Iliya Peregoudov wrote:
I have following configuration:
authenticate { Auth-Type CHAP { chap db_backend chap { ok = 1 } db_backend } }
That configuration is wrong. The purpose of the "authenticate" section is to do authentication. If you're doing DB lookups, then those lookups belong in the "authorize" section.
First chap module call should handle cases when Cleartext-Password already set (for example, by files module). If there is Cleartext-Password, chap module returns *ok* or *reject*, so authentication should stop on these return codes. If there is no Cleartext-Password, chap module returns *invalid*, so authentication should proceed further.
Why not do those checks in the "authorize" section? authorize { ... files if (notfound) { db_backend } ... }
In freeradius 1.1.x this configuration works fine. In freeradius 2.1.x it doesn't work.
It's not supposed to work.
What is the reason for the change? It changes requirements for module return codes. Moreover, return code handling was changed only in Auth-Type subsections, not in authenticate section. When module's authenticate hook is called module has no clue is it called from authenticate section or from Auth-Type subsection.
Exactly. The change allowed people to put better policies into the authenticate sub-sections. Alan DeKok.