From d7457268fcaa5626e512eb00a9aab36f4a617f28 Mon Sep 17 00:00:00 2001
From: zsdc
Date: Tue, 26 Sep 2023 11:27:07 +0300
Subject: PAM: T5577: Optimized RADIUS PAM config

- Added system `radius` group
- Added `mandatory` and `optional` modes for RADIUS
- Improved PAM config for RADIUS

New modes:

- `mandatory` - if RADIUS answered with `Access-Reject`, authentication must be stopped and access denied immediately.
- `optional` (default) - if RADIUS answers with `Access-Reject`, authentication continues using the next module.

In `mandatory` mode authentication will be stopped only if RADIUS clearly answered that access should be denied (no user in RADIUS database, wrong password, etc.). If RADIUS is not available or other errors happen, it will be skipped and authentication will continue with the next module, like in `optional` mode.

--- .../include/radius-server-ipv4-ipv6.xml.i | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'interface-definitions') diff --git a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i index 5b12bec62..6a432bac9 100644 --- a/interface-definitions/include/radius-server-ipv4-ipv6.xml.i +++ b/interface-definitions/include/radius-server-ipv4-ipv6.xml.i @@ -47,6 +47,26 @@ + + + Security mode for RADIUS authentication + + mandatory optional + + + mandatory + Deny access immediately if RADIUS answers with Access-Reject + + + optional + Pass to the next authentication method if RADIUS answers with Access-Reject + + + (mandatory|optional) + + + optional + -- cgit v1.2.3
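Review bot: the value help for `mandatory` in the added block ("Deny access immediately if RADIUS answers with Access-Reject") does not say that an unreachable or erroring RADIUS server is still skipped, which the commit message states explicitly; an operator reading only the CLI help may take `mandatory` to mean RADIUS-only authentication. Suggest extending that help string, for example "Deny access immediately if RADIUS answers with Access-Reject; continue with the next method if RADIUS is unavailable", or saying so in the node's top-level help next to "Security mode for RADIUS authentication". The default of `optional` likewise means an account that RADIUS rejects is still tried against the next module, so the accompanying documentation should state that a RADIUS reject is not final unless the mode is changed. Because this lands in the shared `radius-server-ipv4-ipv6.xml.i` include and this view is limited to `interface-definitions`, the description should also confirm that every consumer of the include reads the new value rather than silently accepting it.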