Using PAM
FreeRADIUS supports the pluggable
authentication model, or PAM, but that
must be enabled at compile time. (A discussion of PAM is beyond the
scope of this book; however, an excellent introduction to PAM, with
answers to some frequently asked questions, is available at
http://www.kernel.org/pub/linux/libs/pam/FAQ.)
However, the current support for PAM is rather non-standard. In most
RADIUS distributions, to enable PAM in transactions, enter
User-Password = PAM in the
users file; this is not supported in FreeRADIUS.
You must instead use Auth-Type = Pam. For example,
here is a configuration stanza for a non-specific (that is to say,
default) user configured for PAM authentication, when he logs in from
a specific RADIUS client machine:
DEFAULT Auth-Type := Pam, NAS-IP-Address == 206.229.254.5
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 255.255.255.254,
Filter-Id = "20modun",
Framed-MTU = 1500,
Framed-Compression = Van-Jacobson-TCP-IPIn some configurations, you may have specific entries configured in the /etc/pam.d file. The following users file configuration stanza uses a unique “Pam-Auth = x” identifier to direct the RADIUS server to a specific pam.d entry. FreeRADIUS defaults this string to RADIUS:
DEFAULT Auth-Type := Pam, Pam-Auth == "hasselltech-radius", NAS-IP-Address == 127.0.0.1 Service-Type = Framed-User, Framed-Protocol = PPP, Framed-IP-Address = 255.255.255.254, Filter-Id = "15intonly", Framed-MTU = 1500, Framed-Compression = Van-Jacobson-TCP-IP ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access