User Authorization Using PAM Authentication Module (pam_radius_auth.so)
aland at deployingradius.com
Thu Dec 6 16:27:05 CET 2018
On Dec 5, 2018, at 2:42 AM, Deepak Kumar Bhagat <Deepak.Bhagat at radisys.com> wrote:
> I have a requirement to authenticate and authorize users for management access to the device using the RADIUS protocol.
> I'm using the Linux PAM module (pam_radius_auth.so) for RADIUS client support and FreeRADIUS as the RADIUS server.
> I have written a sample PAM-enabled application (check_user) to test the same. I could successfully test user authentication using my application.
> As part of user authorization, I'm sending the 'Management-Privilege-Level (136)' RFC 5607 attribute in the 'Access-Accept' and
> intend to use the same at the device to give different management access to the user. The different Management-Privilege-Level (MPL) levels are mapped as below.
> MPL  Access level
> 1    Root user (read, write, exec)
> 2    Read-only user (read)
> 3    Deny access (null)
> Is there a way to fetch/read/pass this attribute from pam_radius_auth.so to my PAM-enabled application?
Not in the current module.
> I checked the pam_radius_auth.so source code; it seems it doesn't read any attribute from the 'Access-Accept' received from the server.
> If that is the case, then how can we enable the 'PAM Authentication Module' to read the authorization attributes received in the response?
Source code patches.
> Or, can someone suggest how we can achieve user authorization using the PAM Authentication Module?
> One relevant reference from the mailing list is https://www.redhat.com/archives/pam-list/2001-March/msg00056.html, but it seems the code changes are not included in the module.
If you can update the patch for the current module, I can add it in.
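As an added example, not code from pam_radius_auth.so, FreeRADIUS or anyone in this thread: the part a patch to the module would have to get right before it can hand an access level to the PAM application. A RADIUS client must not read Management-Privilege-Level (136) out of a reply until it has checked the packet framing and verified the Response Authenticator (RFC 2865: MD5 over Code, ID, Length, the Request Authenticator it sent, the attributes and the shared secret). Otherwise anyone who can spoof a UDP packet from the server's address can grant themselves root. The MPL-to-access mapping is the one from the post; the shared secret and Request Authenticator are constructed values; treating a missing or unknown MPL as "deny" (fail closed) is this example's assumption, not something RFC 5607 mandates.

```python
"""Verify a RADIUS Access-Accept and extract Management-Privilege-Level (136).

Added example, not code from pam_radius_auth.so.  build_response() plays the
server so the example runs offline; authorize() is the client-side check a
patched PAM module would need.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
MANAGEMENT_PRIVILEGE_LEVEL = 136      # RFC 5607, 4-octet integer
HEADER_LEN = 20                       # Code(1) ID(1) Length(2) Authenticator(16)

# Site policy from the original post.  Any other value, and a missing
# attribute, map to "deny": fail closed (this example's assumption).
MPL_ACCESS = {1: "root", 2: "read-only", 3: "deny"}


def build_response(code, ident, request_auth, secret, attrs):
    """Build a server reply per RFC 2865 section 3 (used only to make test packets).

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    """
    body = b"".join(struct.pack("!BB", atype, 2 + len(value)) + value
                    for atype, value in attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(body):
    """Walk the Type/Length/Value list, rejecting truncated or zero-length TLVs."""
    attrs = []
    i = 0
    while i < len(body):
        if len(body) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length %d" % alen)
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def authorize(packet, request_auth, secret):
    """Return (code, mpl, access) for a reply, or raise ValueError.

    A malformed packet or a Response Authenticator mismatch raises, so a
    forged or tampered reply never produces an access level at all.
    """
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad Length field")
    packet = packet[:length]          # RFC 2865: octets past Length are padding
    body = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        raise ValueError("Response Authenticator mismatch")
    if code != ACCESS_ACCEPT:
        return code, None, "deny"
    mpl = None
    for atype, value in parse_attributes(body):
        if atype == MANAGEMENT_PRIVILEGE_LEVEL:
            if len(value) != 4:
                raise ValueError("Management-Privilege-Level must be 4 octets")
            mpl = struct.unpack("!I", value)[0]
    return code, mpl, MPL_ACCESS.get(mpl, "deny")


if __name__ == "__main__":
    secret = b"testing123"             # constructed shared secret
    req_auth = bytes(range(16))        # constructed; a real client sends 16 random octets
    reply = build_response(ACCESS_ACCEPT, 7, req_auth, secret,
                           [(MANAGEMENT_PRIVILEGE_LEVEL, struct.pack("!I", 2))])
    print(authorize(reply, req_auth, secret))
```

The client has to keep the Request Authenticator and ID of the Access-Request it sent, since both go into the check; a module that only looks at the Code byte, as the question describes, has no way to tell a genuine Access-Accept from a replayed or spoofed one.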