
List:       freeradius-users
Subject:    Re: pam_radius_auth query
From:       Alan DeKok <aland () deployingradius ! com>
Date:       2011-02-26 7:50:53
Message-ID: 4D68B0DD.4080501 () deployingradius ! com

vijay s sheelavantar wrote:
> Marc and Alan, thanks for the reply.

  (1) Don't reply to digest emails.  It breaks the threading.

  (2) Edit your posts.  Including hundreds of lines of irrelevant text
is annoying.

> What I exactly mean by authorization is Management-Privilege-Level which
> is defined in RFC 5607, 

  Which was published many, many years after the last release of the
PAM RADIUS module.

  And why couldn't you say that in the first message?

> If a user belongs to a certain group and has the privilege level
> (security admin or administrator) then only he can execute certain
> commands on the NE.
> Right now the PAM module is doing this in my NE. I want it to be done by
> the RADIUS server.

  This isn't how PAM works.  Individual commands are not seen by the PAM
module.

> Now pam_radius_auth module sends "authentication only" in request
> message so, the server is not doing authorization it seems.

  The documentation says what it does.  The documentation doesn't say it
does authorization.  There is no "it seems" about it.  The documentation
is clear.

> How can I ask the server to do authorization, and when the server sends the
> authorization attributes (AVPs) in the Access-Accept message, how to
> process those values? Or will the PAM module take care of this?

  What you want is impossible to do with PAM.

> I am really not getting how to support this "management-privilege-level"
> feature using pam-radius-auth.

  What you want is impossible to do with PAM.

  Alan DeKok.
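
For reference, the attribute the question asks about as it appears in an Access-Accept: an added example (not part of the original message, and not pam_radius_auth code) that checks the Response Authenticator and then extracts Management-Privilege-Level, attribute type 136 in RFC 5607. The function names, shared secret and sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                  # RADIUS packet code (RFC 2865)
MANAGEMENT_PRIVILEGE_LEVEL = 136   # attribute type (RFC 5607)


def privilege_level(packet, request_auth, secret):
    """Authenticate an Access-Accept; return Management-Privilege-Level or None."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    packet = packet[:length]       # octets past Length are padding
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(digest, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    level, pos = None, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        if atype == MANAGEMENT_PRIVILEGE_LEVEL:
            if alen != 6:          # type + length + 32-bit integer
                raise ValueError("Management-Privilege-Level must be 6 octets")
            level = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
        pos += alen
    return level


def build_accept(ident, request_auth, secret, attrs):
    """Construct a signed Access-Accept for the sample below (helper)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return head + hashlib.md5(head + request_auth + body + secret).digest() + body


# Constructed sample values, not taken from the thread.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
SAMPLE = build_accept(7, REQUEST_AUTH, SECRET, [
    (18, b"welcome"),                                     # Reply-Message
    (MANAGEMENT_PRIVILEGE_LEVEL, struct.pack("!I", 15)),
])
```

The level is returned only after the authenticator check passes, so a reply forged or altered without the shared secret never yields a privilege value.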