
Configure RADIUS Authentication in Ezeelogin SSH Jump host

Integrate and configure RADIUS authentication in Ezeelogin.

1. Navigate to Settings -> RADIUS and enter the RADIUS server hostname, the RADIUS client shared secret, and the authentication port.

2. Under Settings -> General -> Web Panel Authentication, set it to RADIUS.

3. Enable "Auto Create User" under Settings -> General -> Security so that a Unix user account is created on the system for SSH access when the RADIUS user authenticates in the Ezeelogin GUI.

4. Test the connectivity from the Ezeelogin SSH jump host to the RADIUS server. In the example below, the RADIUS user "rtest" with the password "rtest1234" has authenticated successfully on the RADIUS server "radius.eznoc.com" (192.168.0.121) from the CLI on the jump host. 1812 is the default RADIUS UDP server port and "Cole!$%SYUU" is the RADIUS client shared secret. The secret is single-quoted on the command line because an interactive bash shell would otherwise apply history expansion to "!$" and send a different secret.

IP address of the RADIUS server radius.eznoc.com is 192.168.0.121, RADIUS user = rtest, RADIUS password = rtest1234
Install the freeradius-utils-3.0.13-15.el7.x86_64 package so that the binary radtest is available on the server.
[root@jumphost ~]# radtest rtest rtest1234 192.168.0.121:1812 1812 'Cole!$%SYUU'
Sent Access-Request Id 37 from 0.0.0.0:60808 to 192.168.0.121:1812 length 75
User-Name = "rtest"
User-Password = "rtest1234"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "rtest1234"
Received Access-Accept Id 37 from 192.168.0.121:1812 to 0.0.0.0:0 length 20

   

An invalid RADIUS user password produces the following error.

[root@jumphost ~]# radtest rtest rtest123 192.168.0.121:1812 1812 'Cole!$%SYUU'
Sent Access-Request Id 16 from 0.0.0.0:36719 to 192.168.0.121:1812 length 75
User-Name = "rtest"
User-Password = "rtest123"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "rtest123"
Received Access-Reject Id 16 from 192.168.0.121:1812 to 0.0.0.0:0 length 20
(0) -: Expected Access-Accept got Access-Reject

The following error is returned if the RADIUS server or the client secret is invalid.

[root@otp ~]# radtest rtest rtest1234 192.168.0.121:1812 1812 'Cole!$%SYUU'
Sent Access-Request Id 76 from 0.0.0.0:32856 to 192.168.0.121:1812 length 75
User-Name = "rtest"
User-Password = "rtest1234"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "rtest1234"
(0) No reply from server for ID 76 socket 3

To fix the above error, whitelist the gateway IP on the RADIUS server:

[root@radius_server ~]# vim /etc/raddb/clients.conf

client radius {
    ipaddr = gateway_ip
    secret = radius_secret
}
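
The packet lengths and the role of the shared secret in the radtest output above follow from the RADIUS wire format (RFC 2865, plus the Message-Authenticator attribute from RFC 2869). The Python below is an added example, not code from Ezeelogin or FreeRADIUS; the function names and the fixed request authenticator are assumptions made for illustration. With the page's values it yields the 75-byte Access-Request and the 20-byte attribute-less reply that radtest reports.

```python
import hashlib, hmac, socket, struct

SECRET = b"Cole!$%SYUU"      # shared secret from the radtest example on this page
REQ_AUTH = bytes(range(16))  # constructed value; real clients use 16 random bytes

def attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value

def hide_password(password, secret, request_auth):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)
    data = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    # Server side: same keystream, chained on the previous ciphertext block
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, user, password, secret, request_auth):
    # Attributes in the order radtest printed them: 1, 2, 4, 5, then 80
    attrs = (attr(1, user) + attr(2, hide_password(password, secret, request_auth))
             + attr(4, socket.inet_aton("127.0.0.1")) + attr(5, struct.pack("!I", 1812)))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs) + 18) + request_auth
    # Message-Authenticator: HMAC-MD5 over the packet with 16 zero bytes in its place
    mac = hmac.new(secret, header + attrs + attr(80, b"\x00" * 16), hashlib.md5).digest()
    return header + attrs + attr(80, mac)

def message_authenticator_ok(request, secret):
    # Server-side check; assumes attribute 80 is the last attribute, as built above
    zeroed = request[:-16] + b"\x00" * 16
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), request[-16:])

def build_reply(code, request, secret):
    # Attribute-less reply: authenticator = MD5(code + id + length + RequestAuth + secret)
    head = struct.pack("!BBH", code, request[1], 20)
    return head + hashlib.md5(head + request[4:20] + secret).digest()

def reply_is_authentic(reply, request, secret):
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

A request keyed with a different secret fails the Message-Authenticator check, which RFC 2869 says must cause the packet to be silently discarded; that is consistent with the "No reply from server" case above.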

5. Install the pam_radius module so that RADIUS users can authenticate over SSH on the Ezeelogin jumphost.

[root@jumphost ~]# yum install pam_radius.x86_64

[root@jumphost ~]# vi /etc/pam.d/sshd

#%PAM-1.0
auth    required      pam_sepermit.so
auth    sufficient    pam_radius_auth.so

[root@jumphost ~]# vi /etc/pam_radius.conf

#  pam_radius_auth configuration file.  Copy to: /etc/pam_radius.conf
# 192.168.0.121 is the RADIUS server IP, followed by the RADIUS client shared secret and the timeout value
192.168.0.121   Cole!$%SYUU  60

6. Log in as the RADIUS user "rtest" in the Ezeelogin GUI.

7. SSH using an SSH client such as "PuTTY" or "Terminal" as the user "rtest" to the Ezeelogin jumphost, or SSH via the "Web SSH Console".

ssh rtest@jump_host.server

Or SSH via the Web SSH Console within the Ezeelogin GUI.

Failure to authenticate with the RADIUS server will display the error shown below in the Ezeelogin GUI.

[Screenshot: RADIUS login failure in the Ezeelogin GUI]