ISE radius for Linux red hat server

harry-gu
Level 1

Hello,

I installed pam_radius on a Red Hat/Linux server and configured it with ISE RADIUS authentication. I was able to SSH to it with a user configured on the RADIUS server. But one issue is that the user name must exist on both the Linux host and ISE, although the password is only created on ISE. If a user name is not created on the Linux server and is only created on ISE, the login will fail. Does anyone know a workaround for this problem?

Thanks,

2 Replies

@harry-gu 

I don't believe it is possible. Anyway, it should be configured on the Linux side. There are a few queries for similar situations on the internet:

https://unix.stackexchange.com/questions/202233/simple-radius-authentication


vishalbhandari
Spotlight

In your setup, the issue arises because, while the authentication process is handled by ISE via RADIUS, the Linux system still needs a local user account to associate with the session. Essentially, RADIUS only verifies the user's credentials, but the local Linux system requires a corresponding local user to manage permissions, home directories, etc.

There are a couple of potential workarounds for this:

1. Use SSSD for Centralized User Management

  • You can integrate your Linux server with a centralized user management system like LDAP or Active Directory (AD) using SSSD (System Security Services Daemon). This way, you can manage users centrally and eliminate the need for creating local users on each Linux server.
  • Here’s an outline of how to achieve this:
    • Install and configure SSSD to connect to your central directory (LDAP/AD).
    • Ensure the pam_radius and SSSD work together, where RADIUS handles authentication and SSSD manages user profiles.
    • Users don’t need to be created on the local system, as they will be managed by LDAP or AD.

2. Enable User Mapping with sshd PAM Configuration

  • In some cases, you can use PAM configuration to handle this by mapping remote users to a local user account. This way, all authenticated users (via RADIUS) could log in as a predefined local user.
  • You could map all RADIUS-authenticated users to a generic user account using the /etc/pam.d/sshd configuration file. However, this approach has security and usability trade-offs since multiple users would share the same Linux account.

3. Dynamic User Creation

  • You can also configure PAM to automatically create a user account when a user successfully logs in via RADIUS. One tool that facilitates this is PAM_MKHOMEDIR, which automatically creates a home directory upon the first login for users authenticated via RADIUS.
  • This approach is more dynamic but could be complex to implement depending on your environment.

Here’s how to configure pam_mkhomedir:

  1. Install the pam_mkhomedir package on your Linux server.
  2. Edit the /etc/pam.d/sshd file and add the following line:

       session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

     This will create a home directory for the user if it doesn’t exist, but keep in mind that you still need a way to dynamically create the user itself.
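The point both replies circle around is that RADIUS (ISE) only answers the authentication question; sshd still has to resolve the account name through NSS (/etc/passwd, or SSSD in option 1) to get a UID, home directory and shell for the session. The following shell script is an added example, not code from this thread or from Cisco: it is a small preflight check that parses a constructed sample /etc/pam.d/sshd stack (the sample and the helper names pam_has_module, user_resolvable and check_login_prereqs are assumptions made for the example) and reports which prerequisite a given login name would fail on.

```shell
#!/bin/sh
# Added example, not from the thread: a preflight check for the failure mode
# described above (ISE/RADIUS authenticates the user, but sshd still needs the
# account name to resolve through NSS, i.e. /etc/passwd or SSSD).
# The PAM stack below is a constructed sample, not a copy of any real host's file.
SAMPLE_PAM_SSHD='auth       sufficient   pam_radius_auth.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    include      password-auth'

# pam_has_module CONFIG GROUP MODULE
# Exit 0 if MODULE appears in management GROUP (auth/account/session/password)
# of the PAM stack passed as text in CONFIG. Only the classic three-column
# form is parsed; "include" lines are not followed (hypothetical helper).
pam_has_module() {
    printf '%s\n' "$1" | awk -v g="$2" -v m="$3" \
        '$1 == g && $3 == m { found = 1 } END { exit found ? 0 : 1 }'
}

# user_resolvable NAME
# Exit 0 if NAME resolves through the system's NSS sources (local passwd file,
# SSSD, ...). This is the lookup sshd effectively performs (getpwnam) for the
# requested login name, independently of what PAM later decides.
user_resolvable() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        grep -q "^$1:" /etc/passwd
    fi
}

# check_login_prereqs CONFIG NAME
# Prints a diagnosis for each prerequisite and exits 0 only if all are met.
check_login_prereqs() {
    clp_cfg="$1"; clp_user="$2"; clp_rc=0
    if pam_has_module "$clp_cfg" auth pam_radius_auth.so; then
        echo "ok:   pam_radius_auth.so is in the auth stack (ISE/RADIUS will be consulted)"
    else
        echo "fail: pam_radius_auth.so missing from the auth stack"; clp_rc=1
    fi
    if pam_has_module "$clp_cfg" session pam_mkhomedir.so; then
        echo "ok:   pam_mkhomedir.so will create the home directory on first login"
    else
        echo "note: no pam_mkhomedir.so; the home directory must already exist"
    fi
    if user_resolvable "$clp_user"; then
        echo "ok:   '$clp_user' resolves via NSS, so the session can be mapped to a UID"
    else
        echo "fail: '$clp_user' does not resolve via NSS; sshd treats it as an invalid user"
        echo "      and the login fails no matter what RADIUS answers"; clp_rc=1
    fi
    return $clp_rc
}

# Demo run: 'ise_only_user' stands for an account that exists only on ISE.
check_login_prereqs "$SAMPLE_PAM_SSHD" root || true
check_login_prereqs "$SAMPLE_PAM_SSHD" ise_only_user || true
```

Run it on the server as a regular user; the second demo call shows the exact situation in the question, where pam_radius_auth and pam_mkhomedir are both in place yet the login still fails because the name never resolves. The fix is therefore on the NSS side (SSSD against LDAP/AD, or a local account), not in the RADIUS configuration.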