When pam_radius receives Accept-Challenge request, it ask the user again and resend his request. Unfortunately NAS-Identifier (nas_id) and NAS-IP-Address (nas_ipaddr) attributes where ignored and not included in the second (and further) requests. The patch below fixes this issue. -- pjd@FreeBSD.org
Index: pam_radius.c
===================================================================
RCS file: /usr/repo/src/lib/libpam/modules/pam_radius/pam_radius.c,v
retrieving revision 1.23
diff -u -p -r1.23 pam_radius.c
--- pam_radius.c 13 Jun 2005 21:18:52 -0000 1.23
+++ pam_radius.c 8 Jan 2007 23:30:37 -0000
@@ -67,7 +67,7 @@ static int build_access_request(struct
 size_t);
 static int do_accept(pam_handle_t *, struct rad_handle *);
 static int do_challenge(pam_handle_t *, struct rad_handle *,
- const char *);
+ const char *, const char *, const char *);
 
 /*
 * Construct an access request, but don't send it. Returns 0 on success,
@@ -162,7 +162,8 @@ do_accept(pam_handle_t *pamh, struct rad
 }
 
 static int
-do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user)
+do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user,
+ const char *nas_id, const char *nas_ipaddr)
 {
 int retval;
 int attrtype;
@@ -229,8 +230,8 @@ do_challenge(pam_handle_t *pamh, struct
 if ((retval = conv->conv(num_msgs, msg_ptrs, &resp, conv->appdata_ptr)) != PAM_SUCCESS)
 return (retval);
- if (build_access_request(radh, user, resp[num_msgs-1].resp, NULL,
- NULL, state, statelen) == -1)
+ if (build_access_request(radh, user, resp[num_msgs-1].resp, nas_id,
+ nas_ipaddr, state, statelen) == -1)
 return (PAM_SERVICE_ERR);
 memset(resp[num_msgs-1].resp, 0, strlen(resp[num_msgs-1].resp));
 free(resp[num_msgs-1].resp);
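Review bot: do_challenge() has no header comment — the context directly above its definition is only the closing brace of do_accept() and a blank line — and with two more pointer parameters its contract should be written down. Suggest adding above the definition: `/* Answer an Access-Challenge: converse with the user and build the follow-up request. nas_id and nas_ipaddr are passed unchanged to build_access_request() and may be NULL. */`. The "may be NULL" part is inferred from the old call, which passed NULL for both arguments; confirm it against build_access_request() and the caller. The function body continues outside this hunk.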
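Review bot: When build_access_request() fails, the `return (PAM_SERVICE_ERR);` right after the changed call leaves `resp[num_msgs-1].resp`, the user's answer to the challenge, neither zeroed nor freed, because the memset()/free() pair below it runs only on the success path. Keep the result in a local, e.g. `error = build_access_request(radh, user, resp[num_msgs-1].resp, nas_id, nas_ipaddr, state, statelen);`, run the existing memset() and free(), and only then `if (error == -1) return (PAM_SERVICE_ERR);`. Separately, a memset() issued immediately before free() can be dropped by the optimizer as a dead store; where the platform provides it, `explicit_bzero()` is the safer call for wiping the response. What happens to `resp` itself and to the other conversation messages is outside this hunk.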
@@ -329,7 +330,8 @@ pam_sm_authenticate(pam_handle_t *pamh,
 return (PAM_AUTH_ERR);
 
 case RAD_ACCESS_CHALLENGE:
- retval = do_challenge(pamh, radh, user);
+ retval = do_challenge(pamh, radh, user, nas_id,
+ nas_ipaddr);
 if (retval != PAM_SUCCESS) {
 rad_close(radh);
 return (retval);