"Gabriel L. Somlo" <somlo@cmu.edu> wrote:
I'm trying to understand the semantics of the radiusd.conf file. Specifically, when does a module (not) need to be mentioned in the authorize and authenticate sections of the config file ?
It's listed if you want it to be used.
Removing the eap from 'authorize' prevents the server from working correctly (works fine if you leave it in there). Why does eap have to be mentioned in 'authorize', if I only need it for authentication ?
The idea is to have the server "just figure it out". By listing EAP in the authorize section, the module will look for EAP in the packet, and set Auth-Type = EAP when necessary. The same goes for the CHAP and MS-CHAP modules, too. If you don't list "eap" in the "authorize" section, you'll have to set Auth-Type = EAP by hand, which will often be wrong. It's *much* easier to list it, and let the server figure it out. Alan DeKok.