Configuring PAM Authentication to fall back to local authentication if the external 2-Factor Authentication server is unavailable
Issue
- Two-Factor Authentication (2FA) has been properly configured with a Radius server for sudo and su using pam_radius_auth.so in /etc/pam.d/sudo
- If the 2FA Radius server is ever down, all authentication goes down
- If the 2FA Radius server is working but a user fails authentication, they are still presented with a prompt for local authentication (2FA isn't a strict requirement)
We would like a configuration that operates in the following manner:
1. If the 2FA server is operational, we want to make 2FA the only requirement and skip local authentication
2. We would like to have failover to local authentication, skipping 2FA, if the Radius server is down
Environment
Red Hat Enterprise Linux
PAM Authentication
Radius Authentication (or another 2-Factor Authentication service)
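The two requirements above come down to which PAM control action is applied to each return code of pam_radius_auth.so. The following is an added example, not Red Hat's solution and not code from this article: a simplified Python model of how libpam walks an auth stack, run over three constructed two-line stacks. It assumes pam_radius_auth.so returns authinfo_unavail when no Radius server answers and auth_err when the server rejects the user; pam_unix.so stands in for the local authentication lines.

```python
# Added example: simplified model of how libpam walks an "auth" stack.
# The three stacks are constructed for illustration, not taken from the article.
SHORTHAND = {
    "required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
}
SUFFICIENT = """auth sufficient pam_radius_auth.so
auth required pam_unix.so"""
REQUIRED = """auth required pam_radius_auth.so
auth required pam_unix.so"""
FALLBACK = """auth [success=done authinfo_unavail=ignore default=die] pam_radius_auth.so
auth required pam_unix.so"""

def parse(stack):
    """Turn PAM config lines into [(module, {return_code: action})]."""
    rules = []
    for line in stack.strip().splitlines():
        rest = line.split(None, 1)[1].strip()  # drop the "auth" type field
        if rest.startswith("["):
            control, tail = rest[1:].split("]", 1)
        else:
            word, tail = rest.split(None, 1)
            control = SHORTHAND[word]
        actions = dict(pair.split("=") for pair in control.split())
        rules.append((tail.split()[0], actions))
    return rules

def evaluate(stack, results):
    """Return (verdict, modules_run); results maps module -> PAM return code."""
    status, impression, ran = "success", None, []
    for module, actions in parse(stack):
        ret = results[module]
        ran.append(module)
        action = actions.get(ret, actions["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "+" and status == "success"):
                status, impression = ret, "+"
            if impression == "+" and action == "done":
                break  # decision made, later modules never prompt
        elif action in ("bad", "die"):
            if impression != "-":
                status, impression = ret, "-"
            if action == "die":
                break  # fail immediately, no local password prompt
        # "ignore": this module's result does not influence the verdict
    ok = status == "success" and impression == "+"
    return ("success" if ok else "denied"), ran
```

With the bracketed control, a reachable Radius server decides the outcome on its own, and only authinfo_unavail lets the stack continue to the local module. On that outage path authentication rests on the local password alone, so Radius reachability is worth monitoring.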
