On all of our Linux workstations, we have configured the PAM modules to use RADIUS authentication. This works well for all of the various things like login on the console, login using ssh, sudo, etc. But it doesn't work with the screensaver/screenlock. When we try to use it, the screen never prompts for a password.
After researching the problem, it seems that the screenlock program needs to be able to read the RADIUS authentication shared secret. But if you make that file world-readable, that defeats some of the security of RADIUS authentication. I've messed with setuid and setgid, both without success. So, I'm stumped, and I just disable RADIUS authentication.
How can I set up RADIUS authentication properly?