Two factor authentication with radius

  • #20835
    drobson
    Participant

    I’ve been running a NoMachine server with two factor authentication using securid.  It all works OK.  I just edit /etc/pam.d/nx and insert an “auth” line for pam_securid, and then NoMachine prompts me for an authentication code after I have entered my Linux password.

    However, I now need to swap to using a radius server.  I’ve installed and configured pam_radius, and have swapped my pam_securid entry in /etc/pam.d/nx for a pam_radius entry.  Now when I connect and enter my Linux password, I don’t get a prompt for a radius code, it just sits in a loop.

    I know my radius setup is OK because I can make ssh work with it.  However, when I look in the logs, there are no radius entries (I’m running pam_radius with the “debug” option).

    Has anyone got NoMachine working with radius?   I’m using NoMachine Enterprise Terminal Server 6.0.66-8.x86_64

    Thanks in advance

    #20852
    og00r
    Contributor

    It looks like a problem similar to
    https://www.nomachine.com/TR11P08977
    Did you try with the latest release NoMachine 6.4.6?

    #20855
    drobson
    Participant

    I’ve upgraded to NoMachine-Enterprise-Terminal-Server-6.4.6-25.x86_64, and my /etc/pam.d/nx now reads …

    auth       include       su
    auth       required      pam_radius_auth.so retry=3 force_prompt debug
    account    include       su
    password   include       su
    session    optional      pam_loginuid.so
    session    include       su

    i.e., it is as supplied with the rpm, but I have added the pam_radius line.

    However, it acts the same as before.  It prompts for and accepts my Linux prompt, but then just spins in a loop.  It must have talked to our radius server, because I get an authentication code as an SMS message.  However NoMachine does not prompt me for the code.

    Interestingly, although I have the debug code in my pam set up, there is no logging from pam_radius in my syslog, although I do get it when I am using ssh with pam_radius.

    Note, I am using pam_radius-1.4.0-2.el7.x86_64

     

    #20859
    og00r
    Contributor

    Are you connecting through protocol NX? If yes, then please enable nxserver logs, reproduce the issue (try to connect), gather and send the logs.

    Here are the instructions for how to do this:
    https://www.nomachine.com/DT10O00163#1

    Also try with protocol SSH (in nxplayer -> connection settings). The behaviour should be different.
    If protocol SSH also fails, then could you paste here the output of ‘ssh username@localhost’?

    #20860
    drobson
    Participant

    If I trace the nxserver.bin process during the authentication, I can see that it is receiving a prompt from the radius server.  It just isn’t translating this into a GUI entry box.

    [pid 24403] write(1, "Enter Your Microsoft verification"..., 39) = 39

     

    #20867
    drobson
    Participant

    The logs follow…  The penultimate line shows that nxexec receives a prompt from the radius server, but nx doesn’t then produce a dialog box for me to enter the code.

     

     

     

    #20876
    og00r
    Contributor

    Did you try with protocol SSH? In the nxplayer window, right click on connection -> edit connection -> protocol -> ssh.

    As I understand it, Linux is the radius client. What is the radius server? A Windows server with NPS configured, or maybe Azure cloud?

    #20878
    drobson
    Participant

    The radius server is NPS.  However, I have come across this which implies that NPS isn’t capable of processing Access-Challenge RADIUS responses.  Therefore phone call and mobile app push notifications should work fine, but neither SMS nor mobile app verification codes (OTPs) will work because we don’t have a way to challenge the user for their OTP, which is the purpose of the Access-Challenge response.

     

    Maybe using ssh rather than nx protocol is the way to go.  I’ll have a play …

    #20937
    og00r
    Contributor

    A Trouble Report has been created:
    https://www.nomachine.com/TR12P09054

    You wrote “Maybe using ssh rather than nx protocol is the way to go.  I’ll have a play …”: so ssh is working correctly?

    We are sending you a test library by email, if you want to have a try.

This topic was marked as solved, you can't post.