Separate pam modules for multiple clients

Alan DeKok aland at deployingradius.com
Fri Feb 9 22:52:11 CET 2018


On Feb 9, 2018, at 4:36 PM, Jeff McCarty <freeradius at jeff.tagcomp.com> wrote:
>> Which says to use the main "pam" module.  As the link above says, if you want to use different PAM modules, you need to use different names.
> 
> I didn’t know where else I could put it.

  It's not about where *else*.  It's about a *different name*.

  If you want it to use the "pam-one" module, you can't set "Auth-Type = pam", because the name "pam" isn't the same as the name "pam-one".  You must set "Auth-Type = pam-one" to use the pam-one module.

> I misunderstood. I thought that the default server provided default settings and that I only needed to provide settings that I wanted to change in the definition of my virtual server.

  Nothing in the documentation or examples says that.

  Read raddb/sites-available/README.  There is extensive documentation on how virtual servers work.

> I realized that I had commented out the virtual server line in the clients.conf file and forgot that I had never re-enabled it, so it’s only been using the default server.

  Which means it's only ever using the default policies.  Which means the "pam" module.

  To be honest, the simplest thing to do is to edit raddb/sites-enabled/default.  Look for the "authorize" section, and add this:

	if (Packet-Src-IP-Address == 192.168.0.1) {
		update control {
			Auth-Type := "pam-one"
		}
	}

  And then add similar ones for pam-two, etc.

  Then, make sure you list "pam-one", etc. in the "authenticate" section of that same file.

  Alan DeKok.
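
The configuration the reply above describes, pulled together as an added example (it is not part of the original post or of the FreeRADIUS distribution). It assumes two NAS clients at 192.168.0.1 and 192.168.0.2, two extra instances of the rlm_pam module named pam-one and pam-two, and PAM service files /etc/pam.d/radiusd-one and /etc/pam.d/radiusd-two that you create yourself; the module names, addresses and PAM service names are placeholders to adapt.

```unlang
#  raddb/mods-available/pam (or a new file in mods-enabled/)
#
#  Each extra instance of rlm_pam needs its own name.  The instance name
#  is what you put in Auth-Type; the pam_auth value is the PAM service
#  name, i.e. the file PAM looks for under /etc/pam.d/.
#  (Assumed names: pam-one / pam-two, radiusd-one / radiusd-two.)
pam pam-one {
	pam_auth = radiusd-one
}

pam pam-two {
	pam_auth = radiusd-two
}

#  raddb/sites-enabled/default
#
#  Pick the module instance by the source address of the request.
#  ":=" replaces any Auth-Type an earlier module may have set.
#  Put this before the modules that would otherwise decide Auth-Type.
authorize {
	if (Packet-Src-IP-Address == 192.168.0.1) {
		update control {
			Auth-Type := "pam-one"
		}
	}
	elsif (Packet-Src-IP-Address == 192.168.0.2) {
		update control {
			Auth-Type := "pam-two"
		}
	}
	# ... the rest of the stock authorize section follows ...
}

#  Listing an instance here creates the matching Auth-Type, so
#  Auth-Type := "pam-one" only works if pam-one appears in this section.
authenticate {
	pam-one
	pam-two
	# ... other authenticate entries ...
}
```

Check it with radiusd -XC to catch a misspelled instance name before starting the server, then run radiusd -X and send a test request with radtest from each client address; the debug output shows which pam-* instance handled the Auth-Type, and a "Failed to find module" style error at startup means the authorize and authenticate names do not match.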