Multi-stage PAM authentication
Rothstein, Joseph
joseph.rothstein at roche.com
Fri May 18 16:20:28 CEST 2018
I am trying to authenticate users on a FortiGate firewall against a RADIUS
server with a custom PAM library. This PAM library is based on an individual's
enterprise username and a time-bound token which is validated by a key file
installed on the server.
I have verified the library works for SSH authentication; however, this is
generally done in two stages. First by entering a fixed username, and then
the system re-prompts the user for his personal enterprise username for
which the token was issued. For example (SSH client):
login as: standard username
Corporate ID: enterprise username
Token: [time-bound token]
The problem I have is that the FortiGate GUI does not allow this secondary
username/token entry.
I was wondering if there is a way of configuring this "standard username"
in the "users" config file under the "Auth-type = PAM", and then passing
the corporate credentials and token through to PAM, as this is all I really
can enter in the FortiGate login GUI.
Any ideas would be appreciated.
Regards to all, -JR