Hello all, I have a configuration where I allow users to get onto the wireless network by authenticating with EAP-TLS or with EAP-GTC inside of EAP-TTLS. If they have a cert, then they authenticate with EAP-TLS, and if they have a password, then they authenticate with EAP-TTLS/EAP-GTC which in turn authenticates against Kerberos. In addition, there are some admins who need to log into the access point's command shell. I would like these to be authenticated against the same Kerberos server, but everyone else should get rejected. As it turns out, I have a configuration that accomplishes all of this *perfectly*. In radiusd.conf, I have: modules { ... krb5 { } ... } ... authenticate { ... Auth-Type Kerberos { krb5 } ... } Then, in the users file, I have: "admin1" NAS-Port-Type == "Virtual", Auth-Type = Kerberos "admin2" NAS-Port-Type == "Virtual", Auth-Type = Kerberos ... DEFAULT NAS-Port-Type == "Virtual", Auth-Type := Reject # This authenticates wireless users DEFAULT NAS-Port-Type == "Wireless-802.11", Auth-Type = Kerberos I should stress, this accomplishes *exactly* what I want. That said, it also involves explicit setting of Auth-Type. I have seen in more than one place that this is a Bad Thing(TM). My first question is how do I accomplish what the above configuration does without this explicit Auth-Type setting? (Or is the above configuration marginally acceptable because it only sets Auth-Type when it isn't already set?) Should I only be defining one authentication module that involves User-PAssword? More generally, suppose that you have two different authentication modules, say unix and krb5, that use User-Password. How does FreeRADIUS tell which users are supposed to use unix and which are supposed to use krb5? (Assuming that you want some to use one, and some to use the other.) That is, how does RADIUS know what the "right thing" is in that case with being told explicitly? Thanks in advance. P.S. Before anyone says anything, I have read the documentation. More than once. It could very easily be that I have missed something totally obvious though. -- John Guthrie guthrie@counterexample.org