December 14, 2018 at 21:04 #20835
I’ve been running a NoMachine server with two factor authentication using securid. It all works OK. I just edit /etc/pam.d/nx and insert an “auth” line for pam_securid, and then NoMachine prompts me for an authentication code after I have entered my Linux password.
However, I now need to swap to using a radius server. I’ve installed and configured pam_radius, and have swapped my pam_securid entry in /etc/pam.d/nx for a pam_radius entry. Now when I connect and enter my Linux password, I don’t get a prompt for a radius code, it just sits in a loop.
I know my radius setup is OK because I can make ssh work with it. However, when I look in the logs, there are no radius entries (I’m running pam_radius with the “debug” option).
Has anyone got NoMachine working with radius? I’m using NoMachine Enterprise Terminal Server 6.0.66-8.x86_64
Thanks in advance
December 17, 2018 at 11:16 #20852
It looks like a problem similar to
Did you try with the latest release NoMachine 6.4.6?
December 17, 2018 at 14:26 #20855
I’ve upgraded to NoMachine-Enterprise-Terminal-Server-6.4.6-25.x86_64, and my /etc/pam.d/nx now reads …
auth include su
auth required pam_radius_auth.so retry=3 force_prompt debug
account include su
password include su
session optional pam_loginuid.so
session include su
i.e., it is as supplied with the rpm, but I have added the pam_radius line.
However, it acts the same as before. It prompts for and accepts my Linux prompt, but then just spins in a loop. It must have talked to our radius server, because I get an authentication code as an SMS message. However NoMachine does not prompt me for the code.
Interestingly, although I have the debug code in my pam set up, there is no logging from pam_radius in my syslog, although I do get it when I am using ssh with pam_radius.
Note, I am using pam_radius-1.4.0-2.el7.x86_64
December 17, 2018 at 14:53 #20859
Are you connecting through protocol NX? If yes, then please enable nxserver logs, reproduce the issue (try to connect), gather and send logs.
Here are the instructions for how to do this:
Also try with protocol SSH (in nxplayer -> connection settings). Behaviour should be different.
If protocol SSH fails also, then could you paste here the output of ‘ssh username@localhost’?
December 17, 2018 at 14:54 #20860
If I trace the nxserver.bin process during the authentication, I can see that it is receiving a prompt from the radius server. It just isn’t translating this into a gui entry box.
[pid 24403] write(1, "Enter Your Microsoft verification"..., 39) = 39
December 17, 2018 at 15:56 #20867
The logs follow… The penultimate line shows that nxexec receives a prompt from the radius server, but nx doesn’t then produce a dialog box for me to enter the code.
December 17, 2018 at 16:26 #20876
Did you try with protocol SSH? In nxplayer window right click on connection -> edit connection -> protocol -> ssh.
As I understand, Linux is the radius client. What is the radius server? A Windows server with NPS configured, or maybe Azure cloud?
December 18, 2018 at 08:55 #20878
The radius server is NPS. However, I have come across this which implies that NPS isn’t capable of processing Access-Challenge RADIUS responses. Therefore phone call and mobile app push notifications should work fine, but neither SMS nor mobile app verification codes (OTPs) will work because we don’t have a way to challenge the user for their OTP, which is the purpose of the Access-Challenge response.
Maybe using ssh rather than nx protocol is the way to go. I’ll have a play …
December 24, 2018 at 13:44 #20937
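The Access-Challenge step discussed in post #20878, as an added example that is not part of the thread and is not NoMachine or pam_radius code: a parser for a RADIUS response (RFC 2865 layout) that reports whether the client has to show a prompt and send a second request. The sample packet and prompt text are constructed, and the Response Authenticator is not verified because that needs the shared secret.

```python
import struct

# RADIUS packet codes and attribute types from RFC 2865.
CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
REPLY_MESSAGE, STATE = 18, 24


def parse_radius_response(packet: bytes) -> dict:
    """Parse a RADIUS response header and the attributes a challenge relies on."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    result = {"code": CODES.get(code, f"unknown({code})"), "id": ident,
              "reply_message": [], "state": None}
    pos = 20  # skip Code, Identifier, Length and the 16-byte Authenticator
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == REPLY_MESSAGE:
            result["reply_message"].append(value.decode("utf-8", "replace"))
        elif attr_type == STATE:
            result["state"] = value
        pos += attr_len
    # An Access-Challenge means the client must display the prompt and send a
    # new Access-Request with the user's answer and the same State value.
    result["needs_user_prompt"] = code == 11
    return result


def build_sample(code: int, attrs: list) -> bytes:
    """Build a constructed response (zeroed authenticator) for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


# Constructed sample: a challenge asking for a one-time code.
SAMPLE_CHALLENGE = build_sample(11, [(REPLY_MESSAGE, b"Enter verification code"),
                                     (STATE, b"\x01\x02\x03\x04")])

if __name__ == "__main__":
    print(parse_radius_response(SAMPLE_CHALLENGE))
```

A response with code 11 only leads to a successful login if the layer driving the PAM conversation relays the Reply-Message text to the user and returns the answer.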