modules in authorize{} and authenticate{} sections

Alan DeKok aland at
Tue May 26 08:55:32 CEST 2009

bastardinho69 wrote:
> I have successfully set up FreeRADIUS server to use Active Directory to
> authenticate LAN users.
> My authorize{} and authenticate{} section configuration in radiusd.conf
> file looks like this:

  If you're using AD for authentication, those sections do *not* look
like that.

> authorize {
>        preprocess
>        eap
>        mschap
>    }
> authenticate {
>        Auth-Type MS-CHAP {
>        mschap
>        }
>    eap
>    }
> As u see, in both sections there is modules eap and mschap mentioned.
> Can anybody tell me why it is so?

  Because the server has multiple stages of processing a request.  See

> Or where to look for the answer? I
> have been checking the logs from running radius in debug mode but i
> cannot find the definite answer, for example, in conversation between
> radius server and supplicant, mschap in authorize section always returns
> noop, so my question is- why it is needed there if it always returns noop?

  It's not needed in the "authorize" section if you're only doing EAP.

  Alan DeKok.

More information about the Freeradius-Users mailing list