John Dennis wrote: > Why does rlm_krb5 have behavior seemingly at > odds with the other types of modules in it's family (e.g. those which > can authenticate given a cleartext password).
*some* authentication modules can be listed in "authorize": * chap * mschap * eap This is because the *type* of authentication shows up in the packet: * CHAP-Password * MSCHAP-Challenge / Response * EAP-Message There is no corresponding attribute for Kerberos. There is no corresponding attribute for LDAP. On top of that, Kerberos, LDAP, etc. usually work *only* for User-Password. And there many, many such modules. "Automatically" choosing one is hard. If you can edit *anything* to require a particular authentication back-end, you might as well do it by setting Auth-Type. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html