I've been trying to set up FR in a realm-based configuration using only LOCAL realms that are passed to different MySQL tables via different instances. This setup, like several previous questions posted to this list for similar setups, requires conditional branching. The solution as suggested in those posts was to use an Autz-Type block within the authorize block, and an Auth-Type block within the authenticate block to use appropriate module instances for the given realm. The problem I am having is that no matter what I set Autz-Type to, or where I set it, FR doesn't seem to honor it. I've tried putting it in hints entries, user entries, and realm entries; all suggestions that had been posted in response to similar issues. Another problem that compounds this one is that different posters refer to Autz-Type differently: autztype, AutzType, & Autz-Type. Is the difference significant, or is this one of those cases where they ALL are valid, but do exactly the same thing?
I would have thought there would be some way to use the Realm variable that the rlm_realm strips from the User-Name attribute directly within the Authorize & Authenticate blocks, but it appears the most straight-forward way of using a block like 'realm bogus {}' causes FR to confuse the block for another module instance definition. Any insights anyone may have on this would be appreciated.

Following are the relevant configuration & output segments:

radiusd.conf, authorize block:

    Autz-Type SQL-BOGUS {
        sql-bogus
    }

radiusd.conf, authenticate block:

    Auth-Type SQL-BOGUS {
        sql-bogus
    }

hints:

    DEFAULT Prefix == "BOGUS\", Strip-User-Name = Yes
            Hint = "MIE Login",
            Service-Type = Framed-User,
            Autz-Type := SQL-BOGUS,
            Auth-Type := SQL-BOGUS

users:

    DEFAULT Realm == "bogus", Autz-Type := SQL-BOGUS

mysql bogus realms' radcheck table:

    +----+----------+---------------+----+----------+
    | id | UserName | Attribute     | op | Value    |
    +----+----------+---------------+----+----------+
    |  6 | user     | User-Password | == | password |
    |  7 | user     | Auth-Type     | := | Local    |
    +----+----------+---------------+----+----------+

radiusd -X -A (snippet 1, module instantiation):

    rlm_sql (sql-bogus): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
    rlm_sql (sql-bogus): Attempting to connect to [EMAIL PROTECTED]:/radius
    rlm_sql (sql-bogus): starting 0
    rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #0
    rlm_sql (sql-bogus): Connected new DB handle, #0
    rlm_sql (sql-bogus): starting 1
    rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #1
    rlm_sql (sql-bogus): Connected new DB handle, #1
    rlm_sql (sql-bogus): starting 2
    rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #2
    rlm_sql (sql-bogus): Connected new DB handle, #2
    rlm_sql (sql-bogus): starting 3
    rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #3
    rlm_sql (sql-bogus): Connected new DB handle, #3
    rlm_sql (sql-bogus): starting 4
    rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #4
    rlm_sql (sql-bogus): Connected new DB handle, #4
    Module: Instantiated sql (sql-bogus)

radiusd -X -A (snippet 2, module *NOT* getting used):

    modcall: entering group authorize for request 0
    modcall[authorize]: module "preprocess" returns ok for request 0
    rlm_realm: Looking up realm "bogus" for User-Name = "bogus\user"
    rlm_realm: Found realm "bogus"
    rlm_realm: Adding Stripped-User-Name = "user"
    rlm_realm: Proxying request from user user to realm bogus
    rlm_realm: Adding Realm = "bogus"
    rlm_realm: Authentication realm is LOCAL.
    modcall[authorize]: module "ntdomain" returns noop for request 0
    rlm_eap: EAP packet type response id 0 length 15
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module "eap" returns updated for request 0
    modcall[authorize]: module "chap" returns noop for request 0
    modcall[authorize]: module "mschap" returns noop for request 0
    modcall: leaving group authorize (returns updated) for request 0

NOTE: My module order, and the fact that radius found the "bogus" realm means that there should be SQL auth lines appearing immediately after the "mschap returns noop" line. They don't show up, which means FR either wasn't seeing Autz-Type at that point, or some other module changed it.