The Defender PAM communicates with the Defender Security Server via the RADIUS protocol. The communication details for the Defender Security Server must be specified in the /etc/defender.conf file. This file must be readable by all.
The entries in the file must have the following format:
<hostname>:<portnumber> <sharedsecret> <timeout>
where <hostname> and <portnumber> identify the RADIUS endpoint of the Defender Security Server, <sharedsecret> is the RADIUS shared secret configured for that server, and <timeout> is the time in seconds to wait for a response before trying the next server.
You can specify more than one RADIUS server in the file. The Defender PAM attempts to connect to the servers in the order they are listed.
The following example enables the Defender PAM to communicate with the RADIUS server on host dss.example.com, port 1645, with shared secret shared_secret, and timeout of 3 seconds:
dss.example.com:1645 shared_secret 3
The Defender PAM uses a PAM RADIUS Access Control List file (/etc/pam_radius_acl.conf) to determine which service/user combinations will be authenticated by the Defender PAM.
The Access Control file should contain a list of <servicename>:<username> pairs (one line per entry), to indicate which service/user combinations require Defender authentication. The <servicename> and/or <username> may be substituted with an asterisk (*) or left blank to indicate a wildcard (all users or services).
If the /etc/pam_radius_acl.conf file does not exist, then all users must authenticate via Defender.
| To configure this... | Do this... |
|---|---|
| All users must authenticate via Defender for all Defender PAM-enabled services. | Use a single entry with wildcards for both <servicename> and <username>. |
| All users must authenticate via Defender for a specific service. | Use a wildcard for the <username>. |
| Specific users must authenticate via Defender for all services. | List individual users, but specify a wildcard for the <servicename>. |
| Specific users must authenticate via Defender for specific services. | List individual users and services without using wildcards. |
| No users require authentication via Defender. | Ensure that the /etc/pam_radius_acl.conf file exists, but remove all entries from the file. |
The following is an example pam_radius_acl.conf file:
upm:*
telnet:
:john
*:sally
login:david
In this example, all users accessing the service upm or telnet must authenticate via Defender. Users john and sally must authenticate via Defender for every service. User david must authenticate via Defender for the login service only. Any servicename:username combination not listed in the file does not require users to authenticate via Defender.
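To check what an ACL file actually enforces before relying on it, the following added example (not part of the Defender PAM documentation or product) applies the matching rules described above to a constructed copy of the example file; the handling of lines without a colon (they are skipped) is an assumption, since the text does not say how malformed lines are treated.

```python
import os
from typing import Optional

# Constructed sample: the same entries as the example pam_radius_acl.conf above.
SAMPLE_ACL = """upm:*
telnet:
:john
*:sally
login:david
"""


def parse_acl(text: str):
    """Parse <servicename>:<username> entries, one per line.
    Blank lines are ignored. Lines without ':' are skipped (assumption:
    the documentation does not define how malformed lines are handled)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        service, user = line.split(":", 1)
        entries.append((service.strip(), user.strip()))
    return entries


def _matches(pattern: str, value: str) -> bool:
    # An asterisk or an empty field is a wildcard for that position.
    return pattern in ("", "*") or pattern == value


def requires_defender(acl_text: Optional[str], service: str, user: str) -> bool:
    """Return True if this service/user pair must authenticate via Defender.
    acl_text is None when /etc/pam_radius_acl.conf does not exist."""
    if acl_text is None:
        return True  # no ACL file: every user must authenticate via Defender
    for svc_pat, usr_pat in parse_acl(acl_text):
        if _matches(svc_pat, service) and _matches(usr_pat, user):
            return True
    return False  # nothing matched; an empty file therefore matches nobody


def load_acl(path: str = "/etc/pam_radius_acl.conf") -> Optional[str]:
    """Read the ACL file, returning None if it is absent."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return f.read()


if __name__ == "__main__":
    for svc, usr in [("upm", "anyone"), ("sshd", "john"), ("sshd", "bob"), ("login", "david"), ("sshd", "david")]:
        print(f"{svc}:{usr} -> {'Defender' if requires_defender(SAMPLE_ACL, svc, usr) else 'no Defender'}")
```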
You should ensure that for each service specified in the pam_radius_acl.conf file there is a valid system PAM configuration for that service as described in Step 1: Enable authentication for target service.
You may need to add or modify Defender objects in Active Directory so that your UNIX/Linux system can use Defender authentication. You should ensure that an Access Node is defined for your UNIX/Linux system in the Defender configuration and that the Access Node is assigned to the Defender Security Servers listed in the /etc/defender.conf file.
Also, ensure that your UNIX users are defined in Active Directory, have tokens assigned to them, and are included under the Members tab of the Access Node object corresponding to your UNIX system.
You can test the configuration of the Defender PAM by using a test tool that is installed together with the Defender PAM. You can find this tool in /opt/quest/libexec/defender/check_pam_defender.
The test tool requires two arguments: the user name to test and the name of the service for which you want to test Defender authentication. The test tool attempts to access the Defender Security Servers configured in your environment, and if one or more servers are accessible, the tool attempts to authenticate the specified user via Defender by using the Defender PAM. Then, the tool reports the result.
© 2024 One Identity LLC. All rights reserved.