Using PAM
FreeRADIUS supports the pluggable authentication model, or PAM, but that must be enabled at compile time. (A discussion of PAM is beyond the scope of this book; however, an excellent introduction to PAM, with answers to some frequently asked questions, is available at http://www.kernel.org/pub/linux/libs/pam/FAQ.)

However, the current support for PAM is rather non-standard. In most RADIUS distributions, to enable PAM in transactions, enter User-Password = PAM in the users file; this is not supported in FreeRADIUS. You must instead use Auth-Type = Pam. For example, here is a configuration stanza for a non-specific (that is to say, default) user configured for PAM authentication, when he logs in from a specific RADIUS client machine:

DEFAULT Auth-Type := Pam, NAS-IP-Address == 206.229.254.5
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Filter-Id = "20modun",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP

In some configurations, you may have specific entries configured in the /etc/pam.d file. The following users file configuration stanza uses a unique “Pam-Auth = x” identifier to direct the RADIUS server to a specific pam.d entry. FreeRADIUS defaults this string to RADIUS:

DEFAULT Auth-Type := Pam, Pam-Auth == "hasselltech-radius", NAS-IP-Address == 127.0.0.1
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Filter-Id = "15intonly",
        Framed-MTU = 1500,
        Framed-Compression = Van-Jacobson-TCP-IP
...
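
A pre-deployment check for the two stanza styles above, as an added example that is not from the book or from FreeRADIUS: it flags the unsupported User-Password = PAM form and verifies that every PAM service a users entry resolves to has an entry in the pam.d directory. The names lint_users, demo and SAMPLE_USERS and the "legacy" user are hypothetical, and the default service name is the one the text gives.

```python
import os
import re
import tempfile

# One check item from an entry's first line: attribute, operator, value.
ITEM = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')

# Constructed sample users file; "legacy" is a made-up user name.
SAMPLE_USERS = '''\
DEFAULT Auth-Type := Pam, Pam-Auth == "hasselltech-radius", NAS-IP-Address == 127.0.0.1
\tService-Type = Framed-User

DEFAULT Auth-Type := Pam, NAS-IP-Address == 206.229.254.5
\tService-Type = Framed-User

legacy User-Password = PAM
\tService-Type = Framed-User
'''

def lint_users(users_text, pam_dir, default_service="RADIUS"):
    """Return (line_no, entry, message) findings for PAM-related entries.
    default_service applies when an entry has no Pam-Auth (value from the text)."""
    findings = []
    for no, line in enumerate(users_text.splitlines(), 1):
        # Entry headers start in column 0; reply items are indented.
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue
        name, rest = (line.split(None, 1) + [""])[:2]
        items = {a.lower(): v.strip('"') for a, _, v in ITEM.findall(rest)}
        if items.get("user-password", "").lower() == "pam":
            findings.append((no, name, "User-Password = PAM is not supported; use Auth-Type = Pam"))
        if items.get("auth-type", "").lower() != "pam":
            continue
        service = items.get("pam-auth", default_service)
        # The service must be a plain file name, never a path out of pam_dir.
        if service != os.path.basename(service) or service in (".", ".."):
            findings.append((no, name, f"Pam-Auth {service!r} is not a plain service name"))
        elif not os.path.isfile(os.path.join(pam_dir, service)):
            findings.append((no, name, f"no PAM entry {service!r} in {pam_dir}"))
    return findings

def demo():
    """Lint the sample against a temporary pam.d holding one service file."""
    with tempfile.TemporaryDirectory() as pam_dir:
        open(os.path.join(pam_dir, "hasselltech-radius"), "w").close()
        return lint_users(SAMPLE_USERS, pam_dir)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Against a live server, pass the real users file contents and "/etc/pam.d", and set default_service to whatever your build actually uses.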