Description

This article applies to BoKS Manager 7.1.

Authentication with an external Radius server is not supported.

Resolution / Workaround

To add support for authentication via an external Radius server, please download and install HFBM-0234 from the HelpSystems Community Portal.

This hotfix adds basic Radius support as an authentication method. On each BoKS host using this authentication method, one or more Radius servers must be listed in a configuration file. By default this file is $BOKS_etc/radiusclient/server. The format of each line in this file is:

host[:port] []
e.g. radius.my.dom testing123

A different file can be specified by setting the variable BOKS_RADIUS_CONFIG_FILE in $BOKS_etc/ENV. On some systems this file is often named /etc/raddb/server or /etc/pam_radius_auth.conf. In addition, a FreeRADIUS-style configuration file can be used by setting BOKS_RADIUS_CONFIG_TYPE=radiusclient in $BOKS_etc/ENV. This is often the file /etc/radiusclient/radiusclient.conf. See the FreeRADIUS documentation for information about the configuration.

A Radius authenticator is assigned to a user using the command authadm, e.g.

BoKS # authadm set -u ALL:someuser -t radius

The Radius server is called with the BoKS "to-user" or "from-user" name, depending on the method in the Access Rule. The Radius user name can also be set explicitly for the authenticator with the -d flag, e.g.

BoKS # authadm set -u ALL:boksname -t radius -d user=radiusname

An Access Rule is set to use Radius using the -f flag, either "radius" or "hardradius", e.g.

BoKS # boksrule -a -l ALL:someuser -m SSH_ALL -S 'ANY/*' -D '*' -f hardradius

Note 1: Radius authentication is not supported for xlock.
Note 2: Installing this hotfix will not enable Radius authentication management for users in FCC; it only adds support for doing this on the command line. However, the FCC maintenance release 7.1.0.2 adds support for this if the hotfix is applied.
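
As an added example (not part of the hotfix or the vendor documentation), the shell functions below resolve which Radius server file a BoKS host will use and flag it if it is accessible beyond its owner or still carries the sample secret testing123. The VAR=value layout of $BOKS_etc/ENV and the reading of the second field as the shared secret are assumptions based on the example line above; the sample directory is constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Assumptions: $BOKS_etc/ENV holds VAR=value
# lines, and field 2 of each server line is the shared secret, as in the
# article's sample line "radius.my.dom testing123".

# Print the server file in effect: BOKS_RADIUS_CONFIG_FILE from ENV if set,
# otherwise the default $BOKS_etc/radiusclient/server. $1 is the BoKS etc dir.
radius_config_path() {
    override=$(sed -n 's/^[[:space:]]*BOKS_RADIUS_CONFIG_FILE=//p' "$1/ENV" 2>/dev/null |
        tail -n 1 | tr -d "\"'")
    printf '%s\n' "${override:-$1/radiusclient/server}"
}

# Audit one server file; prints findings and returns how many there were.
audit_radius_file() {
    findings=0
    [ -f "$1" ] || { echo "MISSING: $1"; return 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$1" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "PERMS: $1 is accessible beyond its owner ($mode)"
        findings=$((findings + 1))
    fi
    # Count non-comment server lines that still carry the sample secret.
    weak=$(awk '$1 !~ /^#/ && $2 == "testing123" { n++ } END { print n + 0 }' "$1")
    if [ "$weak" -gt 0 ]; then
        echo "SECRET: $weak server line(s) in $1 use the sample secret"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a throwaway directory standing in for $BOKS_etc.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/radiusclient"
    printf 'radius.my.dom testing123\n' > "$d/radiusclient/server"
    chmod 644 "$d/radiusclient/server"
    : > "$d/ENV"
    printf '%s\n' "$d"
}

sample=$(make_sample)
audit_radius_file "$(radius_config_path "$sample")" || echo "findings: $?"
rm -rf "$sample"
```

On a real host, call radius_config_path with the BoKS etc directory and pass the result to audit_radius_file; a return value of 0 means neither check fired.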



Last Modified On: May 25, 2018