pam_radius_auth with Framed-IP-Address

António Silva asilva at wirelessmundi.com
Tue Mar 24 13:03:30 CET 2020


Hi Alan,

I notice that the attribute is present in the response message. Could we do the same as for the attribute MANAGEMENT_PRIVILEGE_LEVEL and export it as an environment variable? This way libreswan could use it.

Do you think that is possible?

This is the code where it is set:

diff --git a/src/pam_radius_auth.c b/src/pam_radius_auth.c
index ad7cda0..8571e3b 100644
--- a/src/pam_radius_auth.c
+++ b/src/pam_radius_auth.c
@@ -1411,6 +1411,24 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST c
                        }
                }
 
+               attribute_t *attr_fip;
+               if ((attr_fip = find_attribute(response, PW_FRAMED_ADDRESS))) {
+                       char frameip[100];
+                       struct in_addr ip_addr;
+
+                       ip_addr.s_addr = *(int*) attr_fip->data;
+
+                       sprintf(frameip, "Framed-IP-Address=%s", inet_ntoa(ip_addr));
+                       retval = pam_putenv(pamh, frameip);
+                       if(retval != PAM_SUCCESS) {
+                               _pam_log(LOG_ERR, "unable to set PAM environment variable : Framed-IP-Address");
+                       }
+                       else {
+                               _pam_log(LOG_DEBUG, "Set PAM environment variable : %s", frameip);
+                       }
+               }
+
+
        } else {
                retval = PAM_AUTH_ERR;  /* authentication failure */
        }
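
Review bot: the added line `ip_addr.s_addr = *(int*) attr_fip->data;` reads four bytes from the attribute payload without checking that the attribute returned by find_attribute() actually carries four bytes of data, so a short or malformed Framed-IP-Address in the reply would be read beyond what was received; the `(int*)` cast also assumes the payload is suitably aligned. Verify the attribute's length first, then copy with `memcpy(&ip_addr.s_addr, attr_fip->data, sizeof(ip_addr.s_addr))`. In the same block, prefer `snprintf(frameip, sizeof(frameip), ...)` over `sprintf`, and `inet_ntop` over `inet_ntoa`, which returns a pointer to a static buffer. Two smaller points: `attribute_t *attr_fip;` is declared after statements in the enclosing block, and the variable name `Framed-IP-Address` contains hyphens, so it cannot be referenced as a shell variable by a consumer script; a name such as `Framed_IP_Address` would avoid that. On failure the `pam_putenv` result is only logged and is left in `retval`; decide explicitly whether a failure to export should fail authentication or be reset to PAM_SUCCESS.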


Do you think that it should be an option to enable this behaviour?




> On 6 Mar 2020, at 23:10, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Mar 6, 2020, at 11:50 AM, António Silva via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>>> 
>>>  The PAM framework doesn't assign or track IP addresses.  So I'm not sure what the goal is here.
>> 
>> is to use with libreswan to authenticate the user and set a static IP address to that user. Probably other services can use other reply attributes...
> 
>  That isn't what PAM does.
> 
>  PAM authenticates user names / passwords.  That's about it.  It doesn't do DHCP, or assign IP addresses to systems.
> 
>>>> Is it possible?
>>>  Modify the source code to pam_radius_auth.
>> Sure, I'm looking into it.
> 
>  It's very likely impossible.
> 
>  Alan DeKok.
> 


