How to handle challenge response using PAM auth in FreeRadius

John Dennis jdennis at
Tue Mar 16 16:12:37 CET 2010

On 03/15/2010 02:32 PM, Rajendra Hegde wrote:
> pam_conv is good for holding interactive conversation locally for
> applications
> such as login, su etc.
> When used with radius server pam_conv failed to do prompt at remote_client.
> Please note that we are not interested in local conversation where PAM is
> located.
> The remote client I have used is one of the test applications from the
> radius suite.
> Let me ask you further.
> note: A and B are machines.
> {client @ A} ---> {radius at B} --> {PAM @ B}
> Now when I tested as said above, a call to pam_conv in PAM module at
> machine B
> did nothing. Are you sure it does prompt with a message at client @ A ?
> I look forward to your reply.
> Thanks,

O.K. That's part of the information I was trying to get you to reveal. 
You're talking about the client on the other side of the radius protocol 
and you're not talking about the pam conversation at the radius server.

If you want to send a challenge to the client you can emit an
ACCESS-CHALLENGE packet along with a reply-message. See 
src/modules/rlm_example/rlm_example.c for an example of how to do this. 
You'll still need to use pam_conv and I think you'll need some way to 
retain state. Also not all clients support access-challenge and if they 
don't they're allowed to assume they received auth-reject when they 
receive access-challenge.

John Dennis <jdennis at>
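
The Access-Challenge round described in the reply above, as an added example that is not part of the original post and is not FreeRADIUS code: it builds an RFC 2865 Access-Challenge carrying Reply-Message and State, and retains server-side state keyed by the State value so the follow-up Access-Request can be matched to the pending PAM conversation. The `ChallengeServer` class, its method names and the in-memory `pending` table are assumptions made for illustration.

```python
import hashlib
import os
import struct

ACCESS_CHALLENGE = 11               # RFC 2865 packet code
REPLY_MESSAGE, STATE = 18, 24       # RFC 2865 attribute types

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value (length counts the 2-byte header)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value

def parse_attrs(packet: bytes) -> dict:
    """Return {type: value} for the attributes after the 20-byte header."""
    out, pos = {}, 20
    end = struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= end:
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > end:
            raise ValueError("malformed attribute")
        out[t] = packet[pos + 2:pos + length]
        pos += length
    return out

class ChallengeServer:
    """Hypothetical server side: keeps per-conversation state between rounds."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = {}            # State token -> username awaiting a reply

    def challenge(self, ident: int, req_auth: bytes, user: str, prompt: str) -> bytes:
        token = os.urandom(16)       # opaque, unguessable State value
        self.pending[token] = user
        attrs = attr(REPLY_MESSAGE, prompt.encode()) + attr(STATE, token)
        header = struct.pack("!BBH", ACCESS_CHALLENGE, ident, 20 + len(attrs))
        # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
        resp_auth = hashlib.md5(header + req_auth + attrs + self.secret).digest()
        return header + resp_auth + attrs

    def resume(self, state: bytes):
        """Look up the conversation for an echoed State; each token is single use."""
        return self.pending.pop(state, None)
```

A client that supports Access-Challenge shows the Reply-Message text to the user and echoes the State attribute unchanged in its next Access-Request, which is what `resume()` matches on.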
