Two factor authentication with radius
Tagged: radius
This topic has 8 replies, 2 voices, and was last updated 5 years, 10 months ago by og00r.

December 14, 2018 at 21:04 #20835 drobson Participant
I’ve been running a NoMachine server with two factor authentication using securid. It all works OK. I just edit /etc/pam.d/nx and insert an “auth” line for pam_securid, and then NoMachine prompts me for an authentication code after I have entered my Linux password.
However, I now need to swap to using a radius server. I’ve installed and configured pam_radius, and have swapped my pam_securid entry in /etc/pam.d/nx for a pam_radius entry. Now when I connect and enter my Linux password, I don’t get a prompt for a radius code, it just sits in a loop.
I know my radius setup is OK because I can make ssh work with it. However, when I look in the logs, there are no radius entries (I’m running pam_radius with the “debug” option).
Has anyone got NoMachine working with radius? I’m using NoMachine Enterprise Terminal Server 6.0.66-8.x86_64
Thanks in advance

December 17, 2018 at 11:16 #20852 og00r Contributor
It looks like a problem similar to
https://www.nomachine.com/TR11P08977
Did you try with the latest release NoMachine 6.4.6?

December 17, 2018 at 14:26 #20855 drobson Participant
I’ve upgraded to NoMachine-Enterprise-Terminal-Server-6.4.6-25.x86_64, and my /etc/pam.d/nx now reads …
auth include su
auth required pam_radius_auth.so retry=3 force_prompt debug
account include su
password include su
session optional pam_loginuid.so
session include su
i.e., it is as supplied with the rpm, but I have added the pam_radius line.
However, it acts the same as before. It prompts for and accepts my Linux prompt, but then just spins in a loop. It must have talked to our radius server, because I get an authentication code as an SMS message. However NoMachine does not prompt me for the code.
Interestingly, although I have the debug code in my pam set up, there is no logging from pam_radius in my syslog, although I do get it when I am using ssh with pam_radius.
Note, I am using pam_radius-1.4.0-2.el7.x86_64

December 17, 2018 at 14:53 #20859 og00r Contributor
Are you connecting through protocol NX? If yes, then please enable nxserver logs, reproduce the issue (try to connect), gather and send logs.
Here are the instructions for how to do this:
https://www.nomachine.com/DT10O00163#1
Also try with protocol SSH (in nxplayer -> connection settings). Behaviour should be different.
If protocol SSH fails also, then could you paste here the output of ‘ssh username@localhost’?

December 17, 2018 at 14:54 #20860 drobson Participant
If I trace the nxserver.bin process during the authentication, I can see that it is receiving a prompt from the radius server. It just isn’t translating this into a gui entry box.
[pid 24403] write(1, "Enter Your Microsoft verification"..., 39) = 39

December 17, 2018 at 15:56 #20867 drobson Participant
The logs follow… The penultimate line shows that nxexec receives a prompt from the radius server, but nx doesn’t then produce a dialog box for me to enter the code.
Attachments:

December 17, 2018 at 16:26 #20876 og00r Contributor
Did you try with protocol SSH? In the nxplayer window, right click on connection -> edit connection -> protocol -> ssh.
As I understand, Linux is the radius client. What is the radius server? A Windows server with configured nps, or maybe Azure cloud?

December 18, 2018 at 08:55 #20878 drobson Participant
The radius server is NPS. However, I have come across this which implies that NPS isn’t capable of processing Access-Challenge RADIUS responses. Therefore phone call and mobile app push notifications should work fine, but neither SMS nor mobile app verification codes (OTPs) will work because we don’t have a way to challenge the user for their OTP, which is the purpose of the Access-Challenge response.
Maybe using ssh rather than nx protocol is the way to go. I’ll have a play …

December 24, 2018 at 13:44 #20937 og00r Contributor
A Trouble Report has been created:
https://www.nomachine.com/TR12P09054
You wrote “Maybe using ssh rather than nx protocol is the way to go. I’ll have a play …”: so ssh is working correctly?
We are sending you a test library by email, if you want to have a try.
This topic was marked as solved, you can't post.