pam_radius_auth query

Alan DeKok aland at deployingradius.com
Sat Feb 26 08:50:53 CET 2011


vijay s sheelavantar wrote:
> Marc and Alan, thanks for the reply.

  (1) Don't reply to digest emails.  It breaks the threading.

  (2) Edit your posts.  Including hundreds of lines of irrelevant text
is annoying.

> What I exactly mean by authorization is Management-Privilege-Level which
> is defined in RFC 5607, 

  Which was published many, many years after the last release of the
PAM RADIUS module.

  And why couldn't you say that in the first message?

> If a user belongs to a certain group and has the privilege level
> (security admin or administrator) then only he can execute certain
> commands on the NE.
> Right now the PAM module is doing this in my NE. I want it to be done by
> the RADIUS server.

  This isn't how PAM works.  Individual commands are not seen by the PAM
module.

> Now pam_radius_auth module sends "authentication only" in request
> message so, the server is not doing authorization it seems.

  The documentation says what it does.  The documentation doesn't say it
does authorization.  There is no "it seems" about it.  The documentation
is clear.

> How can I ask the server to do authorization, and when the server sends the
> authorization attributes (AVPs) in the Access-Accept message, how do I
> process those values? Or will the PAM module take care of this thing?

  What you want is impossible to do with PAM.

> I am really not getting how to support this "management-privilege-level"
> feature using pam-radius-auth.

  What you want is impossible to do with PAM.

  Alan DeKok.


