0

I have successfully configured pam_radius on a Ubuntu client so that users are asked for an OTP. The radius server is an NPS with Azure MFA extension. The OTP is checked against Azure.

It works well, but I'd rather not send the user credentials to the NPS, so that only the OTP is checked. Also it would be nice to ask the user for OTP before the password.

I read elsewhere (https://learn.microsoft.com/en-us/answers/questions/20921/mfa-nps-error.html) that if we choose "Accepting users without validating credentials" on the NPS (in addition to "skip_passwd" on pam_radius_auth configuration), this would work - but it doesn't.

Is this because pam_radius will always try to authenticate with both password and OTP? Or maybe NPS will always ask for a password? But on the other hand, on pam_radius_auth documentation it says that skip_pass will send a null as password in that case, so why am I still asked for the password?

Best, Francis

francisaugusto
  • 180
  • 10

2 Answers2

0

Just got what was wrong: ticking at "Accept users without validating credentials" did the trick. I was mistaken that with "Allow clients to connect without negotiating an authentication method" under Authentication settings. It now works as desired.

francisaugusto
  • 180
  • 10
0

Would you be able to share the steps you followed to do this? I am currently trying to do the exact same thing. We already have mfa with ms authenticator set up for our office online/exchange/vpn stuff, but we would also like to implement this on our ubuntu desktop GUI.

I've been able to implement the google pam authenticator locally on each system with the ms authenticator app, but that involves adding a new account to the app, and I'd like to use the current mfa already in use by users.

We have the radius/ntp/azure in place already, I just don't know what I need to do on the ubuntu desktop side to get it connected to it.

Rob Dogg
  • 1
  • Hi! You did the hard part, then. What you gotta do is to install [pam_radius](https://github.com/FreeRADIUS/pam_radius), then configure it to talk to the NPS server. Basically this mechanism involves having a pam client on each linux you want to authenticate to against the Azure 2FA. But this was to log in on the terminal, I haven't tested on the Desktop. – francisaugusto Jan 13 '23 at 22:20
  • This does not really answer the question. If you have a different question, you can ask it by clicking [Ask Question](https://serverfault.com/questions/ask). To get notified when this question gets new answers, you can [follow this question](https://meta.stackexchange.com/q/345661). Once you have enough [reputation](https://serverfault.com/help/whats-reputation), you can also [add a bounty](https://serverfault.com/help/privileges/set-bounties) to draw more attention to this question. - [From Review](/review/late-answers/539831) – Stuggi Jan 18 '23 at 07:33