Separate pam modules for multiple clients

Jeff McCarty freeradius at jeff.tagcomp.com
Fri Feb 9 22:13:07 CET 2018


I’m running FreeRadius 3.0.13 on RedHat EL 7 with IdM. IdM provides host-based access control by accepting or rejecting authentication via PAM. I’d like to set up two FreeRadius clients that authenticate users using two different PAM modules. It looks like the person in this thread was doing the same thing, but I can’t tell from the discussion how to set everything up: http://freeradius.1045715.n5.nabble.com/multiple-instances-of-pam-module-td5745379.html

I have changed the user and group to root in radiusd.conf because I’ve read that PAM won’t work with the radiusd user. I’ve added the following line to mods-config/files/authorize:

DEFAULT  Auth-Type := pam

I have multiple modules set up in my pam config file as below and have symlinked it to the mods-enabled folder:

pam {
    pam_auth = radiusd
}

pam pam-one {
    pam_auth = radiusd-one
}

pam pam-two {
    pam_auth = radiusd-two
}

I have created a file in sites-available and symlinked it to sites-enabled with the following contents:

server server-one {
    authenticate {
        pam-one
    }
}

server server-two {
    authenticate {
        pam-two
    }
}

And in my clients.conf file, I have:

client client-one {
    ipaddr = 192.168.0.1
    secret = secret-one
    virtual_server = server-one
}

client client-two {
    ipaddr = 192.168.0.2
    secret = secret-two
    virtual_server = server-two
}

With this configuration, no matter which client I use, it authenticates against the default radiusd PAM module. What am I missing?

