User Authorization Using 'PAM Authentication Module' (pam_radius_auth.so)

Alan DeKok aland at deployingradius.com
Thu Dec 6 16:27:05 CET 2018


On Dec 5, 2018, at 2:42 AM, Deepak Kumar Bhagat <Deepak.Bhagat at radisys.com> wrote:
> 
> I have a requirement to authenticate and authorize users for management access to the device using the RADIUS protocol.
> I'm using the Linux PAM module (pam_radius_auth.so) for RADIUS client support and FreeRADIUS as the RADIUS server.
> I have written a sample PAM-enabled application (check_user) to test the same. I could successfully test user authentication using my application.

  That's good.

> As part of user authorization, I'm sending the 'Management-Privilege-Level (136)' RFC 5607 attribute in the 'Access-Accept' and
> intend to use the same at the device to give different management access to the user. The different Management-Privilege-Level (MPL) levels are mapped as below.
> 
> MPL	Access Level
> 1	Root user (read, write, exec)
> 2	Read only user (read)
> 3	Deny access (null)
> 
> Is there a way to fetch/read/pass this attribute from pam_radius_auth.so to my PAM-enabled application?

  Not in the current module.

> I checked the pam_radius_auth.so source code; it seems it doesn't read any attribute from the 'Access-Accept' received from the server.
> If that is the case, then how can we enable the 'PAM Authentication Module' to read the authorization attributes received in the response?

  Source code patches.

> Or, can someone suggest how we can achieve user authorization using the PAM Authentication module?
> One relevant reference from the mailing list is https://www.redhat.com/archives/pam-list/2001-March/msg00056.html, but it seems the code changes are not included in the module.

  If you can update the patch for the current module, I can add it in.

  Alan DeKok.
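The thread stops at "source code patches", so here is what the missing piece looks like, as an added example that is not part of the original thread, of pam_radius_auth, or of FreeRADIUS: a client-side routine that verifies the Response Authenticator of an Access-Accept (RFC 2865 section 3), walks its attributes, pulls out Management-Privilege-Level (136, an integer per RFC 5607) and maps it to the access levels from the table in the post. The shared secret, the Request Authenticator, the packet identifier and the MPL-to-access-level table are constructed for the demo (the table is the one Deepak posted, which is site-specific, not an RFC mapping); the function names are mine.

```python
"""Extract Management-Privilege-Level (RFC 5607, attribute 136) from a RADIUS
Access-Accept, failing closed on bad authenticators, malformed attributes or a
missing/unknown level. Example code, not from pam_radius_auth or FreeRADIUS."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                 # RADIUS Code for Access-Accept (RFC 2865)
MANAGEMENT_PRIVILEGE_LEVEL = 136  # RFC 5607 attribute type, integer value

# Mapping from the post's table; a deployment would pick its own (assumption).
ACCESS_LEVELS = {1: "root", 2: "read-only", 3: "deny"}


def encode_integer(value):
    """RADIUS 'integer' attributes are 32-bit big-endian."""
    return struct.pack("!I", value)


def build_access_accept(identifier, request_auth, secret, attrs):
    """Build an Access-Accept (server side) with a correct Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret):
    """Client side: reject any reply whose Response Authenticator is wrong,
    otherwise a spoofed Access-Accept could hand out privileges."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Walk the Type/Length/Value list after the 20-byte header; every length
    field is bounds-checked before it is trusted."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def management_privilege_level(packet, request_auth, secret):
    """Return the MPL from a verified Access-Accept, or None if absent."""
    if not verify_response(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch; discarding reply")
    for atype, value in parse_attributes(packet):
        if atype == MANAGEMENT_PRIVILEGE_LEVEL:
            if len(value) != 4:
                raise ValueError("Management-Privilege-Level must be 4 bytes")
            return struct.unpack("!I", value)[0]
    return None


def access_level(mpl):
    """Map MPL to an access level; anything missing or unknown denies access."""
    return ACCESS_LEVELS.get(mpl, "deny")


def run_demo():
    """Constructed exchange: one good reply, one with a tampered attribute."""
    secret = b"testing123"                  # constructed shared secret
    request_auth = bytes(range(16))          # constructed Request Authenticator
    good = build_access_accept(7, request_auth, secret,
                               [(MANAGEMENT_PRIVILEGE_LEVEL, encode_integer(2))])
    mpl = management_privilege_level(good, request_auth, secret)
    # Flip the MPL value in flight (2 -> 1) without recomputing the authenticator.
    tampered = good[:-1] + bytes([1])
    try:
        management_privilege_level(tampered, request_auth, secret)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return mpl, access_level(mpl), tampered_rejected


if __name__ == "__main__":
    print(run_demo())
```

If this were wired into pam_radius_auth, the natural way to hand the level to the PAM-enabled application is to export it as a PAM environment variable (pam_putenv) or a PAM data item so the application never has to parse RADIUS itself; the default-deny in access_level is the part to keep whatever the transport.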




More information about the Freeradius-Users mailing list