The Defender PAM uses a PAM RADIUS Access Control List file (/etc/pam_radius_acl.conf) to determine which service/user combinations will be authenticated by the Defender PAM.
The Access Control file should contain a list of <servicename>:<username> pairs, one line per entry, to indicate which service/user combinations require Defender authentication. The <servicename> and/or <username> may be replaced with an asterisk (*) or left blank to indicate a wildcard (all services or all users respectively).
If /etc/pam_radius_acl.conf does not exist, then all users must authenticate via Defender for every Defender PAM-enabled service. If the file exists but contains no entries, no users are required to authenticate via Defender.
To configure this... | Do this...
All users must authenticate via Defender for all Defender PAM-enabled services. | Use a single entry with wildcards for both <servicename> and <username>.
All users must authenticate via Defender for a specific service. | Use a wildcard for the <username>.
Specific users must authenticate via Defender for all services. | List individual users, but specify a wildcard for the <servicename>.
Specific users must authenticate via Defender for specific services. | List individual users and services without using wildcards.
No users require authentication via Defender. | Ensure that the /etc/pam_radius_acl.conf file exists, but remove all entries from the file.
The following is an example pam_radius_acl.conf file:
upm:*
telnet:
:john
*:sally
login:david
In this example, all users accessing the service upm or telnet must authenticate via Defender (upm:* uses an asterisk as the user wildcard, telnet: leaves the user blank; both forms are equivalent). Users john and sally must authenticate via Defender for every service (:john leaves the service blank, *:sally uses an asterisk). User david must authenticate via Defender for the login service only. Any servicename:username combination not matched by an entry in the file does not require the user to authenticate via Defender.
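The matching rules above are simple enough to model directly, which is useful for checking an ACL against the service/user pairs you expect before deploying it. The following is an added example written for this page, not code from the Defender PAM module. It reproduces the documented behaviour for wildcards (asterisk or blank), for a missing file (everyone must authenticate via Defender) and for an existing but empty file (nobody must). The page does not say how the module treats blank lines or lines without a colon; this example skips them, and that is an assumption.

```python
"""Model of the /etc/pam_radius_acl.conf matching rules described above.

Added example for this page; it is not the Defender PAM module's own code.
"""
from pathlib import Path
from typing import List, Optional, Tuple

# Constructed sample: the example pam_radius_acl.conf shown in the text.
EXAMPLE_ACL = """\
upm:*
telnet:
:john
*:sally
login:david
"""

Entry = Tuple[str, str]  # (servicename, username); "" or "*" is a wildcard


def parse_acl(text: str) -> List[Entry]:
    """Parse ACL text into (servicename, username) pairs, one per line."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # assumption: blank lines carry no entry
        if ":" not in line:
            continue  # assumption: a line without ':' is not a valid pair
        service, _, user = line.partition(":")
        entries.append((service.strip(), user.strip()))
    return entries


def load_acl(path: str) -> Optional[List[Entry]]:
    """Return the parsed entries, or None when the file does not exist.

    None is distinct from an empty list: a missing file means every user
    authenticates via Defender, an empty file means no user does.
    """
    acl_file = Path(path)
    if not acl_file.is_file():
        return None
    return parse_acl(acl_file.read_text())


def _matches(pattern: str, value: str) -> bool:
    """An asterisk or an empty field is a wildcard; otherwise exact match."""
    return pattern in ("", "*") or pattern == value


def requires_defender(entries: Optional[List[Entry]], service: str, user: str) -> bool:
    """Decide whether this service/user pair must authenticate via Defender."""
    if entries is None:
        return True  # no ACL file: everyone authenticates via Defender
    return any(_matches(s, service) and _matches(u, user) for s, u in entries)


if __name__ == "__main__":
    acl = parse_acl(EXAMPLE_ACL)
    # Constructed service/user pairs to exercise each rule in the sample file.
    for svc, usr in [("upm", "alice"), ("telnet", "bob"), ("sshd", "john"),
                     ("sshd", "sally"), ("login", "david"), ("sshd", "david"),
                     ("sshd", "bob")]:
        verdict = "Defender" if requires_defender(acl, svc, usr) else "no Defender"
        print(f"{svc}:{usr} -> {verdict}")
```

Run it against your own ACL with `requires_defender(load_acl("/etc/pam_radius_acl.conf"), service, user)` for each PAM-enabled service and the accounts that should, and should not, be challenged. Keep in mind that this only models the file; an entry for a service whose PAM stack does not include the Defender module has no effect, as the next paragraph notes.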
You should ensure that for each service specified in the pam_radius_acl.conf file there is a valid system PAM configuration for that service, as described in Step 1: Enable authentication for target service. An ACL entry for a service whose PAM stack does not call the Defender PAM has no effect.