wildcard/regex Auth-Type in authenticate section

Zenon Mousmoulas zmousm at noc.grnet.gr
Sun Jul 20 08:34:24 CEST 2014

On 2014-07-19 23:09, Alan DeKok wrote:
> Zenon Mousmoulas wrote:
>> My understanding is that modules set Auth-Type in the authorize 
>> section
>> and the server looks in the authenticate section for a matching
>> sub-section. Different instances of rlm_eap set Auth-Type to their 
>> xlat
>> name.
>   The "instance" name.

Right. I suppose it makes sense for rlm_eap to set Auth-Type to the 
instance name, while other modules don't do that, for example rlm_ldap 
(in 2.x)?

>> The question is: Other than adding an Auth-Type subsection for
>> every such variation, is it possible to match them e.g. in a regex
>> comparison? As far as I can tell, I can only use unlang within 
>> Auth-Type
>> subsections and not directly in the authenticate section.
>   There's no way to do a regex match like that.
>   I don't see why you would want to, though.  The EAP module does
> nothing in the "authorize" section.  It does all of its work in the
> "authenticate" section.  So configuring multiple EAP modules and then
> forcing them to use one instance for "authenticate" makes no sense.
> Just configure one EAP module instead.

I don't want to use one instance for authenticate, but rather just use 
one section to match the Auth-Type and call the actual instance by other 
means. For example:

policy {
   eap_virtual {
     switch "%{EAP-VHost-ID}" {
       case abc {
       case def {

authenticate {
   if (Auth-Type =~ /^eap_[a-z]+$/) {

This is obviously less efficient but would allow for more compact 


More information about the Freeradius-Users mailing list