6.1 Using PAM

FreeRADIUS supports the pluggable authentication model, or PAM, but that must be enabled at compile time. (A discussion of PAM is beyond the scope of this book; however, an excellent introduction to PAM, with answers to some frequently asked questions, is available at http://www.kernel.org/pub/linux/libs/pam/FAQ.) However, the current support for PAM is rather non-standard. In most RADIUS distributions, to enable PAM in transactions, enter User -Password = PAM in the users file; this is not supported in FreeRADIUS. You must instead use Auth-Type = Pam . For example, here is a configuration stanza for a non-specific (that is to say, default) user configured for PAM authentication, when he logs in from a specific RADIUS client machine:

 DEFAULT Auth-Type := Pam, NAS-IP-Address == 206.229.254.5     Service-Type = Framed-User,     Framed-Protocol = PPP,     Framed-IP-Address = 255.255.255.254,     Filter-Id = "20modun",     Framed-MTU = 1500,     Framed-Compression = Van-Jacobson-TCP-IP 

In some configurations, you may have specific entries configured in the /etc/pam.d file. The following users file configuration stanza uses a unique "Pam-Auth = x" identifier to direct the RADIUS server to a specific pam.d entry. FreeRADIUS defaults this string to RADIUS:

 DEFAULT Auth-Type := Pam, Pam-Auth == "hasselltech-radius", NAS-IP-Address == 127.0.0.1     Service-Type = Framed-User,     Framed-Protocol = PPP,     Framed-IP-Address = 255.255.255.254,     Filter-Id = "15intonly",     Framed-MTU = 1500,     Framed-Compression = Van-Jacobson-TCP-IP 

Ensure that your compiler's settings are configured to enable PAM support when you first begin your FreeRADIUS installation.

Open your radiusd.conf file and scroll to the modules section. Enable PAM functionality by examining the pam section inside the modules divider. The value for the pam_auth string corresponds with a file in the /etc/pam.d directory on your system. Enter a name here, and make a note of it, as shown in this example:

 pam {                 #                 #  The name to use for PAM authentication.                 #  PAM looks in /etc/pam.d/${pam_auth_name}                 #  for its configuration.  See 'redhat/radiusd-pam'                 #  for a sample PAM configuration file.                 #                 #  Note that any Pam-Auth attribute set in the 'users'                 #  file overrides this one.                 #                 pam_auth = radiusd } 

In the same file, scroll down to the authentication section and make sure the pam line is not commented out:

 authenticate {        pam         unix #       ldap #       mschap #       eap } 

Now, navigate to the /etc/pam.d directory on your system and create a file with the same name you specified in the pam section inside radiusd.conf . (In the previous example, I used radiusd .) Insert the following lines into this new file:

 #%PAM-1.0 auth       required     /lib/security/pam_unix_auth.so shadow md5 nullok auth       required     /lib/security/pam_nologin.so account    required     /lib/security/pam_unix_acct.so password   required     /lib/security/pam_cracklib.so password   required     /lib/security/pam_unix_passwd.so shadow md5 nullok use_authtok session    required     /lib/security/pam_unix_session.so 

You may wish to change some of these settings to suit your specific configuration, but those default strings will work for most any implementation. Next, make sure that the group under which the radiusd process is running can read the /etc/shadow file. Unless you're running as root, PAM won't be able to read the file otherwise and will subsequently malfunction. You also need to specify the user and group with read permissions to /etc/shadow in the radiusd.conf file.