Score:0

OTP before password with pam_radius and NPS

bd flag

I have successfully configured pam_radius on a Ubuntu client so that users are asked for an OTP. The radius server is an NPS with Azure MFA extension. The OTP is checked against Azure.

It works well, but I'd rather not send the user credentials to the NPS, so that only the OTP is checked. Also it would be nice to ask the user for OTP before the password.

I read elsewhere (https://learn.microsoft.com/en-us/answers/questions/20921/mfa-nps-error.html) that if we choose "Accepting users without validating credentials" on the NPS (in addition to "skip_passwd" on pam_radius_auth configuration), this would work - but it doesn't.

Is this because pam_radius will always try to authenticate with both password and OTP? Or maybe NPS will always ask for a password? But on the other hand, the pam_radius_auth documentation says that skip_passwd will send a null password in that case, so why am I still asked for the password?

Best, Francis

donpop
kr flag
Francis, do you mind sharing your code?
bd flag
Hi @donpop! Which code? `pam_radius` is available on the net. Do you mean its configuration?
Score:0
dz flag

Would you be able to share the steps you followed to do this? I am currently trying to do the exact same thing. We already have mfa with ms authenticator set up for our office online/exchange/vpn stuff, but we would also like to implement this on our ubuntu desktop GUI.

I've been able to implement the google pam authenticator locally on each system with the ms authenticator app, but that involves adding a new account to the app, and I'd like to use the current mfa already in use by users.

We have the radius/ntp/azure in place already, I just don't know what I need to do on the ubuntu desktop side to get it connected to it.

bd flag
Hi! You did the hard part, then. What you gotta do is to install [pam_radius](https://github.com/FreeRADIUS/pam_radius), then configure it to talk to the NPS server. Basically this mechanism involves having a PAM client on each Linux host you want to authenticate against the Azure 2FA. But this was to log in on the terminal, I haven't tested it on the Desktop.
gg flag
This does not really answer the question. If you have a different question, you can ask it by clicking [Ask Question](https://serverfault.com/questions/ask). To get notified when this question gets new answers, you can [follow this question](https://meta.stackexchange.com/q/345661). Once you have enough [reputation](https://serverfault.com/help/whats-reputation), you can also [add a bounty](https://serverfault.com/help/privileges/set-bounties) to draw more attention to this question. - [From Review](/review/late-answers/539831)
Score:0
bd flag

Just got what was wrong: ticking "Accept users without validating credentials" did the trick. I had confused it with "Allow clients to connect without negotiating an authentication method" under Authentication settings. It now works as desired.
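The client-side half of this setup, as an added example that is not from the thread: stage `/etc/pam_radius_auth.conf` and insert `pam_radius_auth.so skip_passwd` ahead of `common-auth` in a PAM service file, so the NPS (with "Accept users without validating credentials" ticked, as above) is asked for the OTP first and pam_unix asks for the local password second. The NPS address 192.0.2.10 and the secret are placeholders.

```shell
#!/bin/sh
# Added example, not the thread's own code. Stages the files pam_radius needs
# on the Ubuntu client; the NPS side is the checkbox from the accepted answer.
# Placeholders: NPS 192.0.2.10, shared secret CHANGE_ME, PAM service "sshd".

# /etc/pam_radius_auth.conf line format: "server[:port] shared_secret timeout".
# The shared secret must not be world-readable, hence mode 0600.
write_radius_conf() {   # $1 = staging root ("/" for a real run), $2 = NPS, $3 = secret
    mkdir -p "$1/etc"
    printf '%s %s 3\n' "${2:-192.0.2.10}" "${3:-CHANGE_ME}" > "$1/etc/pam_radius_auth.conf"
    chmod 600 "$1/etc/pam_radius_auth.conf"
}

# Filter an existing PAM service file (e.g. /etc/pam.d/sshd) on stdin and emit
# it with pam_radius_auth inserted before the first "@include common-auth".
# skip_passwd makes the module send a null User-Password and prompt only for
# what the NPS challenges for (the OTP); common-auth (pam_unix) then prompts
# for the local password, so the user sees OTP first, password second.
add_radius_first() {
    awk -v line='auth    required    pam_radius_auth.so skip_passwd' '
        !done && /^@include[[:space:]]+common-auth/ { print line; done = 1 }
        { print }'
}

# Sanity check: returns 0 if the PAM file consults RADIUS before the local
# password, 1 otherwise (wrong order would ask for the password first).
radius_before_password() {   # $1 = PAM service file
    r=$(grep -n 'pam_radius_auth\.so' "$1" | head -n 1 | cut -d: -f1)
    p=$(grep -n 'common-auth' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$r" ] && [ -n "$p" ] && [ "$r" -lt "$p" ]
}

# Real run (as root):
#   write_radius_conf / 192.0.2.10 "$RADIUS_SECRET"
#   add_radius_first < /etc/pam.d/sshd > /tmp/sshd.new   # review, then install
#   radius_before_password /tmp/sshd.new && cp /tmp/sshd.new /etc/pam.d/sshd
# For ssh logins sshd_config also needs "UsePAM yes" and
# "KbdInteractiveAuthentication yes" (ChallengeResponseAuthentication on
# older OpenSSH) so the OTP challenge prompt actually reaches the user.
```

Keep a root shell open while testing the new stack; a misordered or failing module can lock you out of fresh logins.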
