Using PAM to authenticate to RADIUS

Hi there. Trying to configure PAM to authenticate via RADIUS on Rocky Linux. This worked fine on CentOS 7 but I cannot log in using 2FA. Has anyone successfully configured this? Are there additional files to modify? I cannot find a lot of documentation for Rocky Linux, PAM and RADIUS.

Many thanks

@Tobe, Welcome. What version of Rocky Linux? While not directly related to Rocky, this link might be helpful: PAM RADIUS installation and configuration guide

Sorry, it's 4.18.0-513.11.1.el8_9.x86_64
Thanks for the link. Ideally I do not want to install additional RPMs if I can help it.

So far I have done the following:

updated /etc/raddb/server
radius_server_ip:port secret timeout

updated /etc/pam_radius.conf
radius_server_ip:port secret timeout source_ip (tried with no vrf (blank) or with vrf-blue > neither works)

updated /etc/pam.d/sshd
added the following line, directly under the first line: #%PAM-1.0
auth sufficient pam_radius_auth.so

I notice that if I run the following command:
cat /etc/ssh/sshd_config | grep ssh
I can see:
AllowGroups ssh_users

So, I edited /etc/group and added my userid to the ssh_users group.

Then restarted the service:
systemctl restart sshd

I then tried to ssh in again:

However if I run:
systemctl status sshd.service
I get the following error (I cannot find anything on the web relating to this, hence reaching out on this forum).
Note: I changed the IP address to x.x.x.199 and my user id to USERID (for security).

sshd[22127]: pam_radius_auth: Failed bind to vrf-blue: No such device
sshd[22127]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=x.x.x.199 user=USERID
sshd[22127]: Failed password for USERID from x.x.x.199 port 52435 ssh2

Thanks, if anyone can help me.

Figured it out through trial and error:
I commented out the last 3 lines in pam_radius.conf (the ones that come out of the box). After this I restarted sshd.service and it now works. Strange, as I thought the file was read from the top down.
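
The log line "Failed bind to vrf-blue: No such device" and the fix above both point at entries that were still active in pam_radius.conf. As an added example (not part of the thread and not pam_radius code), this script lists every active entry without printing its secret and flags any whose vrf column names a device the host lacks; the column order is taken from the post above and the sample config is constructed.

```python
import sys
from pathlib import Path

# Constructed sample, not the packaged file. Column order assumed from the post:
# server[:port] secret timeout source_ip vrf
SAMPLE_CONF = """\
# server[:port]  secret          timeout  source_ip   vrf
192.0.2.10:1812  example-secret  3
#192.0.2.11      example-secret  3
example-server   other-secret    5        192.0.2.50  vrf-blue
"""

def active_servers(conf_text):
    """Return every uncommented server entry; the shared secret is dropped."""
    entries = []
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        # Assumption: only a leading '#' marks a comment line.
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # a server entry needs at least server and secret
        optional = fields[2:5] + [None] * (3 - len(fields[2:5]))
        entries.append({"line": lineno, "server": fields[0],
                        "timeout": optional[0], "source_ip": optional[1],
                        "vrf": optional[2]})
    return entries

def missing_vrfs(entries, devices):
    """Entries whose vrf column names a device that is not in `devices`."""
    return [e for e in entries if e["vrf"] and e["vrf"] not in devices]

def local_devices(sys_net="/sys/class/net"):
    """Network device names the kernel exposes on this Linux host."""
    root = Path(sys_net)
    return {p.name for p in root.iterdir()} if root.is_dir() else set()

if __name__ == "__main__":
    # Pass the real file as an argument (needs read access); default is the sample.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_CONF
    entries = active_servers(text)
    bad_lines = {e["line"] for e in missing_vrfs(entries, local_devices())}
    for e in entries:
        flag = "vrf device missing" if e["line"] in bad_lines else "ok"
        print(f"line {e['line']}: {e['server']} vrf={e['vrf']} -> {flag}")
```

Any entry reported that you did not add yourself is a candidate for commenting out before restarting sshd.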
