Multi-stage PAM authentication

Rothstein, Joseph joseph.rothstein at
Tue Jun 12 18:07:04 CEST 2018

Thanks to all for responses.

We have developed a token-based PAM library to perform authentication on
stand-alone systems. Tokens are requested from a corporate portal, and are
issued for a specific user, device, and time period. Each group of devices
has its own key, and this key is then used to "decrypt" the token and
confirm the validity period.

We would like to adapt this PAM library to support FortiGate admin
logon against a RADIUS server with the PAM module installed.

I have seen a couple of screenshots of Token challenges on the FortiGate
(specifically from Centrify Howto), so I have to assume that this works.

I can authenticate against FreeRADIUS with static usernames and passwords
without issue.

Thanks, Joe

On Fri, May 18, 2018 at 4:35 PM, Alan DeKok <aland at> wrote:

> On May 18, 2018, at 10:20 AM, Rothstein, Joseph <joseph.rothstein at> wrote:
> >
> > I am trying to authenticate users on a FortiGate firewall against a
> > RADIUS server with a custom PAM library.  This PAM library is based on
> > individuals' enterprise username and a time-bound token which is
> > validated by a key file installed on the server.
>
>   What exact piece does what?  i.e. what packets get sent where?  The
> above description isn't clear.
>
> > I have verified the library works for SSH authentication; however, this
> > is generally done in two stages. First by entering a fixed username, and
> > then the system re-prompts the user for his personal enterprise username
> > for which the token was issued.
>
>   The pam_auth_radius module from the FreeRADIUS project does
> challenge-response just fine.
>
> > The problem I have is that the FortiGate GUI does not allow this
> > secondary username/token entry.
>
>   One solution then is to fix the FortiGate GUI... you can't really fix a
> third-party product by poking FreeRADIUS.
>
> > I was wondering if there is a way of configuring this "standard username"
> > in the "users" config file under the "Auth-type = PAM", and then passing
> > the corporate credentials and token through to PAM, as this is all I
> > really can enter in the FortiGate login GUI.
>
>   Maybe... but this is all a vague description.  Please describe the
> system in more detail.
>
>   What people *normally* do with things like RSA is to have the user enter
> the password as the 6-digit OTP, followed by their own custom password.
>
>   FreeRADIUS then splits the password into two fields.  Then checks the
> RSA token against RSA, and the user's password against the user database.
>
>   Alan DeKok.

*Joseph Rothstein*
Senior Security Architect

Roche Diagnostics International AG
Forrenstrasse 2
CH-6343 Rotkreuz

Tel.: +41 41 792 5556
Mobile: +41 79 900 2508

mailto: joseph.rothstein at
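The "OTP followed by the password in one field" approach Alan describes, as an added example that is not part of the original thread and not the poster's PAM library or anything FreeRADIUS ships. In FreeRADIUS the split itself would be done in unlang policy; this block models the server-side logic so it can be run offline: the single password field the FortiGate GUI sends is split into a fixed-length code and the user's own password, the code is checked against the key of the device's group (bound to user, device and time window), and the remainder is checked against the user database. The token format (HMAC-SHA256 over user, device and time window, truncated to 6 digits with the RFC 4226 rule), the 30-minute validity window, the device names, the group key and the user record are all constructed assumptions for illustration.

```python
"""Added example: split 'OTP + password' from one RADIUS User-Password field
and verify both halves. Token format and all sample data are ASSUMPTIONS,
not the poster's PAM library and not FreeRADIUS code."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

OTP_LEN = 6               # fixed-length code, so it can be split off without a delimiter
WINDOW_SECONDS = 30 * 60  # assumed validity period of an issued token (one time window)

# Constructed sample data (not from the page): one key per device group,
# each FortiGate mapped to its group, and a user password stored as a
# salted PBKDF2 hash rather than in clear.
GROUP_KEYS = {
    "branch-firewalls": bytes.fromhex(
        "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"),
}
DEVICE_GROUP = {"fgt-zrh-01": "branch-firewalls", "fgt-zrh-02": "branch-firewalls"}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


_SALT = b"constructed-salt"
USER_PASSWORDS = {"joe": (_SALT, _hash_password("correct horse battery staple", _SALT))}


def token_for(group_key: bytes, user: str, device: str, at: int) -> str:
    """Assumed token: HMAC-SHA256 over (user, device, time window) truncated to
    OTP_LEN digits with RFC 4226 dynamic truncation, so a code is bound to one
    user, one device and one validity window under that group's key."""
    window = at // WINDOW_SECONDS
    msg = f"{user}|{device}|".encode() + struct.pack(">Q", window)
    mac = hmac.new(group_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** OTP_LEN:0{OTP_LEN}d}"


def split_password(field: str) -> Optional[Tuple[str, str]]:
    """Split 'code followed by password' as typed into the single password box.
    Returns None when the prefix is not a well-formed code, so nothing is checked."""
    if len(field) <= OTP_LEN or not field[:OTP_LEN].isdigit():
        return None
    return field[:OTP_LEN], field[OTP_LEN:]


def verify_token(group_key: bytes, user: str, device: str, otp: str, now: int) -> bool:
    # Accept the current window and the one just before it, so a code issued
    # near the end of a window is not rejected by a few seconds of skew.
    ok = False
    for t in (now, now - WINDOW_SECONDS):
        ok |= hmac.compare_digest(token_for(group_key, user, device, t), otp)
    return ok


def verify_password(user: str, password: str) -> bool:
    entry = USER_PASSWORDS.get(user)
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash_password(password, salt), expected)


def authenticate(user: str, device: str, password_field: str, now: int) -> bool:
    """What the RADIUS back end does with User-Name, the requesting device and
    User-Password: split, check the code under the device group's key, check the
    remainder against the user database. Both halves must pass."""
    parts = split_password(password_field)
    if parts is None:
        return False
    otp, password = parts
    group = DEVICE_GROUP.get(device)
    if group is None:
        return False
    token_ok = verify_token(GROUP_KEYS[group], user, device, otp, now)
    password_ok = verify_password(user, password)
    return token_ok and password_ok


if __name__ == "__main__":
    now = 1_528_000_000
    code = token_for(GROUP_KEYS["branch-firewalls"], "joe", "fgt-zrh-01", now)
    print("login with code+password:", authenticate("joe", "fgt-zrh-01", code + "correct horse battery staple", now))
    print("same code on another device:", authenticate("joe", "fgt-zrh-02", code + "correct horse battery staple", now))
```

Because the code is fixed-length, no delimiter is needed and a password that itself starts with digits still splits correctly; a variable-length token would need a separator the GUI lets the user type, which is the point of keeping the prefix fixed. The device identity used for the binding should come from the NAS that sent the Access-Request (its source address or NAS-Identifier), not from anything the user can type.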
