RADIUS authentication in Oracle Solaris 11.4 Beta

In the first refresh of the Oracle Solaris 11.4 beta we got support for RADIUS in the PAM framework, so you can now use RADIUS for authentication without having to compile the necessary components yourself. This is really useful, as RADIUS is often used to implement, for example, one-time password mechanisms backed by a central infrastructure.

This feature is implemented by a PAM module named pam_radius_auth.so.1. It supports TLS-based RADIUS; however, for test and development you can use it without TLS, and I will use this simplified method in this blog entry. There are PAM policy files for UNIX+RADIUS and LDAP+RADIUS in /etc/security/pam_policy for system-wide or per-user activation. If you use them, it may be a good idea to remove the echo_pass option after pam_radius_auth.so.1 in order to deactivate the clear-text repetition of the password on your shell.

While there is a man page describing the setup of pam_radius_auth, there is a small problem: the way it is described there is incorrect. The config, however, is generated via an SMF stencil, so the stencil file at /lib/svc/stencils/pam_radius_conf.stencil is a good interim source on how to configure it.

In this blog entry I would like to describe a really basic setup of this feature. Of course you need a working RADIUS server; in my case I will just use the one that is in my home anyway for WLAN authentication.

At first you have to install the package:

root@client:~# pkg install pkg:/system/security/radius/client

Now we have to configure the SMF service.

root@client:~# svccfg -s radius/client:default
svc:/network/radius/client:default> setprop config/server_list = "10.0.0.2"
svc:/network/radius/client:default> setprop config/secret/shared_secret = "justameaninglesssharedsecret"
svc:/network/radius/client:default> setprop config/protocol = "tcp"
root@client:~# svcadm refresh radius/client:default

In my example I will activate RADIUS authentication just for my own user.

root@client:~# usermod -K pam_policy=unix+radius joerg

Now we can try it out.

root@client:~# ssh joerg@localhost
Password: YOUR_UNIX_PASSWORD
RADIUS password or PIN: PASSWORD_OR_PIN_IN_RADIUSSERVER
Last login: Fri Apr 27 22:49:58 2018 from 10.1.10.22
Oracle Corporation      SunOS 5.11      Solaris_11/11.4/ON/production.build-59:2018-03-22       March 2018
joerg@ldap:~$

Now the system asks for the RADIUS password in addition to the one you have stored in the files (or in LDAP, if you prefer that).
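As an added example (not part of the original post and not Oracle's code), here are two small POSIX shell checks you might run after the steps above: one confirms that the pam_radius_auth.so.1 line in a pam_policy file no longer carries the echo_pass option mentioned earlier, the other that the three SMF properties set above are present and the protocol is tcp or udp. The file formats are assumptions (pam.conf-style "service type flag module options" lines for the policy file; "name type value" lines as printed by svcprop for the properties), and all sample files are constructed here rather than copied from a real system.

```shell
#!/bin/sh
# Post-setup checks for a pam_radius_auth configuration.
# Added example; assumes pam.conf-style policy lines and svcprop-style
# "name type value" property lines. Sample inputs below are constructed.

# Return 0 if no pam_radius_auth.so.1 line in $1 carries echo_pass, 1 otherwise.
# echo_pass makes the module repeat the typed password in clear text.
check_echo_pass() {
    policy_file=$1
    if grep -v '^[[:space:]]*#' "$policy_file" \
        | grep 'pam_radius_auth\.so\.1' \
        | grep -q 'echo_pass'; then
        return 1
    fi
    return 0
}

# Return 0 if config/server_list, config/secret/shared_secret and
# config/protocol are all set and the protocol is tcp or udp; 1 otherwise.
# $1 is a file holding svcprop-style "name type value" lines.
check_radius_props() {
    props_file=$1
    server=$(awk '$1=="config/server_list"{print $3}' "$props_file")
    secret=$(awk '$1=="config/secret/shared_secret"{print $3}' "$props_file")
    proto=$(awk '$1=="config/protocol"{print $3}' "$props_file")
    [ -n "$server" ] || return 1
    [ -n "$secret" ] || return 1
    case "$proto" in
        tcp|udp) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample inputs (not the real files from the system above).
tmpdir=$(mktemp -d)
cat > "$tmpdir/unix+radius" <<'EOF'
# constructed policy: UNIX password first, then the RADIUS prompt
other auth requisite pam_authtok_get.so.1
other auth required  pam_unix_auth.so.1
other auth required  pam_radius_auth.so.1 echo_pass
EOF
cat > "$tmpdir/unix+radius.fixed" <<'EOF'
other auth requisite pam_authtok_get.so.1
other auth required  pam_unix_auth.so.1
other auth required  pam_radius_auth.so.1
EOF
cat > "$tmpdir/props.ok" <<'EOF'
config/server_list astring 10.0.0.2
config/secret/shared_secret astring justameaninglesssharedsecret
config/protocol astring tcp
EOF
cat > "$tmpdir/props.bad" <<'EOF'
config/server_list astring 10.0.0.2
config/protocol astring tcp
EOF

# Report on each sample so the script is useful when run by hand.
for f in "$tmpdir/unix+radius" "$tmpdir/unix+radius.fixed"; do
    if check_echo_pass "$f"; then
        echo "$(basename "$f"): ok, RADIUS password is not echoed"
    else
        echo "$(basename "$f"): echo_pass still set on pam_radius_auth.so.1"
    fi
done
for f in "$tmpdir/props.ok" "$tmpdir/props.bad"; do
    if check_radius_props "$f"; then
        echo "$(basename "$f"): ok, server, secret and protocol set"
    else
        echo "$(basename "$f"): missing or invalid radius/client property"
    fi
done
```

On a live system you would point check_echo_pass at /etc/security/pam_policy/unix+radius and feed check_radius_props the output of svcprop -p config radius/client instead of the constructed files.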