Multi-stage PAM authentication

Rothstein, Joseph joseph.rothstein at roche.com
Fri May 18 16:20:28 CEST 2018


I am trying to authenticate users on a FortiGate firewall against a RADIUS
server with a custom PAM library.  This PAM library is based on an individual's
enterprise username and a time-bound token which is validated by a key file
installed on the server.

I have verified the library works for SSH authentication; however, this is
generally done in two stages. First by entering a fixed username, and then
the system re-prompts the user for his personal enterprise username for
which the token was issued. For example (SSH client):

login as:   standard username

Corporate ID: enterprise username
Token:  [time-bound token]

The problem I have is that the FortiGate GUI does not allow this secondary
username/token entry.

I was wondering if there is a way of configuring this "standard username"
in the "users" config file under "Auth-Type = PAM", and then passing
the corporate credentials and token through to PAM, as this is all I can
really enter in the FortiGate login GUI.

Any ideas would be appreciated.

Regards to all, -JR
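The configuration below is an added example for the setup the post describes; it is not the poster's configuration and not part of the FreeRADIUS distribution. It shows the three pieces that have to line up for rlm_pam to drive a custom PAM stack: the `pam` module instance with its `pam_auth` service name, a `users` entry that forces `Auth-Type := PAM`, and the `/etc/pam.d/` service file that loads the custom library. The service name `radius-token`, the module file name `pam_corp_token.so`, and the NAS address 192.0.2.10 are placeholders chosen here, not names from the post. Note that rlm_pam has no separate "standard username" stage: it calls pam_start() with the RADIUS User-Name, answers PAM_PROMPT_ECHO_ON prompts with User-Name and PAM_PROMPT_ECHO_OFF prompts with User-Password, so the FortiGate user types the corporate ID into the username field and the token into the password field.

```conf
# /etc/raddb/mods-available/pam  (symlink into mods-enabled/)
# rlm_pam opens the PAM service named here for every Auth-Type = PAM request.
# "radius-token" is a placeholder service name chosen for this example.
pam {
        pam_auth = radius-token
}

# /etc/raddb/sites-enabled/default, authenticate section
# The "pam" line ships commented out in the stock virtual server; enable it.
authenticate {
        # ... other methods left as shipped ...
        pam
}

# /etc/raddb/users
# Force PAM for every request from this NAS (192.0.2.10 is an example address).
# A per-entry "Pam-Auth" check item could select a different PAM service
# instead of the module-wide pam_auth above.
DEFAULT NAS-IP-Address == 192.0.2.10, Auth-Type := PAM
        Reply-Message = "Token accepted"

# /etc/pam.d/radius-token
# Stack that rlm_pam drives. pam_corp_token.so stands in for the poster's
# custom library; its real name and options are not given in the post.
auth     required   pam_corp_token.so
account  required   pam_permit.so
```

Two practitioner caveats follow from how rlm_pam works. First, it needs the cleartext User-Password attribute, so the FortiGate RADIUS server object must be set to PAP, not CHAP or MS-CHAP; the password is then protected only by the RADIUS shared-secret obfuscation, so keep the NAS-to-server path on a trusted network or use RadSec. Second, the PAM library runs inside radiusd, so the key file it validates tokens against must be readable by the unprivileged user radiusd runs as, and nothing else.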


More information about the Freeradius-Users mailing list