Separate pam modules for multiple clients

Alan DeKok aland at deployingradius.com
Fri Feb 9 22:22:55 CET 2018


On Feb 9, 2018, at 4:13 PM, Jeff McCarty <freeradius at jeff.tagcomp.com> wrote:
> 
> I’m running FreeRadius 3.0.13 on RedHat EL 7 with IdM. IdM provides host-based access control by accepting or rejecting authentication via PAM. I’d like to set up two FreeRadius clients that authenticate users using two different PAM modules. It looks like the person in this thread was doing the same thing, but I can’t tell from the discussion how to set everything up: http://freeradius.1045715.n5.nabble.com/multiple-instances-of-pam-module-td5745379.html

  OK...

> I have changed the user and group to root in radiusd.conf because I’ve read that PAM won’t work with the radiusd user. I’ve added the following line to mods-config/files/authorize:
> 
> DEFAULT  Auth-Type := pam

  Which says to use the main "pam" module.  As the link above says, if you want to use different PAM modules, you need to use different names.

> I have multiple modules set up in my pam config file as below and have symlinked it to the mods-enabled folder:
> 
> pam {
>    pam_auth = radiusd
> }
> 
> pam pam-one {
>    pam_auth = radiusd-one
> }
> 
> pam pam-two {
>    pam_auth = radiusd-two
> }

  OK, that's good.

> I have created a file in sites-available and symlinked it to sites-enabled with the following contents:
> 
> server server-one {
>    authenticate {
>        pam-one
>    }
> }

  What is that supposed to be?

  You can't just delete *everything* in a virtual server, and expect it to work.  The "default" virtual server has multiple sections (authorize, etc.) and multiple modules (files, etc.) for a reason.

> And in my clients.conf file, I have:
> 
> client client-one {
>    ipaddr = 192.168.0.1
>    secret = secret-one
>    virtual_server = server-one
> }

  Which sends packets from that client through "server-one".

> With this configuration, no matter which client I use, it authenticates against the default radiusd PAM module. What am I missing?

  I doubt that very much.  If packets come from 192.168.0.1, they will get sent through the "server-one" virtual server, which will do *nothing useful*.

  I suspect that there are other things broken in the configuration.  Since you didn't post the debug output, it's impossible to know what's broken, or what it's doing.

  Alan DeKok.
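As an added example from the editor, not from the thread or the FreeRADIUS project, this is the shape of configuration the reply above points at: each client is routed to its own virtual server, and each virtual server has an authorize section that sets Auth-Type to the matching pam instance plus an authenticate section that runs it. The second client's address is constructed, and the Auth-Type names are assumed to follow the instance names in the poster's mods-enabled/pam.

```conf
# Added example (editor's, not from the thread). One virtual server per
# client; each forces Auth-Type to its own rlm_pam instance from
# mods-enabled/pam. Second client's address is constructed.

# clients.conf
client client-one {
    ipaddr         = 192.168.0.1
    secret         = secret-one        # placeholder shared secret
    virtual_server = server-one
}
client client-two {
    ipaddr         = 192.168.0.2       # constructed
    secret         = secret-two        # placeholder shared secret
    virtual_server = server-two
}

# sites-available/server-one (symlinked into sites-enabled)
server server-one {
    authorize {
        # Instance name must match "pam pam-one { ... }" in mods-enabled/pam
        update control {
            Auth-Type := pam-one
        }
    }
    authenticate {
        Auth-Type pam-one {
            pam-one
        }
    }
}

# sites-available/server-two: identical apart from the instance name
server server-two {
    authorize {
        update control {
            Auth-Type := pam-two
        }
    }
    authenticate {
        Auth-Type pam-two {
            pam-two
        }
    }
}
```

Each pam_auth value names a PAM service, i.e. a file under /etc/pam.d that must exist for that instance. Run radiusd -X and check that a request from 192.168.0.1 is logged as entering server-one with Auth-Type set to pam-one before looking anywhere else.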