Using freeradius integrated with Active Directory to authenticate cisco passwords
Alan DeKok
aland at deployingradius.com
Sat Feb 9 19:35:42 CET 2008
Jeffrey Hutzelman wrote:
> It can't, really. But what it could do is what rlm_pap does, which is
> to assume that if there's a password in the request and Auth-Type isn't
> set yet, you must want to use this module (actually, rlm_pap also
> requires there be a password or hash in the users database, but of
> course Kerberos doesn't need that and as you point out, there's no easy
> way to check the KDB). With such a check, krb5 could be listed after
> pap in the default authorize configuration, and would pick up any PAP
> requests for which the users database does not contain a password.
That would work.
> Yes, I suppose with configuration like that you could avoid the code I
> describe above. I do think there's some benefit to handling this in the
> module's authorize handler, if only so we can avoid telling people to
> set Auth-Type in the users database.
Which is always good.
> What I'd really like to see is an easy way for the users database to
> specify which submodule gets to handle PAP requests. I suppose that can
> be accomplished as in your example, by listing files last in the
> authorize section and set-if-unset Auth-Type in each user entry.
Unfortunately, yes. That's what the "Auth-Type" is for.
In 2.0, this is easier to do with "unlang".
Alan DeKok.