User Authorization Using 'PAM Authentication Module(

Alan DeKok aland at
Thu Dec 6 16:27:05 CET 2018

On Dec 5, 2018, at 2:42 AM, Deepak Kumar Bhagat <Deepak.Bhagat at> wrote:
> I have a requirement to authenticate and authorize users for management access to the device using Radius Protocol.
> I'm using Linux PAM module ( for Radius client support and freeRADIUS as Radius server. 
> I have written sample PAM-enable application (check_user) to test the same. I could successfully test user authentication using my application. 

  That's good.

> As part of  user authorization, I'm sending 'Management-Privilege-Level (136)' RFC 5607 attribute in 'Access-Accept' and 
> Intend to use the same at the device to give different management access to the user. Different Management-Privilege-Level (MPL) levels are mapped as below.
> MPL	Access Level
> 1	Root user (read, write, exec)
> 2	Read only user (read)
> 3	Deny access (null)
> Is there a way to fetch/read/pass this attribute from to my PAM-enable application?? 

  Not in the current module.

> I checked source code, It seems it doesn't read any attribute from 'Access Accept' received from the server, 
> if that is the case then how can we enable 'PAM Authentication Module' to read the authorization attributes received in the response??

  Source code patches.

> Or, Can someone suggest how can we achieve user authorization using PAM Authentication module?? 
> One relevant reference form the mail list is, but it seems the code changes are not included in the module.

  If you can update the patch for the current module, I can add it in.

  Alan DeKok.

More information about the Freeradius-Users mailing list