Quoting Phil Mayers <[EMAIL PROTECTED]>:

>> > 2) INNER Auth part ensures that the ldap module is only called for the
>> > INNER part of the check...not for everything else. also very very useful
>> > as it stops outer ID junk and debris from being checked.
>>
>> What IS 'the INNER part' (may depend on the answer on my first question
>> above) as opposed to 'the outer'? In context I get the general idea, but
>> the actual definition on INNER and OUTER?
>
> You're getting hung up on the specifics, which is probably my fault for
> giving minimal info; Autz-Type is a general mechanism. Please see
> doc/Autz-Type for more info.

I'm only slightly wiser from reading that... Shouldn't 'eap' and 'mschap'
be in this Authz-Type too then?

----- s n i p ----
authorize {
        preprocess
        auth_log
        chap
        mschap
        digest
        IPASS
        suffix
        realmpercent
        ntdomain
        eap
        files
        Autz-Type INNER {
                ldap
        }
}
----- s n i p ----

What I don't understand is why everything is done so many times! The
'authorize' section is done a whole bunch of times, just to authenticate
ONE user [request].

If I have understood the Authz-Type file correctly (which I'm quite sure I
haven't), I'd put the whole 'authorize' section in an 'Authz-Type' section!
But that can't be right...