pam_auth_radius

Alan DeKok aland at deployingradius.com
Thu Feb 17 10:24:50 CET 2011


Marc Phillips wrote:
> For this new appliance, I'd like to use Radius, but I don't want
> to manage users or what groups they belong to on the device itself.
> I'd like to have the users auth against Radius and then apply a
> group based on an attribute recieved.

  I'd like that, too.

> I've done a little looking and I see no group support for 
> pam_auth_radius.  One thought I had was to add some sort of auto
> provision function to the pam module to add the user and associate
> that user with a group via the supplied attribute from radius, then
> remove the user on logout.

  That might work, but I have no idea how to do that.

  You will likely need a "nss_radius" module (e.g. /etc/nsswitch.conf)
However... it's been 10+ years that people have been talking about it,
and no one has done anything.  Part of the reason is that NSS is
incredibly strange, and I've never been able to figure it out.

  Alan DeKok.



More information about the Freeradius-Users mailing list