wildcard/regex Auth-Type in authenticate section
Hi again, sorry if this is a trivial question, but I couldn't find a definitive answer and I need to clarify: My understanding is that modules set Auth-Type in the authorize section and the server looks in the authenticate section for a matching sub-section. Different instances of rlm_eap set Auth-Type to their xlat name. The question is: Other than adding an Auth-Type subsection for every such variation, is it possible to match them e.g. in a regex comparison? As far as I can tell, I can only use unlang within Auth-Type subsections and not directly in the authenticate section. Thanks, Z.
Zenon Mousmoulas wrote:
My understanding is that modules set Auth-Type in the authorize section and the server looks in the authenticate section for a matching sub-section. Different instances of rlm_eap set Auth-Type to their xlat name.
The "instance" name.
The question is: Other than adding an Auth-Type subsection for every such variation, is it possible to match them e.g. in a regex comparison? As far as I can tell, I can only use unlang within Auth-Type subsections and not directly in the authenticate section.
There's no way to do a regex match like that. I don't see why you would want to, though. The EAP module does nothing in the "authorize" section. It does all of its work in the "authenticate" section. So configuring multiple EAP modules and then forcing them to use one instance for "authenticate" makes no sense. Just configure one EAP module instead. Alan DeKok.
On 2014-07-19 23:09, Alan DeKok wrote:
Zenon Mousmoulas wrote:
My understanding is that modules set Auth-Type in the authorize section and the server looks in the authenticate section for a matching sub-section. Different instances of rlm_eap set Auth-Type to their xlat name.
The "instance" name.
Right. I suppose it makes sense for rlm_eap to set Auth-Type to the instance name, while other modules don't do that, for example rlm_ldap (in 2.x)?
The question is: Other than adding an Auth-Type subsection for every such variation, is it possible to match them e.g. in a regex comparison? As far as I can tell, I can only use unlang within Auth-Type subsections and not directly in the authenticate section.
There's no way to do a regex match like that.
I don't see why you would want to, though. The EAP module does nothing in the "authorize" section. It does all of its work in the "authenticate" section. So configuring multiple EAP modules and then forcing them to use one instance for "authenticate" makes no sense. Just configure one EAP module instead.
I don't want to use one instance for authenticate, but rather just use one section to match the Auth-Type and call the actual instance by other means. For example: policy { eap_virtual { switch "%{EAP-VHost-ID}" { case abc { eap_abc } case def { eap_def } [...] } } } authenticate { if (Auth-Type =~ /^eap_[a-z]+$/) { eap_virtual } } This is obviously less efficient but would allow for more compact configuration. Thanks, Z.
Zenon Mousmoulas wrote:
Right. I suppose it makes sense for rlm_eap to set Auth-Type to the instance name, while other modules don't do that, for example rlm_ldap (in 2.x)?
All of the other modules which authenticate users do this.
I don't want to use one instance for authenticate, but rather just use one section to match the Auth-Type and call the actual instance by other means. For example: ... This is obviously less efficient but would allow for more compact configuration.
I don't see why. It's not only inefficient, it's confusing. This is really not a recommended practice. Alan DeKok.
On 2014-07-20 17:10, Alan DeKok wrote:
Zenon Mousmoulas wrote:
Right. I suppose it makes sense for rlm_eap to set Auth-Type to the instance name, while other modules don't do that, for example rlm_ldap (in 2.x)?
All of the other modules which authenticate users do this.
Apparently rlm_pap and rlm_mschap don't do this. Can you say more specifically what other modules do this?
I don't want to use one instance for authenticate, but rather just use one section to match the Auth-Type and call the actual instance by other means. For example: ... This is obviously less efficient but would allow for more compact configuration.
I don't see why. It's not only inefficient, it's confusing.
This is really not a recommended practice.
And not really possible anyway, as I can only use unlang within Auth-Type subsections and not directly in the authenticate section. Right?
Zenon Mousmoulas wrote:
Apparently rlm_pap and rlm_mschap don't do this. Can you say more specifically what other modules do this?
Can you say why you care? Does it matter? Or are you just nit-picking? If you have the skills to look at rlm_pap && rlm_mschap, you have the skills to find which other modules set Auth-Type as I said.
And not really possible anyway, as I can only use unlang within Auth-Type subsections and not directly in the authenticate section. Right?
This is documented. Alan DeKok.
On 2014-07-21 15:27, Alan DeKok wrote:
Zenon Mousmoulas wrote:
Apparently rlm_pap and rlm_mschap don't do this. Can you say more specifically what other modules do this?
Can you say why you care? Does it matter? Or are you just nit-picking?
It mattered because I was trying to understand the difference between rlm_eap and rlm_ldap in this context. Perhaps the last question was not in the right direction, but your answer didn't help either :) So, to answer my own question:
Right. I suppose it makes sense for rlm_eap to set Auth-Type to the instance name, while other modules don't do that, for example rlm_ldap (in 2.x)?
rlm_ldap sets Auth-Type (not anymore in 3.x) if set_auth_type = yes (the default). This setting is overridden when a matching Auth-Type is not found, upon instantiation. It determines the Auth-Type (in order of preference: instance_name, LDAP) it will use when it is instantiated, depending on what Auth-Type is declared in the authenticate section. It is possible that a particular instance is instantiated in a virtual server that has Auth-Type ldap_inst and then processes a request in a different virtual server, which has Auth-Type LDAP. In such a case the module will try to set Auth-Type := ldap_inst and fail. On the other hand, rlm_eap always sets Auth-Type to the instance name. Perhaps related is the fact that it gets instantiated when the module is loaded (as opposed to when it is referenced in an authorize section), so there are no Auth-Type declarations to look at, even if it wanted to (like rlm_ldap).
And not really possible anyway, as I can only use unlang within Auth-Type subsections and not directly in the authenticate section. Right?
This is documented.
I didn't find a specific answer to that question, which is why I asked. Cheers, Z.
Zenon Mousmoulas wrote:
It mattered because I was trying to understand the difference between rlm_eap and rlm_ldap in this context. Perhaps the last question was not in the right direction, but your answer didn't help either :)
You question about PAP and MS-CHAP did *nothing* to help you understand the difference between LDAP and EAP. All it did was be annoying, and waste everyones time.
rlm_ldap sets Auth-Type (not anymore in 3.x) if set_auth_type = yes (the default). This setting is overridden when a matching Auth-Type is not found, upon instantiation. It determines the Auth-Type (in order of preference: instance_name, LDAP) it will use when it is instantiated, depending on what Auth-Type is declared in the authenticate section. It is possible that a particular instance is instantiated in a virtual server that has Auth-Type ldap_inst and then processes a request in a different virtual server, which has Auth-Type LDAP. In such a case the module will try to set Auth-Type := ldap_inst and fail.
Which is why set_auth_type was removed in v3.
On the other hand, rlm_eap always sets Auth-Type to the instance name. Perhaps related is the fact that it gets instantiated when the module is loaded (as opposed to when it is referenced in an authorize section), so there are no Auth-Type declarations to look at, even if it wanted to (like rlm_ldap).
Because it's stupid to list "eap" in the "authorize" section, and then *not* list it in the "authenticate" section. So always setting Auth-Type to the instance name is what you want the module to do. Alan DeKok.
participants (2)
-
Alan DeKok -
Zenon Mousmoulas