
[feature]: pam_radius_auth supporting realms

Open jhaar opened this issue 3 years ago • 3 comments

What type of defect/bug is this?

Unexpected behaviour (obvious or verified by project member)

How can the issue be reproduced?

I was trying to use pam_radius_auth to protect sudo with MFA - where MFA was provided by our enterprise Okta RADIUS server. However that uses "[email protected]" - whereas our Unix systems use "username". So pam_radius_auth was creating RADIUS authentication requests with "username/password" instead of "[email protected]/password" and didn't work. If I made a Unix account named "[email protected]" then pam_radius_auth worked just fine.

I think adding a new option of "[email protected]" which would append itself to the username would help a lot. A lot of enterprises are doing SSO these days, so this would enable stronger authentication options to be added to Unix accounts.

Log output from the FreeRADIUS daemon

not a bug

Relevant log output from client utilities

No response

Backtrace from LLDB or GDB

No response

jhaar avatar Jul 29 '22 01:07 jhaar

The pam_radius_auth module sends the name / password as entered by the user. Any functional RADIUS server can add / delete / change realms when it receives the Access-Request.

It's not clear to me why this configuration would be required on the local machine. It's much better to centralize this on the RADIUS server.

alandekok avatar Jul 29 '22 02:07 alandekok
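As an added example (not configuration from the FreeRADIUS project or from anyone in this thread), this is how the server-side realm handling described in the comment above could look in a FreeRADIUS 3.x virtual server, so that pam_radius_auth keeps sending the name exactly as typed and the mapping lives in one place. The realm `example.com`, the `unix-` NAS-Identifier prefix and the placement in `sites-enabled/default` are assumptions chosen for illustration.

```unlang
# Added illustration, not part of the FreeRADIUS project configuration.
# Goes in the "authorize" section of the virtual server that receives the
# Access-Requests from the Unix hosts (assumed: sites-enabled/default).
authorize {
    # Qualify bare usernames with the enterprise realm, but only when:
    #  - the name carries no realm yet, so an already qualified
    #    "user@example.com" is not turned into "user@example.com@example.com"
    #  - the request comes from a host that needs the rewrite
    #    (assumed: NAS-Identifier starting with "unix-")
    if (&User-Name !~ /@/ && &NAS-Identifier =~ /^unix-/) {
        update request {
            &User-Name := "%{User-Name}@example.com"   # realm is a placeholder
        }
    }

    # The usual modules follow (preprocess, suffix, files, ...). If the
    # request is then proxied to the enterprise MFA RADIUS server through a
    # realm entry in proxy.conf, it leaves with the qualified User-Name.
}
```

Keeping the rewrite behind the `!~ /@/` guard and a client-specific condition means a host that already sends a fully qualified name, or a host outside the Unix fleet, is left untouched, which is the kind of per-client scoping that is awkward to get right once the logic is spread across every PAM configuration.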

Enterprises tend to have many realms. So having the "client" tell the RADIUS server the fully qualified username makes more sense (as the admin of that system knows what their user audience is) rather than relying on (typically) CorpIS to micro-manage per-host mappings.

jhaar avatar Jul 29 '22 02:07 jhaar

You're free to send a patch which implements this feature.

Or, if it's needed for an enterprise, perhaps they have budget to help sponsor this.

Until then, if no one is willing to work for free, then no progress will be made.

alandekok avatar Jul 29 '22 10:07 alandekok

This is not something we are likely to look at without sponsorship, and the issue isn't related to the FreeRADIUS server anyway.

mcnewton avatar Sep 27 '22 10:09 mcnewton

Hi @jhaar

Please suggest your company contact [email protected] requesting a quote about that feature.

jpereira avatar Sep 27 '22 11:09 jpereira