Install gcc and pam-devel
[root@server~]# yum install -y gcc pam-devel
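Download pam_radius. The transfer is plain FTP with no integrity protection, so check the archive against a checksum or signature from the project (if one is published) before building it.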
[root@server~]# wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz
Extract the tar.gz archive and compile the source
[root@server~]# tar xfz pam_radius-1.3.17.tar.gz
[root@server~]# cd pam_radius-1.3.17
[root@server~]# make
Copy shared library
[root@server~]# cp pam_radius_auth.so /lib/security/
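Edit the PAM configuration for sshd. Keep an existing root session open until the new login path has been tested, so that a mistake in this file cannot lock you out.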
[root@server~]# vim /etc/pam.d/sshd
Go to the first line of the file, paste this line:
auth sufficient /lib/security/pam_radius_auth.so
Note: the “sufficient” control flag means that if RADIUS authentication succeeds, no additional authentication is required. However, if RADIUS authentication fails, PAM continues with the rest of the stack, so a local system username and password will still work. Use “required” instead to enforce strong authentication, i.e. so that a login cannot succeed without RADIUS.
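Edit or create your /etc/raddb/server file. Each line holds the server address, the shared secret and the timeout in seconds. The shared secret is stored in clear text, so make the file readable by root only (for example, mode 0600) and replace the sample secrets below with your own.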
[root@server~]# vim /etc/raddb/server
127.0.0.1 secret 1
routableIPaddress shared_secret 1
On the RADIUS server, create the user account and add this host as a client that is allowed to query the server
On the Linux client, add the user without setting a local password
[root@server~]# useradd user1
Test with ssh to the linux client
——– radius packet ——–
radius server : 10.10.1.122:1812
radius client : 10.10.1.123
[root@server~]# tcpdump -nni eth0 host 10.10.1.122 and port 1812
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:30:00.499762 IP 10.10.1.123.3902 > 10.10.1.122.1812: RADIUS, Access Request (1), id: 0xfe length: 86
22:30:00.507723 IP 10.10.1.122.1812 > 10.10.1.123.3902: RADIUS, Access Accept (2), id: 0xfe length: 82