inside Auth-Type has different rules
Alan DeKok
aland at deployingradius.com
Fri Oct 1 16:02:44 CEST 2010
Iliya Peregoudov wrote:
> I have following configuration:
>
> authenticate {
>     Auth-Type CHAP {
>         chap
>         db_backend
>         chap {
>             ok = 1
>         }
>         db_backend
>     }
> }
That configuration is wrong. The purpose of the "authenticate"
section is to do authentication. If you're doing DB lookups, then those
lookups belong in the "authorize" section.
> First chap module call should handle cases when Cleartext-Password
> already set (for example, by files module). If there is
> Cleartext-Password, chap module returns *ok* or *reject*, so
> authentication should stop on these return codes. If there is no
> Cleartext-Password, chap module returns *invalid*, so authentication
> should proceed further.
Why not do those checks in the "authorize" section?
authorize {
    ...
    files
    if (notfound) {
        db_backend
    }
    ...
}
> In freeradius 1.1.x this configuration works fine.
> In freeradius 2.1.x it doesn't work.
It's not supposed to work.
> What is the reason for the change? It changes the requirements for module
> return codes. Moreover, return code handling was changed only in the
> Auth-Type subsections, not in the authenticate section. When a module's
> authenticate hook is called, the module has no clue whether it is called from
> the authenticate section or from an Auth-Type subsection.
Exactly.
The change allowed people to put better policies into the authenticate
sub-sections.
Alan DeKok.
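As an added example (not part of the original thread), here is what the reply's advice looks like when written out as a complete pair of sections: the password lookups live in `authorize`, and `authenticate` only compares the CHAP response. `db_backend` is the poster's own module instance name and is assumed to be defined in the modules configuration; the `...` placeholders in the reply are omitted.

```unlang
authorize {
    # Static entries first; files sets control:Cleartext-Password when it
    # finds a matching user.
    files

    # Fall through to the database only when the users file had no entry.
    if (notfound) {
        db_backend
    }

    # Listing chap here makes it set Auth-Type := CHAP whenever the request
    # carries a CHAP-Password, so no manual Auth-Type assignment is needed.
    chap
}

authenticate {
    # By the time we get here a Cleartext-Password has (or has not) been
    # supplied by authorize; chap returns ok or reject, nothing else is needed.
    Auth-Type CHAP {
        chap
    }
}
```

With this layout the `invalid`/`notfound` handling the poster relied on inside `Auth-Type CHAP` is no longer required, because the decision about which backend supplies the password is made before authentication starts.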