Description
This article describes how to integrate Linux login (pam_radius) with FortiAuthenticator acting as the RADIUS server.
FortiToken Mobile is used for 2FA and CentOS 7 for the Linux machine. The last section covers email tokens, which additionally need challenge-response enabled on the SSH server.
Solution
Linux configuration.
1) Install the pam_radius module. It is not in the CentOS 7 base repositories, so enable an additional repository (EPEL provides it) if yum cannot find the package.
[root@localhost ~]# yum install pam_radius
2) Edit /etc/pam_radius.conf. Replace FAC_IP and FAC_Secret with the FortiAuthenticator address and the RADIUS shared secret; the secret must be identical to the one entered on the FortiAuthenticator RADIUS client. The third field is the per-server timeout in seconds. Because the file holds the shared secret, keep it readable by root only (mode 600).
[root@localhost ~]# nano /etc/pam_radius.conf
# server[:port] shared_secret timeout (s)
#127.0.0.1 secret 1
#other-server other-secret 3
FAC_IP FAC_Secret 3
3) Edit /etc/pam.d/sshd to add RADIUS authentication to the auth stack. The line goes before the password-auth substack so that RADIUS is tried first. Note the control flag: with "sufficient", a RADIUS accept logs the user in without checking the local password, but a RADIUS reject or timeout falls through to password-auth, so a local password alone still works. Use "required" instead if RADIUS 2FA must be enforced for every SSH login (and keep a console or other break-glass path in case the FortiAuthenticator is unreachable).
[root@localhost ~]# nano /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_radius_auth.so # add this line
auth substack password-auth
auth include postlogin
4) Restart the sshd service so the new PAM stack is used.
[root@localhost ~]# systemctl restart sshd
5) Add a local account with the same username as the user in FortiAuthenticator. pam_radius only authenticates; sshd still needs a local account (with home directory and shell) to complete the login.
[root@localhost ~]# useradd fac_nathan
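The Linux side of steps 2 and 3 can be applied and checked with the following script. It is an added example, not Fortinet's or pam_radius' own tooling: it renders /etc/pam_radius.conf with root-only permissions, inserts the pam_radius_auth.so line before "auth substack password-auth" idempotently, and reports the "sufficient" fallback described above so the decision is made consciously. Every function takes the path or text it works on, so it can be run against copies of the files first; server, secret and username values are placeholders.

```python
"""Apply and check the Linux-side pam_radius settings from the steps above.

Added example, not Fortinet's or pam_radius' own code. Every function takes
the text or path it works on, so it can be tried on copies of
/etc/pam_radius.conf and /etc/pam.d/sshd before touching the live files
(which needs root). Server, secret and username values are placeholders.
"""
import os
import re
import stat

# the article inserts the RADIUS line just before this entry
PAM_ANCHOR = re.compile(r"^\s*auth\s+substack\s+password-auth\b")


def render_pam_radius_conf(server, secret, timeout=3):
    """Build /etc/pam_radius.conf: 'server[:port] shared_secret timeout'."""
    if not secret or any(c.isspace() for c in secret):
        raise ValueError("shared secret must be non-empty and contain no whitespace")
    return f"# server[:port] shared_secret timeout (s)\n{server} {secret} {timeout}\n"


def write_pam_radius_conf(path, server, secret, timeout=3):
    """Write the file and make it root-only: it holds the RADIUS shared secret."""
    with open(path, "w") as fh:
        fh.write(render_pam_radius_conf(server, secret, timeout))
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)          # mode 0600
    return stat.S_IMODE(os.stat(path).st_mode)


def _auth_entries(pam_text):
    """The 'auth' lines of a PAM file, split into fields, comments dropped."""
    rows = [l.split() for l in pam_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    return [r for r in rows if r[0] == "auth"]


def insert_pam_radius(pam_text, control="sufficient"):
    """Insert 'auth <control> pam_radius_auth.so' before 'auth substack password-auth'.

    Idempotent: unchanged if the module is already in the auth stack. Raises
    if the anchor is missing, so a differently laid-out stack is not silently
    left without RADIUS.
    """
    if any("pam_radius_auth.so" in r for r in _auth_entries(pam_text)):
        return pam_text
    lines = pam_text.splitlines()
    for i, line in enumerate(lines):
        if PAM_ANCHOR.match(line):
            lines.insert(i, f"auth {control} pam_radius_auth.so")
            return "\n".join(lines) + "\n"
    raise ValueError("no 'auth substack password-auth' line to anchor on")


def check_pam_stack(pam_text):
    """Findings a reviewer would raise about the resulting auth stack."""
    auth = _auth_entries(pam_text)
    radius = [i for i, r in enumerate(auth) if "pam_radius_auth.so" in r]
    if not radius:
        return ["pam_radius_auth.so is not in the auth stack"]
    findings = []
    if auth[radius[0]][1] == "sufficient":
        findings.append("sufficient: if RADIUS rejects or times out, PAM falls through to "
                        "the local password, so 2FA can be skipped; use 'required' to enforce it")
    local = [i for i, r in enumerate(auth) if PAM_ANCHOR.match(" ".join(r))]
    if local and local[0] < radius[0]:
        findings.append("pam_radius_auth.so is placed after password-auth")
    return findings


def configure(pam_path, conf_path, server, secret, control="sufficient"):
    """Apply both changes to the given files; restart sshd afterwards yourself."""
    write_pam_radius_conf(conf_path, server, secret)
    with open(pam_path) as fh:
        patched = insert_pam_radius(fh.read(), control)
    with open(pam_path, "w") as fh:
        fh.write(patched)
    return check_pam_stack(patched)


if __name__ == "__main__":
    # dry run on the stack shown in the article (constructed copy, no files touched)
    sample = "#%PAM-1.0\nauth required pam_sepermit.so\nauth substack password-auth\nauth include postlogin\n"
    for finding in check_pam_stack(insert_pam_radius(sample)):
        print("finding:", finding)
```

To apply it for real, call configure("/etc/pam.d/sshd", "/etc/pam_radius.conf", "FAC_IP", "FAC_Secret", control="required") as root and then restart sshd; the returned list is empty when nothing needs attention.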
FortiAuthenticator Configuration.
1) Configure a RADIUS client for the Linux server, using its IP address and the same shared secret that was written to /etc/pam_radius.conf. The user (here fac_nathan) must exist on the FortiAuthenticator, locally or through a remote LDAP server, with a token assigned.
Using Email Token as 2FA:
1) Enable the challenge-response mechanism. With an email token FortiAuthenticator answers the first Access-Request (username and password) with an Access-Challenge, and pam_radius_auth presents the challenge text as a second prompt through the PAM conversation. sshd only delivers that second prompt over keyboard-interactive authentication, so additional configuration is needed on the Linux server: edit /etc/ssh/sshd_config and enable ChallengeResponseAuthentication (CentOS 7 ships it set to no).
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
2) Restart sshd.
[root@localhost ~]# systemctl restart sshd
Login flow:
1) Enter username and password (first prompt).
2) Enter the email token when the second prompt appears.
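What travels between pam_radius_auth and FortiAuthenticator during those two prompts is an Access-Request, an Access-Challenge carrying a State attribute and a Reply-Message, a second Access-Request that echoes the State and carries the token, and finally an Access-Accept. The following script is an added example, not FortiAuthenticator's or pam_radius' code: a minimal RFC 2865 client and a constructed stand-in for the RADIUS server running in one process, so the round trip can be stepped through without a network. Password hiding and the Response Authenticator follow RFC 2865; the server logic, the shared secret, the user, the password and the token value are made up for the example.

```python
"""RADIUS challenge-response exchange behind the two prompts above.

Added example, not FortiAuthenticator's or pam_radius' code: a minimal
RFC 2865 client and a constructed stand-in for the server, in one process,
so the Access-Request / Access-Challenge / Access-Accept round trip can be
seen without a network. Password hiding and the Response Authenticator
follow RFC 2865; the server logic, user, password and token are made up.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
USERS = {"fac_nathan": {"password": "Passw0rd!", "token": "482913"}}  # constructed


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = authenticator."""
    p = password.encode()
    p += b"\x00" * (-len(p) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(p[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def _attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def encode(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(_attrs(attrs))) + authenticator + _attrs(attrs)


def decode(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs.append((t, pkt[pos + 2:pos + l]))
        pos += l
    return code, ident, pkt[4:20], attrs


def response_auth(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(_attrs(attrs)))
    return hashlib.md5(head + request_auth + _attrs(attrs) + secret).digest()


def fac_stub(pkt, secret):
    """Stand-in server: password on the first leg, emailed token on the second."""
    code, ident, req_auth, attrs = decode(pkt)
    a = dict(attrs)
    user = a[USER_NAME].decode()
    value = unhide_password(a[USER_PASSWORD], secret, req_auth)
    acct = USERS.get(user, {})
    if STATE not in a:
        if acct.get("password") != value:
            reply, out = ACCESS_REJECT, []
        else:  # the email token is sent here; State ties the next request to this session
            reply = ACCESS_CHALLENGE
            out = [(REPLY_MESSAGE, b"Enter email token:"), (STATE, b"sess-" + user.encode())]
    else:
        ok = a[STATE] == b"sess-" + user.encode() and acct.get("token") == value
        reply, out = (ACCESS_ACCEPT if ok else ACCESS_REJECT), []
    return encode(reply, ident, response_auth(reply, ident, out, req_auth, secret), out)


def send(server, secret, ident, user, value, state=None):
    """One Access-Request; the reply is accepted only if its authenticator verifies."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, hide_password(value, secret, req_auth))]
    if state is not None:
        attrs.append((STATE, state))
    code, rid, auth, rattrs = decode(server(encode(ACCESS_REQUEST, ident, req_auth, attrs), secret))
    if rid != ident or auth != response_auth(code, rid, rattrs, req_auth, secret):
        raise ValueError("bad Response Authenticator: reply not from the shared-secret holder")
    return code, dict(rattrs)


def login(secret, user, password, token):
    """The two prompts the user sees over SSH: password, then the emailed token."""
    code, reply = send(fac_stub, secret, 1, user, password)
    if code != ACCESS_CHALLENGE:
        return "rejected"
    # pam_radius_auth shows reply[REPLY_MESSAGE] and reads the token through the
    # PAM conversation; sshd only carries that second prompt when
    # ChallengeResponseAuthentication is enabled. State must be echoed back.
    code, _ = send(fac_stub, secret, 2, user, token, state=reply[STATE])
    return "accepted" if code == ACCESS_ACCEPT else "rejected"


if __name__ == "__main__":
    print(login(b"FAC_Secret", "fac_nathan", "Passw0rd!", "482913"))
```

Two points the exchange makes concrete: the State attribute is what lets the server tie the token to the password that was just accepted, so a client that cannot keep that second prompt open (sshd with ChallengeResponseAuthentication no) never completes the flow; and the only thing protecting the password on the wire is MD5 keyed with the shared secret, which is why the secret must be long and random and /etc/pam_radius.conf root-only.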
Logs on the FortiAuthenticator (newest first): the password is accepted and the token is sent (status Pending), the SMTP delivery is logged, then the token is verified (status Success).
logid=20000 cat="Event" subcat="Authentication" level="information" nas="x.x.x.x" action="Authentication" status="Success" msg="Remote LDAP user authentication with email token successful" user="fac_nathan"
logid=30908 cat="Event" subcat="System" level="information" nas="" action="" status="" msg="smtp mail: send to xxx@xxx.com via x.x.x.x ok" user="admin"
logid=20300 cat="Event" subcat="Authentication" level="information" nas="x.x.x.x" action="Authentication" status="Pending" msg="Remote LDAP user authentication partially done, expecting email token" user="fac_nathan"
Copyright 2023 Fortinet, Inc. All Rights Reserved.