FortiAuthenticator
nathan_h
Staff
Article Id 190276

Description


This article describes how to configure FortiAuthenticator to integrate Linux login through PAM (pam_radius).
FortiToken Mobile is used for two-factor authentication, and the Linux machine runs CentOS 7.


Solution


Linux configuration.

1) Install the pam_radius module. If the package is not found, an additional Linux repository may need to be added.

[root@localhost ~]# sudo yum install pam_radius

2) Edit /etc/pam_radius.conf and replace FAC_IP and FAC_Secret with the FortiAuthenticator IP address and the RADIUS shared secret.

[root@localhost ~]# nano /etc/pam_radius.conf
# server[:port] shared_secret      timeout (s)
#127.0.0.1      secret             1
#other-server    other-secret       3
FAC_IP FAC_Secret 3

3) Edit /etc/pam.d/sshd to add RADIUS authentication to the SSH authentication stack.

[root@localhost ~]# nano /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       sufficient   pam_radius_auth.so # add this line
auth       substack     password-auth
auth       include      postlogin

4) Restart the sshd service.

[root@localhost ~]# systemctl restart sshd

5) Add a local user with the same username as the account in FortiAuthenticator.

sudo useradd fac_nathan

FortiAuthenticator Configuration.

1) Configure the RADIUS client (the Linux server, with the same shared secret entered in /etc/pam_radius.conf).

2) Configure the RADIUS policy.

3) Configure the local FortiAuthenticator account (the same username as the Linux user, with FortiToken Mobile assigned).

Verification.

Login as: username
Password: password+tokencode (the password immediately followed by the FortiToken Mobile code, entered as one string)

Using Email Token as 2FA:

1) Enable the challenge-response mechanism. Additional configuration is needed on the Linux server: edit the /etc/ssh/sshd_config file so that ChallengeResponseAuthentication is set to yes (the email token is requested as a separate prompt after the password, which requires keyboard-interactive authentication in sshd).

 ChallengeResponseAuthentication yes
 #ChallengeResponseAuthentication no

2) Restart sshd.

 systemctl restart sshd
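As an added example (not code from the article or from Fortinet), the following POSIX shell script applies the Linux-side steps of both procedures above in one pass: it writes /etc/pam_radius.conf readable only by root, adds the pam_radius_auth line to /etc/pam.d/sshd exactly once and before the password-auth substack, sets ChallengeResponseAuthentication yes in sshd_config for the email-token case, and verifies all three before sshd is restarted. The ROOT prefix, the function names, the APPLY switch and the 192.0.2.10/FAC_Secret values are assumptions for illustration; on a real CentOS 7 host ROOT is left empty.

```shell
#!/bin/sh
# Added example, not Fortinet's or the article's code: applies the Linux-side steps
# (pam_radius.conf, the pam_radius_auth line in /etc/pam.d/sshd, and
# ChallengeResponseAuthentication in sshd_config) idempotently and checks them.
# ROOT is an assumed prefix so the functions can be exercised against a scratch
# directory; leave it empty on a real host.
set -eu

ROOT="${ROOT:-}"
PAM_RADIUS_LINE='auth       sufficient   pam_radius_auth.so'

# Step 2: write /etc/pam_radius.conf. It holds the RADIUS shared secret, so it is
# created under umask 077 and forced to mode 600; a world-readable copy would let any
# local user read the secret that authenticates this host to FortiAuthenticator.
write_radius_conf() {
  # $1 = FortiAuthenticator IP, $2 = shared secret, $3 = timeout in seconds
  conf="$ROOT/etc/pam_radius.conf"
  mkdir -p "$(dirname "$conf")"
  ( umask 077; printf '# server[:port] shared_secret timeout (s)\n%s %s %s\n' "$1" "$2" "$3" > "$conf" )
  chmod 600 "$conf"
}

# Step 3: add the pam_radius_auth line to /etc/pam.d/sshd exactly once, directly
# before the password-auth substack so RADIUS (password + token) is tried first.
insert_pam_radius() {
  pam="$ROOT/etc/pam.d/sshd"
  if grep -q 'pam_radius_auth\.so' "$pam"; then
    return 0                                   # already present, nothing to do
  fi
  awk -v line="$PAM_RADIUS_LINE" '
    /password-auth/ && !done { print line; done = 1 }
    { print }
    END { exit done ? 0 : 1 }                 # fail if there was no password-auth line
  ' "$pam" > "$pam.tmp" || { rm -f "$pam.tmp"; return 1; }
  mv "$pam.tmp" "$pam"
}

# Email-token step 1: set ChallengeResponseAuthentication yes in sshd_config (the
# keyword used by the OpenSSH shipped with CentOS 7), commenting out an active "no".
enable_challenge_response() {
  cfg="$ROOT/etc/ssh/sshd_config"
  if grep -q '^ChallengeResponseAuthentication yes' "$cfg"; then
    return 0
  fi
  sed 's/^ChallengeResponseAuthentication no/#&/' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  printf 'ChallengeResponseAuthentication yes\n' >> "$cfg"
}

# Check the result before sshd is restarted: the secret file is root-only, the RADIUS
# line appears once and before password-auth, and challenge-response is on.
verify_config() {
  pam="$ROOT/etc/pam.d/sshd"
  perms=$(ls -l "$ROOT/etc/pam_radius.conf" | cut -c1-10)
  [ "$perms" = "-rw-------" ] || { echo "pam_radius.conf must be mode 600" >&2; return 1; }
  [ "$(grep -c 'pam_radius_auth\.so' "$pam")" -eq 1 ] || return 1
  radius_ln=$(grep -n 'pam_radius_auth\.so' "$pam" | cut -d: -f1)
  pw_ln=$(grep -n 'password-auth' "$pam" | head -n 1 | cut -d: -f1)
  [ -n "$pw_ln" ] && [ "$radius_ln" -lt "$pw_ln" ] || return 1
  grep -q '^ChallengeResponseAuthentication yes' "$ROOT/etc/ssh/sshd_config"
}

# Usage on the CentOS 7 host, as root: APPLY=yes ./fac_pam_radius.sh <FAC_IP> <FAC_Secret>
if [ "${APPLY:-no}" = yes ]; then
  write_radius_conf "$1" "$2" 3
  insert_pam_radius
  enable_challenge_response
  verify_config
  systemctl restart sshd
fi
```

The verify step is deliberately separate from the apply step: a misplaced pam_radius_auth line (after password-auth) would silently fall back to local password-only login, and an unreadable or world-readable pam_radius.conf is easy to miss until the first login fails or the secret leaks.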

 

Login flow:

1) Enter username and password. 

2) Enter Email Token.

 


 

Logs:

logid=20000 cat="Event" subcat="Authentication" level="information" nas="x.x.x.x" action="Authentication" status="Success" msg="Remote LDAP user authentication with email token successful" user="fac_nathan"
logid=30908 cat="Event" subcat="System" level="information" nas="" action="" status="" msg="smtp mail: send to xxx@xxx.com via x.x.x.x ok" user="admin"
logid=20300 cat="Event" subcat="Authentication" level="information" nas="x.x.x.x" action="Authentication" status="Pending" msg="Remote LDAP user authentication partially done, expecting email token" user="fac_nathan"
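As an added example (not the article's or Fortinet's code), the following POSIX shell functions summarise email-token authentication events from a FortiAuthenticator log export in the key="value" format shown above. A "Pending" Authentication event is written after the password was accepted and before the token arrives, so a user with more Pending than Success entries had the first factor accepted but never completed the second. The sample log is constructed: the three lines from the article plus one extra Pending line for a made-up user, fac_other.

```shell
#!/bin/sh
# Added example, not the article's or Fortinet's code: summarise email-token
# Authentication events from a FortiAuthenticator log export.
set -eu

# For every user with Authentication events in log file $1, print
# "<user> <pending-count> <success-count>", one user per line (any order).
token_challenge_counts() {
  awk '
    function field(line, key,   m) {
      # value of key="..." in the log format shown in the article, or "" if absent
      m = match(line, " " key "=\"[^\"]*\"")
      if (!m) return ""
      return substr(line, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    /subcat="Authentication"/ {
      u = field($0, "user"); s = field($0, "status")
      if (s == "Pending") pend[u]++
      if (s == "Success") succ[u]++
      seen[u] = 1
    }
    END { for (u in seen) printf "%s %d %d\n", u, pend[u] + 0, succ[u] + 0 }
  ' "$1"
}

# Users whose password was accepted but who never submitted the email token.
# First check SMTP delivery (the logid=30908 "smtp mail ... ok" line); if the mail
# did go out, repeated cases for one user are worth investigating, because the
# password alone was enough to reach the token prompt.
stalled_token_users() {
  token_challenge_counts "$1" | awk '$2 > $3 { print $1 }' | sort
}

# Constructed sample: the three lines from the article plus one extra Pending line
# for a second (made-up) user, fac_other, who never completes the token step.
write_sample_log() {
  cat > "$1" <<'EOF'
logid=20000 cat="Event" subcat="Authentication" level="information" nas="x.x.x.x" action="Authentication" status="Success" msg="Remote LDAP user authentication with email token successful" user="fac_nathan"
logid=30908 cat="Event" subcat="System" level="information" nas="" action="" status="" msg="smtp mail: send to xxx@xxx.com via x.x.x.x ok" user="admin"
logid=20300 cat="Event" subcat="Authentication" level="information" nas="x.x.x.x" action="Authentication" status="Pending" msg="Remote LDAP user authentication partially done, expecting email token" user="fac_nathan"
logid=20300 cat="Event" subcat="Authentication" level="information" nas="x.x.x.x" action="Authentication" status="Pending" msg="Remote LDAP user authentication partially done, expecting email token" user="fac_other"
EOF
}

# Demo on the constructed sample: ./fac_token_log.sh --demo
if [ "${1:-}" = "--demo" ]; then
  f=$(mktemp)
  write_sample_log "$f"
  token_challenge_counts "$f"
  echo "stalled: $(stalled_token_users "$f")"
  rm -f "$f"
fi
```

The counts are order-independent, so they work on an export whether it is listed newest-first (as above) or oldest-first; over a long window, compare Pending and Success per user within the token validity period rather than over the whole file.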

 

Related Articles

Technical Note: FortiAuthenticator Interoperability Guide