This is a simple and safe example on how to enable radius
authentication to the console login on a Debian system and
you are too lazy to read the USAGE documentation.

Edit /etc/pam.d/login

The default looks like:

[SNIP]

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# This module parses /etc/environment (the standard for setting
# environ vars) and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# (Replaces the `ENVIRON_FILE' setting from login.defs)
auth       required   pam_env.so

# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
@include common-auth

[SNIP]


Insert the following line:

auth       sufficient   pam_radius_auth.so

AFTER

auth       required   pam_env.so

and BEFORE

# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
@include common-auth

so that it will looks like:

[SNIP]

# This module parses /etc/environment (the standard for setting
# environ vars) and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# (Replaces the `ENVIRON_FILE' setting from login.defs)
auth       required   pam_env.so

##### RADIUS #####
auth       sufficient   pam_radius_auth.so

# Standard Un*x authentication. The "nullok" line allows passwordless
# accounts.
@include common-auth

[SNIP]

Try now to login in one of the consoles using the radius password.
If it fails the system will prompt again for a password. This time
provide the local one.

