sshd_config

  3. In the same file, make sure UsePAM is set to yes.

  4. Edit the file below to enable the authentication methods. Make sure the contents of the file match the screenshot below.

sudo vi /etc/pam.d/sshd

At the beginning of the file, add the line below, as shown in the screenshot.

auth      sufficient       pam_radius_auth.so

  5. Edit the following file and add the RADIUS server IP address and the secret created in the portal.

  6. Make a directory for the RADIUS server DB by executing the command below.

sudo mkdir /etc/raddb

  7. Copy pam_radius_auth.conf to the server DB.

sudo cp /etc/pam_radius_auth.conf /etc/raddb/server

  8. Restart the SSH service.

sudo service ssh restart
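
One way to confirm that the settings from steps 2 to 8 are in place, as an added example that is not part of the original guide or of UPSSO. The function names and the ROOT path prefix are assumptions of this example; it reads only the main sshd_config file (no Include files or Match blocks) and also accepts KbdInteractiveAuthentication, the name newer OpenSSH releases use for ChallengeResponseAuthentication.

```shell
#!/bin/sh
# Added example: audits the settings from the configuration steps.
# ROOT ($1) is an assumption of this example: a path prefix so the checks
# can run against a copy of /etc; pass "" to audit the live host as root.

# First uncommented value of an sshd_config keyword (sshd uses the first).
sshd_value() {  # $1 = file, $2 = keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

check_sshd() {
    f="$1/etc/ssh/sshd_config"
    if [ "$(sshd_value "$f" UsePAM)" != "yes" ]; then
        echo "FAIL: UsePAM is not set to yes"; return 1
    fi
    # Newer OpenSSH releases name this option KbdInteractiveAuthentication.
    for k in ChallengeResponseAuthentication KbdInteractiveAuthentication; do
        if [ "$(sshd_value "$f" "$k")" = "yes" ]; then return 0; fi
    done
    echo "FAIL: challenge-response authentication is not enabled"; return 1
}

check_pam() {
    # The first effective line must be the RADIUS line from step 4.
    first=$(awk 'NF && $1 !~ /^#/ { print $1, $2, $3; exit }' "$1/etc/pam.d/sshd")
    if [ "$first" != "auth sufficient pam_radius_auth.so" ]; then
        echo "FAIL: pam_radius_auth.so is not first in /etc/pam.d/sshd"; return 1
    fi
}

check_server_file() {
    f="$1/etc/raddb/server"
    if [ ! -s "$f" ]; then echo "FAIL: $f is missing or empty"; return 1; fi
    # The file holds the RADIUS shared secret: no group/other permissions.
    perms=$(ls -ld "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $f is accessible to group/other; run chmod 600"; return 1
    fi
}

audit_radius_mfa() {
    rc=0
    check_sshd "$1" || rc=1
    check_pam "$1" || rc=1
    check_server_file "$1" || rc=1
    return $rc
}
```

Because the PAM line is marked sufficient, a RADIUS rejection or timeout falls through to the remaining auth lines in /etc/pam.d/sshd, so review what follows it in that file.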

LOGIN USING MFA

  1. Log in to the server using your favorite SSH terminal.
  2. Enter the username and password configured in the UPSSO portal.
  3. Enter the MFA code received by email, SMS, or Google Authenticator.
  4. Once authentication is successful, you are logged in to the system.