From a switch that the device is plugged directly into (otherwise you’ll get the MAC of the next hop), first ping the IP address to ensure it’s in your ARP cache, then view the ARP cache, like so:

    ping 192.168.1.1
    show ip arp | i 192.168.1.1

The pipe to i (short for include) just ensures you only see the info you’re after. If you’re doing this on a switch with many devices, it’s handy to pare the output down to just what you need.

Configure libpam-radius-auth with your RADIUS servers and secrets:

    sudo pico /etc/pam_radius_auth.conf

Set permissions on /etc/pam_radius_auth.conf:

    sudo chmod 0600 /etc/pam_radius_auth.conf

Add auth sufficient pam_radius_auth.so to /etc/pam.d/login, and then to the following as desired, just above the line reading @include common-auth:

    /etc/pam.d/sshd

Add try_first_pass to the auth line in /etc/pam.d/common-auth:

    auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass

Make the user locally with a disabled password:

    sudo useradd -m USERNAME

or, to add a user and add them to the sudo group:

    sudo useradd -m -G sudo USERNAME

The one caveat that I’ve found with this is that when logging in with local users at the local console you are prompted for a password twice. This is fixed via step 5, but note that if you run pam-auth-update this change will be overwritten.
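
A check for the finished configuration, added here as an example and not part of the original post: it confirms the 0600 mode on the secrets file, that the pam_radius_auth.so line sits above @include common-auth, and that try_first_pass is still present after a pam-auth-update run. The function name check_radius_pam and its ROOT argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the PAM/RADIUS setup from the steps above.
# check_radius_pam ROOT SERVICE...   (hypothetical helper; ROOT is "" on a
# live host, or a scratch directory holding a copy of /etc for testing)
check_radius_pam() {
    root=$1; shift
    rc=0
    conf="$root/etc/pam_radius_auth.conf"
    # The file holds the RADIUS shared secrets: require exactly mode 0600.
    if [ -z "$(find "$conf" -prune -perm 600 2>/dev/null)" ]; then
        echo "FAIL: $conf is missing or not mode 0600"; rc=1
    fi
    for svc in "$@"; do
        f="$root/etc/pam.d/$svc"
        # Line numbers of the radius auth line and the common-auth include.
        r=$(grep -n -E '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_radius_auth\.so' \
            "$f" 2>/dev/null | head -n 1 | cut -d: -f1)
        i=$(grep -n -E '^[[:space:]]*@include[[:space:]]+common-auth' \
            "$f" 2>/dev/null | head -n 1 | cut -d: -f1)
        if [ -z "$r" ]; then
            echo "FAIL: $f has no 'auth sufficient pam_radius_auth.so' line"; rc=1
        elif [ -n "$i" ] && [ "$r" -gt "$i" ]; then
            echo "FAIL: $f: radius line is below '@include common-auth'"; rc=1
        fi
    done
    # Running pam-auth-update can overwrite common-auth and lose try_first_pass.
    ca="$root/etc/pam.d/common-auth"
    if ! grep -E '^[[:space:]]*auth[[:space:]].*pam_unix\.so' "$ca" 2>/dev/null |
            grep -q 'try_first_pass'; then
        echo "FAIL: $ca: pam_unix.so auth line lacks try_first_pass"; rc=1
    fi
    return "$rc"
}
# On a live host: check_radius_pam "" login sshd
```

The function returns non-zero if any check fails, so it can be run after package upgrades or after pam-auth-update.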