Hi, We are using similar authentication, using static password from pam and then two factor from google authenticator. Works fine and user uses password like this: staticpart+googleauthcode (like this static124748) Eero Eero On Fri, May 18, 2018 at 5:24 PM Rothstein, Joseph < joseph.rothstein@roche.com> wrote:
I am trying to authenticate users on a FortiGate firewall against a Radius server with a custom PAM library. This PAM library is based on individuals enterprise username and a time-bound token which is validated by a key file installed on the server.
I have verified the library works for SSH authentication, however, this is generally done in two stages. First by entering a fixed username, and then the system re-prompts the user for his personal enterprise username for which the token was issued. For example (SSH client):
login as: standard username
Corporate ID: enterprise username Token: [time-round token]
The problem I have, is that the FortiGate GUI does not allow this secondary username/token entry.
I was wondering if there is a way of configuring this "standard username" in the "users" config file under the "Auth-type = PAM", and then passing the corporate credentials and token through to PAM, as this is all I really can enter in the FortiGate login GUI.
Any ideas would be appreciated.
Regards to all, -JR - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html