pam_auth_radius - fallback with localifdown?

Martin Richard martin.richard at
Wed Jun 23 17:44:08 CEST 2010

On Wed, Jun 23, 2010 at 4:13 AM, Alan DeKok <aland at>wrote:

> >   I do not think pam_radius_auth is behaving wrongly - looking at the
> > code is simple enough, I do get "All RADIUS servers failed to respond"
> > in the SYSLOG, so it should clearly be returning PAM_IGNORE as
> documented.
>   Double-check that it's returning PAM_IGNORE.  Maybe source code mods
>  If it is returning PAM_IGNORE, then it's a PAM problem.  Ask the
> question again on the PAM list.
  I've added logging at the end of talk_radius() to confirm that it was
returning PAM_IGNORE, and it was indeed the case. I posted to the pam list,
where someone suggested I used pam_debug to see how the stack reacted to

auth        required auth=ignore
auth        required      /lib/security/$ISA/
auth        sufficient    /lib/security/$ISA/ debug audit
likeauth nullok
auth        required      /lib/security/$ISA/
auth       required

  I can indeed login with the local auth via pam_unix in this case, so I'm
back at looking at the module's code.. I know talk_radius() is returning
PAM_IGNORE, here's the very last part of the function with my mod:

  if (!server) {
    _pam_log(LOG_ERR, "All RADIUS servers failed to respond.");
    if (conf->localifdown) {
      _pam_log(LOG_ERR, "Retval = PAM_IGNORE");
      retval = PAM_IGNORE;
    } else
      retval = PAM_AUTHINFO_UNAVAIL;
  } else {
    retval = PAM_SUCCESS;

  return retval;

  I'll have a look at the rest of the flow, see if it could have been
overriden elsewhere after that call.. I've never coded a pam module, am I
correct to guess that since I'm calling the module with an auth call from
the stack I should be looking at pam_sm_authenticate() ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list