User Authorization Using 'PAM Authentication Module(

Deepak Kumar Bhagat Deepak.Bhagat at
Wed Dec 5 08:42:05 CET 2018

Hi All,

I have a requirement to authenticate and authorize users for management access to the device using Radius Protocol.
I'm using Linux PAM module ( for Radius client support and freeRADIUS as Radius server. 
I have written a sample PAM-enabled application (check_user) to test the same. I could successfully test user authentication using my application.

As part of user authorization, I'm sending the 'Management-Privilege-Level (136)' RFC 5607 attribute in 'Access-Accept' and
intend to use the same at the device to give different management access to the user. Different Management-Privilege-Level (MPL) levels are mapped as below.

MPL	Access Level
1	Root user (read, write, exec)
2	Read only user (read)
3	Deny access (null)

Is there a way to fetch/read/pass this attribute from to my PAM-enabled application?
I checked source code; it seems it doesn't read any attribute from the 'Access Accept' received from the server.
If that is the case, then how can we enable 'PAM Authentication Module' to read the authorization attributes received in the response?

Or, can someone suggest how we can achieve user authorization using PAM Authentication module?
One relevant reference from the mail list is, but it seems the code changes are not included in the module.

Many Thanks,
Deepak Bhagat.
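
Added example, not part of the original post and not code from the PAM module or freeRADIUS: the check a PAM-enabled application would need to make on an Access-Accept, locating Management-Privilege-Level (136) among the attributes and mapping it to the access levels in the post's table, with anything malformed, missing or unmapped denied. The names `authorize`, `enum access` and `sample_accept` and the sample packet bytes are constructed for illustration, and the Response Authenticator is assumed to have been verified before this runs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RADIUS_ACCESS_ACCEPT 2
#define ATTR_MGMT_PRIV_LEVEL 136  /* Management-Privilege-Level, RFC 5607 */
#define RADIUS_HDR_LEN 20         /* code, id, length(2), authenticator(16) */

enum access { ACCESS_DENY, ACCESS_READ_ONLY, ACCESS_ROOT };

/* Walk the attribute TLVs of an Access-Accept and map attribute 136 to the
 * access levels in the post's table; malformed, missing or unmapped denies.
 * Assumption: the caller already verified the Response Authenticator. */
enum access authorize(const uint8_t *pkt, size_t len)
{
    if (len < RADIUS_HDR_LEN || pkt[0] != RADIUS_ACCESS_ACCEPT)
        return ACCESS_DENY;
    size_t plen = ((size_t)pkt[2] << 8) | pkt[3];   /* big-endian length */
    if (plen < RADIUS_HDR_LEN || plen > len)
        return ACCESS_DENY;
    for (size_t off = RADIUS_HDR_LEN; off + 2 <= plen; ) {
        uint8_t type = pkt[off], alen = pkt[off + 1];
        if (alen < 2 || off + alen > plen)
            return ACCESS_DENY;            /* truncated or bogus attribute */
        if (type == ATTR_MGMT_PRIV_LEVEL) {
            if (alen != 6)
                return ACCESS_DENY;        /* value must be a 4-octet integer */
            uint32_t mpl = ((uint32_t)pkt[off + 2] << 24) | ((uint32_t)pkt[off + 3] << 16) |
                           ((uint32_t)pkt[off + 4] << 8) | pkt[off + 5];
            if (mpl == 1) return ACCESS_ROOT;
            if (mpl == 2) return ACCESS_READ_ONLY;
            return ACCESS_DENY;            /* 3 and every unmapped level */
        }
        off += alen;
    }
    return ACCESS_DENY;                    /* attribute absent */
}

/* Constructed sample: Access-Accept, zeroed authenticator, Service-Type (6)
 * followed by Management-Privilege-Level = 2. */
static const uint8_t sample_accept[32] = {
    2, 0x2a, 0x00, 0x20, [20] = 6, 6, 0, 0, 0, 6, 136, 6, 0, 0, 0, 2 };

int main(void)
{
    static const char *names[] = { "deny", "read-only", "root" };
    printf("access: %s\n", names[authorize(sample_accept, sizeof sample_accept)]);
    return 0;
}
```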
