On Dec 5, 2018, at 2:42 AM, Deepak Kumar Bhagat <Deepak.Bhagat@radisys.com> wrote:
I have a requirement to authenticate and authorize users for management access to the device using Radius Protocol. I'm using Linux PAM module (pam_radius_auth.so) for Radius client support and freeRADIUS as Radius server. I have written sample PAM-enable application (check_user) to test the same. I could successfully test user authentication using my application.
That's good.
As part of user authorization, I'm sending 'Management-Privilege-Level (136)' RFC 5607 attribute in 'Access-Accept' and Intend to use the same at the device to give different management access to the user. Different Management-Privilege-Level (MPL) levels are mapped as below.
MPL Access Level 1 Root user (read, write, exec) 2 Read only user (read) 3 Deny access (null)
Is there a way to fetch/read/pass this attribute from pam_radius_auth.so to my PAM-enable application??
Not in the current module.
I checked pam_radius_auth.so source code, It seems it doesn't read any attribute from 'Access Accept' received from the server, if that is the case then how can we enable 'PAM Authentication Module' to read the authorization attributes received in the response??
Source code patches.
Or, Can someone suggest how can we achieve user authorization using PAM Authentication module?? One relevant reference form the mail list is https://www.redhat.com/archives/pam-list/2001-March/msg00056.html, but it seems the code changes are not included in the module.
If you can update the patch for the current module, I can add it in. Alan DeKok.