Is it possible to authenticate using RADIUS?
Moderators: ScalixSupport, admin
-
ts2136
Is it possible to authenticate using RADIUS?
Is it possible to authenticate users via RADIUS, and if so, how would I go about it?
-
florian
- Scalix
- Posts: 3852
- Joined: Fri Dec 24, 2004 8:16 am
- Location: Frankfurt, Germany
- Contact:
Absolutely; Scalix Authentication is based on PAM and there are PAM modules available for Radius - these are usually part of your Linux distribution.
Various services use different PAM config files; all of these can be found in /var/opt/scalix/sys/pam.d
ual.remote - Authentication for Outlook, SWA and IMAP clients
ual.local - Authentication for various command line clients (such as omtidyu)
pop3 - Authentication for POP3 clients
omslapdeng - Authentication of LDAP server
All these should usually be modified in parallel.
As RADIUS is delivered by a non-Scalix PAM module, one further thing needs to be looked at; Scalix hands over the username in "Scalix format", i.e. as a full X.400 string, including the mailnode, etc., and a lot of control characters. To convert the username into the Authentication ID, the om_om2authid PAM module must be used. Further information can be found in the modules manpage, but in principle, the following should be done:
1. Put the Radius username in the Authentication ID field of the user
ommodu -o lastname --authid radius_user_name
(or use the Advanced tab of the User Management portion of SAC to do that)
2. use the following - or similar - PAM configuration in ual.remote, etc.
auth required om_om2authid
auth required /lib/security/pam_radius.so
Hope this helps,
Florian.
Various services use different PAM config files; all of these can be found in /var/opt/scalix/sys/pam.d
ual.remote - Authentication for Outlook, SWA and IMAP clients
ual.local - Authentication for various command line clients (such as omtidyu)
pop3 - Authentication for POP3 clients
omslapdeng - Authentication of LDAP server
All these should usually be modified in parallel.
As RADIUS is delivered by a non-Scalix PAM module, one further thing needs to be looked at; Scalix hands over the username in "Scalix format", i.e. as a full X.400 string, including the mailnode, etc., and a lot of control characters. To convert the username into the Authentication ID, the om_om2authid PAM module must be used. Further information can be found in the modules manpage, but in principle, the following should be done:
1. Put the Radius username in the Authentication ID field of the user
ommodu -o lastname --authid radius_user_name
(or use the Advanced tab of the User Management portion of SAC to do that)
2. use the following - or similar - PAM configuration in ual.remote, etc.
auth required om_om2authid
auth required /lib/security/pam_radius.so
Hope this helps,
Florian.
Florian von Kurnatowski, Die Harder!
-
joel@open-unix.com
Clarification of RADIUS configuration directives
Could you please expand upon this a bit: I have followed your instructions to no avail. Additionally, there doesn't seem to be any good documentation on the authentication mechanisms and directives anywhere, could you offer a path to that as well?
Thanks!
Thanks!
-
florian
- Scalix
- Posts: 3852
- Joined: Fri Dec 24, 2004 8:16 am
- Location: Frankfurt, Germany
- Contact:
-
florian
- Scalix
- Posts: 3852
- Joined: Fri Dec 24, 2004 8:16 am
- Location: Frankfurt, Germany
- Contact:
if you refer to the general directives in the PAM config file, btw., I believe you'll have to google on linux pam - i seem to remember that redhat hosts the project and will also provide the doc pages on this; exept for the location of the config files, PAM is not Scalix-specific, but general Linux Admin Know-How, so we don't specifically document it, in particular not using authentication mechanisms such as Radius that we don't directly support; Scalix docs will have information on Kerberos and LDAP authentication.
Cheers,
Florian.
Cheers,
Florian.
Florian von Kurnatowski, Die Harder!
Who is online
Users browsing this forum: No registered users and 4 guests