I have a new install of OpenSuse 13.1 and I’d like to have users authenticate against a Cisco ACS Radius Server when they ssh into the OpenSuse system. I haven’t done this before but I’ve been reading up on PAM, etc. The problem is I can’t seem to find any complete type of documentation to really configure this. I don’t want to configure a Radius Server on this OpenSuse system. I was also trying to figure out how to run the yast2-pam app but I didn’t see that in yast (I know the package is installed…). I’m assuming the yast2-pam app would help???
Any help would be appreciated.
Although I haven’t done this on Linux before,
Generally speaking in my experience you don’t authenticate <directly> to a RADIUS server, normally you authenticate to a Network Security system, eg LDAP which in turn is configured to use a RADIUS server as an authenticator.
Or, in another case you would be logging in through a Wireless router configured for 802.1x, which means it’s configured as a port-blocking firewall (need to authenticate before providing any network services. In a <normal> network, you might notice that typically DHCP hands out an IP address happily before the client logs into the network). In this case, the port-blocking firewall (the access point) is configured to request and forward to a RADIUS server for authentication.
As for PAM, it’s a common standard and interface used to easily configure various authentication methods by plugins, but you generally need to have PAM support on both sides (not just the openSUSE OS itself).
You are correct, the Cisco ACS Radius Server will be referencing an Active Directory External Database. I’m thinking this should be too difficult to do… Just need to be pointed in the right direction.
There is pam_radius module, you can find documentation and usage examples on http://freeradius.org/pam_radius_auth/
In this case your login has little to do with openSUSE.
Starts with proper configuration of the Access Point and AD. If you’re not a Network Admin, this is something you can completely ignore because those efforts are completely beyond anything you can see.
What you <do> need to do though is to join your machine to the AD Domain.
In theory, when you login to the network, the AP should pass your request to AD which in turn should pass the request on to the RADIUS server (If you didn’t belong to an AD Domain or if your network is configured to not integrate RADIUS with AD, you might have to login with non-AD credentials and the AP would forward the request directly to the RADIUS server).
There are a zillion different system setups so I can’t/won’t try to know how every system works, but someone should know the specifics how the RADIUS server is configured with/without AD, which might also determine how to present credentials to your network… there are a multitude of possibilities so you’ll have to ask the person who did the setup.
On the other hand, if you are the Network Admin tasked with setting up something brand new… That’s another story…