pam_auth_radius - fallback with localifdown?

Martin Richard martin.richard at
Wed Jun 23 20:33:16 CEST 2010

On Wed, Jun 23, 2010 at 4:13 AM, Alan DeKok <aland at>wrote:

>  Double-check that it's returning PAM_IGNORE.  Maybe source code mods
>  If it is returning PAM_IGNORE, then it's a PAM problem.  Ask the
> question again on the PAM list.
  Found my problem.

  The pam_sm_authenticate() does return PAM_IGNORE with localifdown, as
expected. Added a lot of logging including the final return value
(PAM_IGNORE / 25). I had also tested that the stack was dealing with the
ignore properly by using So my stack for 'auth' as originally
posted works as expected, so I'm quite happy with the fallback setup.

  What was failing pseudo silently was the call to pam_sm_open_session() (or
rather pam_private_session()). I only had this single module listed in the
pam conf file, and since nothing was logged, I didn't catch on the fact that
my login failures were coming from the 'session' part. Since no success was
returned and it was my only line for PAM, it failed and I couldn't logon if
the radius servers were unreachable.

  Time permitting I might submit a patch to add some logging to
pam_private_session, if there would be interest from the dev team ?

  Thanks a lot for the infos and replies.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list