### Linux radius client

# Notes:
    To authenticate a user against a RADIUS server, Linux still
    needs a matching local account to exist. The pam-radius
    module does not create that local user automatically.
    To create the local user automatically:
        Enable the pam-radius module.
        Enable rsyslog and cron.
        The user tries to log in for the first time (and fails).
        The ssh daemon logs the failed attempt ("invalid user NAME").
        Cron runs a script every minute that:
            Reads the log file and extracts the usernames.
            Verifies with the RADIUS server that each user exists.
            Creates the local user (home under /radius, group "radius").
        The user can now log in.
    Caveat: the usernames come from failed SSH logins, so they are
    attacker-controlled input. The script must validate them before
    handing them to useradd, and every login probe against sshd turns
    into one query to the RADIUS server.

# Install libpam-radius-auth and freeradius-utils (provides radtest)
    apt-get install libpam-radius-auth freeradius-utils

# Edit /etc/pam_radius_auth.conf
    Add the radius server. This file holds the shared secret, so keep it
    readable by root only (e.g. mode 0600):
        SERVER_IP_ADDRESS  PRESHARED-KEY  TIMEOUT

# Edit /etc/pam.d/sshd
# Edit /etc/pam.d/sudo
    Add as the first line:
        auth sufficient pam_radius_auth.so
    Note: as the first "sufficient" entry, a RADIUS accept for a username
    ends the auth stack regardless of the local password. Make sure RADIUS
    usernames cannot collide with local privileged accounts (e.g. root), or
    restrict those logins in sshd_config and sudoers.

# Edit /etc/ssh/sshd_config
    Change (or add). The script relies on LogLevel INFO producing the
    "input_userauth_request: invalid user NAME [preauth]" lines:
        SyslogFacility LOCAL6
        LogLevel INFO

# Edit /etc/rsyslog.conf
    Add (the leading "-" means the file is written asynchronously). This
    file will contain every username tried against sshd; the script
    processes and truncates it each run:
        local6.*    -/var/log/sshd.log

# Enable rsyslog and cron
    systemctl enable rsyslog.service
    systemctl enable cron.service

# Add the radius group
    addgroup --system radius

# Create the base dir for homes
    mkdir /radius
    chmod 755 /radius

# Create the script /usr/local/bin/userradius.sh
    Replace RADIUS_IP_ADDR and RADIUS_PASSWORD (RADIUSIP and RADIUSPSK)
    with the server address and shared secret. The script embeds the
    secret, so it must be owned by root and not world-readable.

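    #!/bin/bash
    # userradius.sh - create local accounts for users known to the RADIUS
    # server but not yet present on this host. Run by cron as root.
    #
    # Input : $SSHLOG, filled by rsyslog from sshd (facility local6). Every
    #         "input_userauth_request: invalid user NAME [preauth]" line is
    #         a candidate NAME. The log is truncated after each run.
    # Output: new accounts (home under $DIRHME, group "radius", no local
    #         password) and one audit line per creation in $LOGFILE.
    #
    # Security notes:
    # - NAME is attacker-controlled: anyone can attempt an SSH login with any
    #   string as the username. It is checked against a strict whitelist
    #   before reaching useradd, and looked up locally as an exact match.
    # - "Exists on the RADIUS server" is inferred from radtest reporting
    #   "Bad Encrypted password" for a dummy password (FreeRADIUS wording;
    #   verify it against your server before relying on it).
    # - RADIUSPSK is passed to radtest on its command line and is visible in
    #   `ps` while radtest runs; keep this script owned by root, mode 750.
    # - Every username probed against sshd becomes one RADIUS request; on an
    #   exposed host consider rate limiting (e.g. fail2ban) in front of it.
    set -u -o pipefail

    RADIUSIP='RADIUS_IP_ADDR'
    RADIUSPSK='RADIUS_PASSWORD'
    SSHLOG='/var/log/sshd.log'
    PATH='/usr/sbin:/usr/bin:/sbin:/bin'
    DIRHME='/radius'
    LOGFILE='/var/log/radius.log'
    # Conventional Unix username: starts with a lowercase letter or '_',
    # then lowercase letters, digits, '_' or '-', at most 32 characters.
    # Rejects a leading '-' (would be parsed as an option by useradd),
    # '/', '.', ':' and whitespace.
    NAME_RE='^[a-z_][a-z0-9_-]{0,31}$'

    # valid_username NAME -> 0 if NAME matches NAME_RE.
    valid_username() {
        [[ "$1" =~ $NAME_RE ]]
    }

    # list_candidates [LOG] -> one lowercased, blank-stripped, unique
    # username per line, taken from the "invalid user NAME [preauth]" lines.
    # Attempts for existing local users carry no "invalid user" marker and
    # are skipped. LOG defaults to $SSHLOG.
    list_candidates() {
        local log="${1:-$SSHLOG}"
        sed -n 's/.*input_userauth_request: invalid user \(.*\) \[preauth\].*/\1/p' "$log" \
            | tr 'A-Z' 'a-z' \
            | tr -d '[:blank:]' \
            | sed '/^$/d' \
            | sort -u
    }

    # radius_user_exists NAME -> 0 if the RADIUS server knows NAME.
    # A dummy password is sent: an unknown user gets a bare reject, a known
    # user a reject carrying "Bad Encrypted password". The reply is captured
    # rather than piped into grep -q so a closed pipe cannot mask the result.
    radius_user_exists() {
        local reply
        reply=$(radtest "$1" 'DUMMYPASS' "$RADIUSIP" '1812' "$RADIUSPSK" 2> /dev/null)
        [[ "$reply" == *'Bad Encrypted password'* ]]
    }

    # local_user_exists NAME -> 0 if an account with exactly that name exists
    # (exact match via NSS, not a prefix grep of /etc/passwd).
    local_user_exists() {
        getent passwd "$1" > /dev/null
    }

    # create_local_user NAME NOW -> create the account and its home, log it.
    create_local_user() {
        local name="$1" now="$2"
        if useradd -d "${DIRHME}/${name}" -g 'radius' -m -N -s '/bin/bash' "$name"; then
            chmod 700 "${DIRHME}/${name}"
            printf '%s - NAMEUSR creado: %s\n' "$now" "$name" >> "$LOGFILE"
        else
            printf '%s - useradd failed for: %s\n' "$now" "$name" >> "$LOGFILE"
        fi
        chmod 600 "$LOGFILE"
    }

    main() {
        local now name
        # Nothing to do when the log is missing or empty.
        [[ -s "$SSHLOG" ]] || return 0
        now=$(date '+%d/%m/%Y %H:%M:%S')
        while IFS= read -r name; do
            if ! valid_username "$name"; then
                # %q keeps an arbitrary rejected string on one audit line.
                printf '%s - rejected username: %q\n' "$now" "$name" >> "$LOGFILE"
                chmod 600 "$LOGFILE"
                continue
            fi
            # Cheap local checks first; only unknown names reach RADIUS.
            [[ -d "${DIRHME}/${name}" ]] && continue
            local_user_exists "$name" && continue
            radius_user_exists "$name" || continue
            create_local_user "$name" "$now"
        done < <(list_candidates "$SSHLOG")
        # Lines rsyslog writes between the read above and this truncate are
        # lost; the user simply retries and is picked up on the next run.
        truncate -s 0 "$SSHLOG"
    }

    main "$@"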

# Make the script root-owned and executable (it embeds the RADIUS shared secret)
    chown root:root /usr/local/bin/userradius.sh
    chmod 750 /usr/local/bin/userradius.sh

# Add the script to /etc/crontab (runs as root every minute)
    * * * * * root /usr/local/bin/userradius.sh >/dev/null 2>&1

# Reboot, or restart the affected services (rsyslog, ssh, cron)
