Separate pam modules for multiple clients

Jeff McCarty freeradius at jeff.tagcomp.com
Fri Feb 9 23:04:05 CET 2018



> On Feb 9, 2018, at 4:52 PM, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Feb 9, 2018, at 4:36 PM, Jeff McCarty <freeradius at jeff.tagcomp.com> wrote:
>>> Which says to use the main "pam" module.  As the link above says, if you want to use different PAM modules, you need to use different names.
>> 
>> I didn’t know where else I could put it.
> 
>  It's not about where *else*.  It's about a *different name*.
> 
>  If you want it to use the "pam-one" module, you can't set "Auth-Type = pam", because the name "pam" isn't the same as the name "pam-one".  You must set "Auth-Type = pam-one" to use the pam-one module.
> 
>> I misunderstood. I thought that the default server provided default settings and that I only needed to provide settings that I wanted to change in the definition of my virtual server.
> 
>  Nothing in the documentation or examples says that.
> 
>  Read raddb/sites-available/README.  There is extensive documentation on how virtual servers work.
> 
>> I realized that I had commented out the virtual server line in the clients.conf file and forgot that I had never re-enabled it, so it’s only been using the default server.
> 
>  Which means it's only ever using the default policies.  Which means the "pam" module.
> 
>  To be honest, the simplest thing to do is to edit raddb/sites-enabled/default .  Look for the "authorize" section, and add this:
> 
> 	if (Packet-Src-IP-Address == 192.168.0.1) {
> 		update control {
> 			Auth-Type := "pam-one"
> 		}
> 	}

OK, great! I was at a loss on where/how to change the Auth-Type for the different clients. This makes sense. Thank you! Everything is working as expected now.

> 
>  And then add similar ones for pam-two, etc.
> 
>  Then, make sure you list "pam-one", etc. in the "authenticate" section of that same file.
> 
>  Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
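
The steps from this thread put together in one place, as an added example that is not from the original posts. The instance names pam-one and pam-two and the 192.168.0.1 client come from the thread; the second client address, the PAM service names and the FreeRADIUS 3.x mods-available path are assumptions.

```text
# raddb/mods-available/pam  (assumed v3 layout; linked into mods-enabled/)
# Two named instances of the pam module. pam_auth selects the PAM
# service, i.e. the file under /etc/pam.d/ (service names are assumed).
pam pam-one {
	pam_auth = radiusd-one
}
pam pam-two {
	pam_auth = radiusd-two
}

# raddb/sites-enabled/default
authorize {
	# ... existing modules ...

	# Pick the PAM instance from the source address of the request.
	if (Packet-Src-IP-Address == 192.168.0.1) {
		update control {
			Auth-Type := "pam-one"
		}
	}
	# Assumed address for a second client.
	elsif (Packet-Src-IP-Address == 192.168.0.2) {
		update control {
			Auth-Type := "pam-two"
		}
	}
}

authenticate {
	# ... existing entries ...

	# The Auth-Type value set above must match a name listed here.
	pam-one
	pam-two
}
```

A client that matches neither address is untouched by this policy and keeps whatever Auth-Type the other authorize modules set.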
