
MacOS User Login through Radius with PAM Module

This is a Video presentation with a working user login for MacOS through Radius.

Local setup for MacOS

In order to use this, make sure you have a mobile device enrolled in the environment for push authentication.

  1. Create a local user with the same username as the one from AD

  2. Download, build and install the FreeRADIUS PAM module

  3. Configure the RADIUS PAM module to connect to the Freeradius Server

  4. Integrate the RADIUS PAM module into OS login areas

1. Create a local user with the same username as the one from AD

CODE
# Create the user record with dscl (the Linux command "sudo useradd -m username" is not available on macOS)
sudo dscl . -create /Users/username
sudo dscl . -create /Users/username UserShell /bin/bash
sudo dscl . -create /Users/username RealName "User Name"
# UniqueID must be an ID that is not already taken (list the IDs in use with: dscl . -list /Users UniqueID)
sudo dscl . -create /Users/username UniqueID 599
sudo dscl . -create /Users/username PrimaryGroupID 20
sudo dscl . -create /Users/username NFSHomeDirectory /Users/username
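The UniqueID in the commands above has to be one that no existing account uses. The following added example (not part of this page or of Veridium's tooling) parses the output of `dscl . -list /Users UniqueID` and picks the lowest free ID from 501 upward; the sample output embedded in it is constructed, and the `__main__` block that runs dscl for real only works on macOS.

```python
"""Find a free UniqueID for a new local macOS account.

Added example: parses `dscl . -list /Users UniqueID` output, which prints one
"<username> <UniqueID>" pair per line.  SAMPLE_DSCL_OUTPUT is constructed.
"""
from typing import Set

SAMPLE_DSCL_OUTPUT = """\
_amavisd              83
_www                  70
nobody                -2
root                  0
alice                 501
bob                   502
svc-backup            599
"""


def taken_uids(dscl_output: str) -> Set[int]:
    """Collect every UniqueID that already appears in the dscl listing."""
    uids: Set[int] = set()
    for line in dscl_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or unexpected line
        try:
            uids.add(int(parts[1]))
        except ValueError:
            pass  # a record with a non-numeric UniqueID is ignored
    return uids


def is_uid_free(dscl_output: str, uid: int) -> bool:
    """True when `uid` does not collide with an existing account."""
    return uid not in taken_uids(dscl_output)


def next_free_uid(dscl_output: str, start: int = 501) -> int:
    """Lowest unused ID at or above `start`.

    macOS numbers interactive accounts from 501 upward; IDs below 500 are
    reserved for system accounts, so the search starts at 501 by default.
    """
    taken = taken_uids(dscl_output)
    uid = start
    while uid in taken:
        uid += 1
    return uid


if __name__ == "__main__":
    # Real run (macOS only): ask Directory Services for the current listing.
    import subprocess

    listing = subprocess.run(
        ["dscl", ".", "-list", "/Users", "UniqueID"],
        capture_output=True, text=True, check=True,
    ).stdout
    print("next free UniqueID:", next_free_uid(listing))
```

With the constructed listing the first free ID is 503 (501 and 502 are taken), and 599 is reported as already in use, which is exactly the collision the dscl commands above ask you to avoid.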

2. Download and Install RADIUS PAM

  1. Download and extract the PAM Authentication and Accounting module. This will be in the form of a TAR GZip file, e.g. pam_radius-release_3_0_0.tar.gz

  2. Make sure you have a compiler

    1. run brew install gcc

  3. To build the .so library, open a Terminal window, extract the downloaded archive, change into the extracted folder and run the following commands:

    CODE
    ./configure
    make
  4. Copy the compiled library to the /usr/local/lib folder (this requires sudo access). If the /lib folder is not present in /usr/local, create it first:

    CODE
    # create the /usr/local/lib folder if it doesn't exist
    sudo mkdir -p /usr/local/lib
    # copy the compiled library into that folder
    sudo cp pam_radius_auth.so /usr/local/lib/pam_radius_auth.so

3. Configure the RADIUS PAM client and server

  1. Create a server configuration file called pam_radius_auth.conf on your Mac (as root, e.g. via sudo su) in /etc/ ( /etc/pam_radius_auth.conf )

    CODE
    vim /etc/pam_radius_auth.conf

  2. Add your FreeRADIUS server details using the following format

    CODE
    #[radius-server]{:[port]} [shared-secret] [timeout]
    IPWEBAPP1:1812           PasswordFromVeridium    30
    IPWEBAPP2:1812           PasswordFromVeridium    30

IPWEBAPP1 and IPWEBAPP2 are the IP addresses of the Veridium servers.

PasswordFromVeridium is the shared secret configured for this RADIUS client in Veridium. See this link on how to configure a FreeRADIUS client in Veridium: https://docs.veridiumid.com/docs/v3.7.2/freeradius-service-configuration
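Because /etc/pam_radius_auth.conf holds the shared secret in clear text, two things are worth checking before going further: that every line actually matches the `server[:port] shared-secret timeout` format, and that the file is owned by root and not readable by anyone else. The added example below (my own code, not part of this page or of the pam_radius project) does both; the sample configuration in it is constructed from the format above, and the port default of 1812 is the IANA RADIUS authentication port.

```python
"""Parse and sanity-check a pam_radius_auth.conf file.

Added example, not pam_radius or Veridium code.  SAMPLE_CONF is constructed
from the format shown on the page; the hostnames and secret are placeholders.
"""
import os
import stat
from dataclasses import dataclass
from typing import List

SAMPLE_CONF = """\
#[radius-server]{:[port]} [shared-secret] [timeout]
IPWEBAPP1:1812           PasswordFromVeridium    30
IPWEBAPP2                PasswordFromVeridium    30
"""

DEFAULT_AUTH_PORT = 1812  # IANA-assigned RADIUS authentication port


@dataclass
class RadiusServer:
    host: str
    port: int
    secret: str
    timeout: int


def parse_pam_radius_conf(text: str) -> List[RadiusServer]:
    """Return one RadiusServer per non-comment line, raising on malformed lines."""
    servers: List[RadiusServer] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(
                f"line {lineno}: expected 'server[:port] shared-secret timeout', got {len(fields)} fields")
        host, _, port_text = fields[0].partition(":")
        port = int(port_text) if port_text else DEFAULT_AUTH_PORT
        if not 1 <= port <= 65535:
            raise ValueError(f"line {lineno}: port {port} out of range")
        timeout = int(fields[2])
        if timeout <= 0:
            raise ValueError(f"line {lineno}: timeout must be a positive number of seconds")
        servers.append(RadiusServer(host, port, fields[1], timeout))
    if not servers:
        raise ValueError("no RADIUS servers configured")
    return servers


def worst_case_wait_seconds(servers: List[RadiusServer]) -> int:
    """Approximate time a login can hang when every server is unreachable.

    pam_radius_auth tries the servers in order and moves on after each one's
    timeout, so the sum of the timeouts is a reasonable upper bound to expect.
    """
    return sum(s.timeout for s in servers)


def secret_file_problems(mode: int, uid: int) -> List[str]:
    """Report hygiene problems for a file that contains the shared secret.

    `mode` is the permission bits (stat.S_IMODE), `uid` the owner's user ID.
    """
    problems: List[str] = []
    if uid != 0:
        problems.append("file is not owned by root")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("file is readable or writable by group/others (use chmod 600)")
    return problems


def check_conf_file(path: str = "/etc/pam_radius_auth.conf") -> List[str]:
    """Run the permission check against a real file on disk."""
    st = os.stat(path)
    return secret_file_problems(stat.S_IMODE(st.st_mode), st.st_uid)


if __name__ == "__main__":
    for server in parse_pam_radius_conf(SAMPLE_CONF):
        print(server)
    print("worst-case wait if all servers are down:",
          worst_case_wait_seconds(parse_pam_radius_conf(SAMPLE_CONF)), "s")
    print("problems with a 0644 root-owned file:", secret_file_problems(0o644, 0))
```

The second sample line omits the port, so the parser fills in 1812; the two 30-second timeouts from the page mean a user can wait about a minute for the local fallback when both Veridium servers are unreachable, which is the situation the note about VPN-only access below warns about.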

4. Integrate the RADIUS PAM client with OS logins

PAM modules may be integrated into various login types, e.g. OS login, sshd, su, sudo, etc. The login types available on the target OS correspond to the files in /etc/pam.d/. Each file in /etc/pam.d/ that should use RADIUS must be configured separately; take care, because different components may require different settings, and some should not be changed at all. Modify the appropriate file to integrate the RADIUS PAM module with a specific login type.

Common files to edit are:

File name                   Detail
/etc/pam.d/sshd             Secure Shell (SSH) logins. Ensure Remote Login is enabled in macOS System Preferences.
/etc/pam.d/sudo             sudo command line / terminal access.
/etc/pam.d/authorization    OS logon screen
/etc/pam.d/screensaver      OS unlock screen

Make sure that the machine has access to the FreeRADIUS server. The Veridium FreeRADIUS service is not exposed on the internet, only on the intranet. Changing the logon and unlock modules can lock the user out of the machine whenever the FreeRADIUS server is unreachable (e.g. if FreeRADIUS is available only through a VPN).

Editing the files in the /etc/pam.d/ folder involves adding a new line that specifies under which conditions RADIUS PAM should be used, in the following format:

CODE
auth [control] /usr/local/lib/pam_radius_auth.so [options]

Care should be taken to use the correct control value for the platform and login type. The controls and their behaviour are as follows:

  • required

    • All required modules in a file must pass for a successful result. If one or more of the required modules fail, all of the required modules in the file will be attempted, but the error from the first failed required module is returned.

  • requisite

    • Similar to required except that if a requisite module fails, no further modules in the file are processed and it immediately returns the first failure code from a required or requisite module.

  • sufficient

    • If a module flagged as sufficient succeeds and no previous required or sufficient modules have failed, all remaining modules in the file are ignored and success is returned.

  • optional

    • If none of the modules in the file are required and no sufficient modules have succeeded, then at least one optional module for the service must succeed. If another module in the file is successful, a failure in an optional module is ignored.

For example, to add RADIUS PAM as a sufficient authentication type for sudo on the macOS desktop, add the following line (line no. 3) to the /etc/pam.d/sudo file:

CODE
auth       include        sudo_local
auth       sufficient     pam_smartcard.so
auth       sufficient     /usr/local/lib/pam_radius_auth.so force_prompt prompt=veridium
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
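The ordering and control flags in that stack decide which module actually authenticates the user and, just as importantly, what happens when the Veridium servers cannot be reached. The added example below (my own code, not part of this page, of pam_radius or of Veridium) parses the sudo stack above and simulates the four control semantics described earlier; module outcomes are supplied as a dictionary instead of running real modules, and it also shows the lockout that the warning about FreeRADIUS reachability refers to when `sufficient` is replaced with `required`.

```python
"""Simulate how PAM combines the auth modules of the sudo stack above.

Added example.  Implements the required / requisite / sufficient / optional
semantics as described on the page; real module results are replaced by a
dict of module name -> success, so it runs anywhere.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The /etc/pam.d/sudo stack from the page (copied verbatim).
SUDO_STACK = """\
auth       include        sudo_local
auth       sufficient     pam_smartcard.so
auth       sufficient     /usr/local/lib/pam_radius_auth.so force_prompt prompt=veridium
auth       required       pam_opendirectory.so
account    required       pam_permit.so
password   required       pam_deny.so
session    required       pam_permit.so
"""


@dataclass
class Rule:
    kind: str                  # auth / account / password / session
    control: str               # required / requisite / sufficient / optional
    module: str                # module file name, e.g. pam_radius_auth.so
    options: List[str] = field(default_factory=list)


def parse_pam_file(text: str, kind: str = "auth") -> List[Rule]:
    """Return the module rules of one type; 'include' lines are skipped here."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] != kind or parts[1] == "include":
            continue
        module = parts[2].rsplit("/", 1)[-1]   # keep only the file name
        rules.append(Rule(parts[0], parts[1], module, parts[3:]))
    return rules


def evaluate(rules: List[Rule], outcome: Dict[str, bool]) -> Tuple[str, str, List[str]]:
    """Walk the stack and return (result, reason, modules actually consulted).

    A module is "consulted" only when control flow reaches it, so the returned
    list shows which modules never ran (e.g. pam_opendirectory after a
    successful sufficient pam_radius_auth).
    """
    consulted: List[str] = []
    first_required_failure = None
    saw_required = saw_optional = optional_ok = False
    for rule in rules:
        consulted.append(rule.module)
        ok = outcome[rule.module]
        if rule.control in ("required", "requisite"):
            saw_required = True
            if not ok and first_required_failure is None:
                first_required_failure = rule.module
            if not ok and rule.control == "requisite":
                # requisite: stop now, report the first required/requisite failure
                return "failure", first_required_failure, consulted
        elif rule.control == "sufficient":
            if ok and first_required_failure is None:
                # sufficient success with no earlier required failure ends the stack
                return "success", rule.module, consulted
        elif rule.control == "optional":
            saw_optional = True
            optional_ok = optional_ok or ok
        else:
            raise ValueError(f"unknown control {rule.control!r}")
    if first_required_failure is not None:
        return "failure", first_required_failure, consulted
    if not saw_required:
        if saw_optional and not optional_ok:
            return "failure", "no optional module succeeded", consulted
        if not saw_optional:
            return "failure", "no sufficient module succeeded", consulted
    return "success", "all required modules passed", consulted


def scenario(radius_ok: bool, local_ok: bool, radius_control: str = "sufficient"):
    """Run the page's sudo stack with a given outcome for RADIUS and the local password.

    The smart card module is assumed to fail (no card inserted).  radius_control
    lets you see what happens if pam_radius_auth were made 'required' instead.
    """
    rules = parse_pam_file(SUDO_STACK)
    for rule in rules:
        if rule.module == "pam_radius_auth.so":
            rule.control = radius_control
    outcome = {
        "pam_smartcard.so": False,
        "pam_radius_auth.so": radius_ok,
        "pam_opendirectory.so": local_ok,
    }
    return evaluate(rules, outcome)


if __name__ == "__main__":
    print("RADIUS ok, stack as on the page :", scenario(True, False))
    print("RADIUS down, local password ok  :", scenario(False, True))
    print("RADIUS 'required' and down      :", scenario(False, True, "required"))
```

With the stack as written, a successful RADIUS push ends the stack before pam_opendirectory is ever consulted, and when the Veridium servers are down the local directory password still lets the user in. Changing the RADIUS line to `required` turns an unreachable server into a hard failure even with a correct local password, which is the scenario to avoid on the logon and unlock screens.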