1. Install gcc and pam-devel
yum install -y gcc pam-devel
2. Download and unpack pam_radius
wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz
tar xfz pam_radius-1.3.17.tar.gz
3. Compile
cd pam_radius-1.3.17
make
4. Copy the shared library
cp pam_radius_auth.so /lib/security/
5. Edit the PAM configuration for sshd
vi /etc/pam.d/sshd
Go to the first line of the file and paste this line:
auth sufficient /lib/security/pam_radius_auth.so
Note: The "sufficient" control flag means that if RADIUS authentication succeeds, no additional authentication is required. However, if RADIUS authentication fails, a username and password from the system will still work. Use "required" to require strong authentication.
6. Edit or create your /etc/raddb/server file
vi /etc/raddb/server
--------//---------
127.0.0.1 secret 1
routableIPaddress shared_secret 1
--------//---------
7. On the RADIUS server, create the user account and add this host as a client that is allowed to access RADIUS
8. On the Linux client, add the user with no password
useradd user1
9. Test by connecting with ssh to the Linux client
-------- radius packet --------
radius server : 10.10.1.122:1812
radius client : 10.10.1.123
# tcpdump -nni eth0 host 10.10.1.122 and port 1812
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:30:00.499762 IP 10.10.1.123.3902 > 10.10.1.122.1812: RADIUS, Access Request (1), id: 0xfe length: 86
22:30:00.507723 IP 10.10.1.122.1812 > 10.10.1.123.3902: RADIUS, Access Accept (2), id: 0xfe length: 82
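
A check of the files edited in steps 5 and 6, as an added example that is not part of the original procedure. It reports the control flag on the pam_radius_auth.so line, whether the shared-secret file is readable by group or other, and which servers have a secret shorter than the 16 octets RFC 2865 prefers. The function names are hypothetical; the default paths are the ones used above.

```shell
#!/bin/sh
# Added example: checks for the two files edited in steps 5 and 6.
# Function names are illustrative; paths default to the ones used on this page.
# Usage: audit_pam_radius [pam_file] [server_file]

# Print the control flag of the first active auth line that loads pam_radius_auth.so.
# Commented-out lines are skipped because their first field is not exactly "auth".
radius_pam_control() {
    awk '$1 == "auth" && /pam_radius_auth\.so/ { print $2; exit }' "$1"
}

# Succeed only if group and other have no permission bits on the secrets file.
secret_file_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print each server whose shared secret is shorter than MIN characters
# (default 16). The secret itself is never printed.
short_secret_servers() {
    awk -v min="${2:-16}" '$1 !~ /^#/ && NF >= 2 && length($2) < min { print $1 }' "$1"
}

# Run all three checks; return 0 only if every check passes.
audit_pam_radius() {
    pam_file=${1:-/etc/pam.d/sshd}
    srv_file=${2:-/etc/raddb/server}
    rc=0
    ctl=$(radius_pam_control "$pam_file")
    case "$ctl" in
        required|requisite) echo "OK   control flag is $ctl" ;;
        "") echo "FAIL no pam_radius_auth.so auth line in $pam_file"; rc=1 ;;
        *)  echo "WARN control flag is $ctl: a failed RADIUS login falls through to the local password (see the note in step 5)"; rc=1 ;;
    esac
    if secret_file_private "$srv_file"; then
        echo "OK   $srv_file is not accessible to group or other"
    else
        echo "FAIL $srv_file is accessible to group or other (chmod 600)"; rc=1
    fi
    weak=$(short_secret_servers "$srv_file")
    if [ -n "$weak" ]; then
        echo "WARN short shared secret for:" $weak; rc=1
    fi
    return $rc
}
```

Run `audit_pam_radius` as root after step 6; a non-zero return means at least one line was reported as WARN or FAIL.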