On 2014-07-19 23:09, Alan DeKok wrote:
Zenon Mousmoulas wrote:
My understanding is that modules set Auth-Type in the authorize section and the server looks in the authenticate section for a matching sub-section. Different instances of rlm_eap set Auth-Type to their xlat name.
The "instance" name.
Right. I suppose it makes sense for rlm_eap to set Auth-Type to the instance name, while other modules don't do that, for example rlm_ldap (in 2.x)?
The question is: Other than adding an Auth-Type subsection for every such variation, is it possible to match them e.g. in a regex comparison? As far as I can tell, I can only use unlang within Auth-Type subsections and not directly in the authenticate section.
There's no way to do a regex match like that.
I don't see why you would want to, though. The EAP module does nothing in the "authorize" section. It does all of its work in the "authenticate" section. So configuring multiple EAP modules and then forcing them to use one instance for "authenticate" makes no sense. Just configure one EAP module instead.
I don't want to use one instance for authenticate, but rather just use one section to match the Auth-Type and call the actual instance by other means. For example: policy { eap_virtual { switch "%{EAP-VHost-ID}" { case abc { eap_abc } case def { eap_def } [...] } } } authenticate { if (Auth-Type =~ /^eap_[a-z]+$/) { eap_virtual } } This is obviously less efficient but would allow for more compact configuration. Thanks, Z.