wildcard/regex Auth-Type in authenticate section

Alan DeKok aland at deployingradius.com
Fri Jul 25 20:16:00 CEST 2014

Zenon Mousmoulas wrote:
> It mattered because I was trying to understand the difference between
> rlm_eap and rlm_ldap in this context. Perhaps the last question was not
> in the right direction, but your answer didn't help either :)

  You question about PAP and MS-CHAP did *nothing* to help you
understand the difference between LDAP and EAP.  All it did was be
annoying, and waste everyones time.

> rlm_ldap sets Auth-Type (not anymore in 3.x) if set_auth_type = yes (the
> default). This setting is overridden when a matching Auth-Type is not
> found, upon instantiation. It determines the Auth-Type (in order of
> preference: instance_name, LDAP) it will use when it is instantiated,
> depending on what Auth-Type is declared in the authenticate section.
> It is possible that a particular instance is instantiated in a virtual
> server that has Auth-Type ldap_inst and then processes a request in a
> different virtual server, which has Auth-Type LDAP. In such a case the
> module will try to set Auth-Type := ldap_inst and fail.

  Which is why set_auth_type was removed in v3.

> On the other hand, rlm_eap always sets Auth-Type to the instance name.
> Perhaps related is the fact that it gets instantiated when the module is
> loaded (as opposed to when it is referenced in an authorize section), so
> there are no Auth-Type declarations to look at, even if it wanted to
> (like rlm_ldap).

  Because it's stupid to list "eap" in the "authorize" section, and then
*not* list it in the "authenticate" section.  So always setting
Auth-Type to the instance name is what you want the module to do.

  Alan DeKok.

More information about the Freeradius-Users mailing list