Configure Mideye MFA for Linux SSH & sudo via PAM RADIUS

This guide describes how to configure Linux SSH and sudo authentication to use Mideye Server for multi-factor authentication via the PAM RADIUS module (pam_radius_auth).

After completing the steps below, users connecting via SSH will be prompted for a second authentication factor through the Mideye Server.

Component	Details
PAM module	pam_radius_auth (FreeRADIUS pam_radius)
Linux distributions	RHEL / CentOS / Rocky Linux / AlmaLinux (yum/dnf), Debian / Ubuntu (apt)
Mideye Server	5.x / 6.x

Prerequisites

• A running Mideye Server with RADIUS enabled (default UDP port 1812)
• The Linux server must be added as a RADIUS client in Mideye Server
• Root or sudo access on the Linux server
• Network connectivity from the Linux server to Mideye Server on UDP port 1812
• User accounts must exist in both the Linux server and the Mideye user repository (Active Directory, LDAP, or local database)

1. Install the PAM RADIUS module

Install the pam_radius package from the EPEL repository:

yum -y install epel-release
yum -y install pam_radius

Debian / Ubuntu

On Debian-based distributions, use:

apt-get install libpam-radius-auth

The configuration file path is /etc/pam_radius_auth.conf instead of /etc/pam_radius.conf.

For more information on the PAM RADIUS module, refer to the FreeRADIUS pam_radius GitHub repository and the USAGE documentation.

2. Configure pam_radius.conf

Edit /etc/pam_radius.conf and add the Mideye Server connection details in the following format:

# server[:port]      shared_secret      timeout (s)
10.10.20.30          supersecretsecret  35

Setting	Value
Server address	IP address of the Mideye Server
Shared secret	Must match the RADIUS client configuration in Mideye Server
Timeout	35 seconds — required for MFA flows

Caution

The timeout must be at least 35 seconds. A lower value may cause the session to expire before the user has time to enter an OTP or approve a push notification.

For full configuration options, see the pam_radius_auth.conf sample.

Save the changes.

3. Configure PAM for SSH

Edit /etc/pam.d/sshd and add the RADIUS authentication line after pam_sepermit.so:

auth   sufficient   pam_radius_auth.so client_id=LinuxPAM

The client_id parameter sets the NAS-Identifier sent to Mideye Server. This must match the NAS-ID configured in the Mideye RADIUS client.

Example /etc/pam.d/sshd configuration:

#%PAM-1.0
auth    required     pam_sepermit.so
auth    sufficient   pam_radius_auth.so client_id=LinuxPAM
auth    substack     password-auth
auth    include      postlogin

For more on the client_id and other parameters, see the pam_radius USAGE documentation.

Save the changes.

4. Enable Challenge-Response in SSH

Edit /etc/ssh/sshd_config and enable Challenge-Response authentication:

ChallengeResponseAuthentication yes

If the line exists with no, change it to yes. If it is commented out, uncomment and set to yes.

Save the changes.

5. Restart the SSH service

systemctl restart sshd

6. Add Linux users

User accounts must exist on the Linux server, even though passwords are managed by Mideye Server (via Active Directory, LDAP, or local database).

For a user with LDAP username testuser@company.com, create a local account using just the username:

adduser testuser

Caution

Do not set a local password for the user. The password in the Mideye Server user repository will be used for authentication.

Troubleshooting

Symptom	Check
SSH times out before OTP entry	Verify timeout in /etc/pam_radius.conf is set to at least 35 seconds
Authentication fails immediately	Verify shared secret matches between /etc/pam_radius.conf and Mideye Server RADIUS client
No RADIUS logs in Mideye Server	Verify UDP port 1812 is open between the Linux server and Mideye Server
OTP prompt does not appear	Verify ChallengeResponseAuthentication yes is set in /etc/ssh/sshd_config and SSH is restarted
User not found	Verify the Linux user exists (id testuser) and the username matches the Mideye user repository
client_id mismatch	Verify the NAS-ID in /etc/pam.d/sshd matches the NAS-ID in the Mideye RADIUS client configuration

Related links

Mideye documentation

• RADIUS Clients — add the Linux server as a RADIUS client in Mideye Server
• RADIUS Integrations — authentication flows and supported auth types
• Authentication Types — all supported Mideye authentication methods
• RADIUS Timeout — how the timeout affects authentication
• Support Center — contact Mideye support for integration assistance

External documentation

• FreeRADIUS pam_radius GitHub repository — source code and documentation
• pam_radius USAGE documentation — all module parameters
• pam_radius_auth.conf sample — configuration file reference