AW: [EXTERNAL]: Re: FreeRADIUS / pam_radius

Senouci Briksi, Djelloul djelloul.briksi at
Wed Feb 16 14:57:07 UTC 2022

Thank for your quick answer.

Our use case is:
Freeradius server is configured with ldap, which holds users and their roles.
A role is e.g. 'admin' (who can do everything) or 'view' (who can only view/access some pages) or whatever.
The client (in our case witty-browser) knows how to react depending on user/role.
We had the idea to transmit/propagate the role as a Reply-Message to the client.
The client will get this information over conversation callback method.

I have found in book 'RADIUS, by Jonathan Hassell, O'reilly', that:
'Reply-Message' attributes are allowed in 'Access-Accept, Access-Reject, Access-Challenge'.

My idea is to do exactly what pam_radius_auth.c is doing when receiving Reply-Messages on PW_ACCESS_CHALLENGE, namely rad_converse(...), but this time also on PW_AUTHENTICATION_ACK.

Djelloul Briksi

-----Ursprüngliche Nachricht-----
Von: Freeradius-Devel < at> Im Auftrag von Alan DeKok
Gesendet: 16 February 2022 15:35
An: FreeRadius developers mailing list <freeradius-devel at>
Betreff: [EXTERNAL]: Re: FreeRADIUS / pam_radius

On Feb 16, 2022, at 8:43 AM, Senouci Briksi, Djelloul <djelloul.briksi at> wrote:
> We are using pam_radius to authenticate a witty http-browser (client) to a freeradius server.
> Our freeradius server is configured to send a dedicated/special Reply-Message when responding to an authenticate-request.

  OK.  Where do you think that Reply-Message will go?

> I have seen in pam_radius_auth.c<;!!NUSCbv4_!D-NLFfMPMk0GQ0ux8rDoWtHKO_eG0t2MlenP5LdAyrsUDIEZyvsO8wuBZr66nXBnTDPMyg$ > that Reply-Messages are only read as long as (response->code == PW_ACCESS_CHALLENGE).
> Reply-Messages are currently not read if (response->code == PW_AUTHENTICATION_ACK).
> Is there a reason why Reply-Messages are not read in this case?

  A better question is: What do you think the module should do with the Reply-Message?

  The module works as documented, and uses Reply-Message to do challenge / response prompting.

  If you want to do something else with Reply-Message, explain what you want to do.  And why.

  Alan DeKok.

List info/subscribe/unsubscribe? See;!!NUSCbv4_!D-NLFfMPMk0GQ0ux8rDoWtHKO_eG0t2MlenP5LdAyrsUDIEZyvsO8wuBZr66nXBC2cKkww$
This email and any attachments are only for use by the intended recipient(s) and may contain legally privileged, confidential, proprietary or otherwise private information. Any unauthorized use, reproduction, dissemination, distribution or other disclosure of the contents of this e-mail or its attachments is strictly prohibited. If you have received this email in error, please notify the sender immediately and delete the original. Neither this information block, the typed name of the sender, nor anything else in this message is intended to constitute an electronic signature unless a specific statement to the contrary is included in this message.

More information about the Freeradius-Devel mailing list