Using freeradius integrated with Active Directory toautenticatecisco passwords

Alan DeKok aland at
Sat Feb 9 19:35:42 CET 2008

Jeffrey Hutzelman wrote:
> It can't, really.  But what it could do is what rlm_pap does, which is
> to assume that if there's a password in the request and Auth-Type isn't
> set yet, you must want to use this module (actually, rlm_pap also
> requires there be a password or hash in the users database, but of
> course Kerberos doesn't need that and as you point out, there's no easy
> way to check the KDB).  With such a check, krb5 could be listed after
> pap in the default authorize configuration, and would pick up any PAP
> requests for which the users database does not contain password.

  That would work.

> Yes, I suppose with configuration like that you could avoid the code I
> describe above.  I do think there's some benefit to handling this in the
> module's authorize handler, if only so we can avoid telling people to
> set Auth-Type in the users database.

  Which is always good.

> What I'd really like to see is an easy way for the users database to
> specify which submodule gets to handle PAP requests.  I suppose that can
> be accomplished as in your example, by listing files last in the
> authorize section and set-if-unset Auth-Type in each user entry.

  Unfortunately, yes.  That's what the "Auth-Type" is for.

  In 2.0, this is easier to do with "unlang".

  Alan DeKok.

More information about the Freeradius-Users mailing list