#
# [WARNING]
# ====
-# Whatever you do, do NOT set 'Auth-Type := EAP'. The server is smart enough
+# Whatever you do, do NOT set 'Auth-Type := ::EAP'. The server is smart enough
# to figure this out on its own.
#
-# The most common side effect of setting 'Auth-Type := EAP' is that the users
+# The most common side effect of setting 'Auth-Type := ::EAP' is that the users
# then cannot use ANY other authentication method.
# ====
#
# ----
# ldap
# if ((ok || updated) && &User-Password) {
- # &control.Auth-Type := ldap
+ # &control.Auth-Type := ::ldap
# }
# ----
# ====
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
-#lameuser Auth-Type := Reject
+#lameuser Auth-Type := ::Reject
# Reply-Message = "Your account has been disabled."
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
-#DEFAULT Group == "disabled", Auth-Type := Reject
+#DEFAULT Group == "disabled", Auth-Type := ::Reject
# Reply-Message = "Your account has been disabled."
#
# the user.
#
if (!&State) {
- &control.Auth-Type := Step1
+ &control.Auth-Type := ::Step1
&control.Password.Cleartext := "hello"
}
else {
# Set the "known good" password to the number
# saved in the session-state list.
#
- &control.Auth-Type := Step2
+ &control.Auth-Type := ::Step2
&control.Password.Cleartext := &session-state.challenge-string
}
}
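Review bot: The `!&State` branch still assigns the fixed known-good password `"hello"` to every first-round request, which is only reasonable if this file is a demonstration of challenge-response and is never enabled as shipped. The visible comments do not say so, and a line such as `# Demo only: replace the fixed password before enabling this virtual server.` above the assignment would make that explicit. The enclosing section starts outside the hunk, so this reading is inferred from the lines shown.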
#
# Authorize - this is the only section required.
#
-# To accept the access request, set Auth-Type = Accept, otherwise
+# To accept the access request, set Auth-Type = ::Accept, otherwise
# set it to Reject.
recv Access-Request {
#
# By default, we just accept the request:
#
- &control.Auth-Type := Accept
+ &control.Auth-Type := ::Accept
#
# Check the client certificate matches a string, and reject otherwise
#
# if ("%{session-state.TLS-Client-Cert-Common-Name}" == 'client.example.com') {
-# &control.Auth-Type := Accept
+# &control.Auth-Type := ::Accept
# }
# else {
-# &control.Auth-Type := Reject
+# &control.Auth-Type := ::Reject
# &reply.Reply-Message := "Your certificate is not valid."
# }
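Review bot: The only active statement in `recv Access-Request` sets `&control.Auth-Type := ::Accept` unconditionally, and the certificate check below it is commented out, so as shipped every request reaching this section is accepted. Presumably the TLS layer has already validated the certificate chain before this section runs, but the comment above the assignment should state what is and is not checked, for example `# Accepts any certificate that passed chain validation; enable a check below to bind it to an identity.` The header comment also writes `Auth-Type = ::Accept` while the code uses `:=`, and using the same operator in both avoids a copy-paste surprise.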
# Check the client certificate common name against the supplied User-Name
#
# if (&User-Name == "host/%{session-state.TLS-Client-Cert-Common-Name}") {
-# &control.Auth-Type := Accept
+# &control.Auth-Type := ::Accept
# }
# else {
-# &control.Auth-Type := Reject
+# &control.Auth-Type := ::Reject
# }
#
# if (!(Ldap-Group == "Permitted-Laptops")) {
-# &control.Auth-Type := Reject
+# &control.Auth-Type := ::Reject
# }
# or, to be more specific, you could use the group's full DN:
# auth_log
#
- # The `chap` module will set `Auth-Type := CHAP` if the
+ # The `chap` module will set `Auth-Type := ::CHAP` if the
# packet contains a `CHAP-Challenge` attribute. The module
# does this only if the `Auth-Type` attribute has not already
# been set.
chap
#
- # The `mschap` module will set `Auth-Type := mschap` if the
+ # The `mschap` module will set `Auth-Type := ::mschap` if the
# packet contains an `MS-CHAP-Challenge` attribute. The
# module does this only if the `Auth-Type` attribute has not
# already been set.
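Review bot: The value names in these comments are not spelled consistently: this hunk has `::CHAP` next to `::mschap`, the next hunk has `::PAP`, and the later inner-tunnel hunk documents the same module as `::MS-CHAP`. With the `::` prefix these now read as literal enum names, so an administrator copying one into a policy would expect it to resolve. The `authenticate` sections that define the names are outside this diff, so which spelling is correct cannot be confirmed from here. It would be worth settling on the spelling those sections use and applying it to every comment the commit touches.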
expiration
#
- # The `pap` module will set `Auth-Type := PAP` if the
+ # The `pap` module will set `Auth-Type := ::PAP` if the
# packet contains a `User-Password` attribute. The module
# does this only if the `Auth-Type` attribute has not already
# been set.
# authentication method will work, but all of the others will not.
#
# The common reasons to set the `Auth-Type` attribute by hand are
-# to forcibly reject the user (`Auth-Type := Reject`), to or
-# forcibly accept the user (`Auth-Type := Accept`), or for
+# to forcibly reject the user (`Auth-Type := ::Reject`), to or
+# forcibly accept the user (`Auth-Type := ::Accept`), or for
# proxying.
#
-# Note that `Auth-Type := Accept` will NOT work with EAP. The EAP
+# Note that `Auth-Type := ::Accept` will NOT work with EAP. The EAP
# authentication protocol uses a series of handshake messages. All
# of the messages must be exchanged correctly in order for EAP
# authentication to succeed. Bypassing that process with `Auth-Type
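Review bot: The rewritten comment keeps the transposed words "to or forcibly accept the user", which should read "or to forcibly accept the user". Since the commit already edits both lines, the word order can be fixed in the same change. The paragraph about EAP continues past the end of the hunk.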
filter_inner_identity
#
- # The chap module will set 'Auth-Type := CHAP' if we are
+ # The chap module will set 'Auth-Type := ::CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
chap
#
# If the users are logging in with an MS-CHAP-Challenge
# attribute for authentication, the mschap module will find
- # the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
+ # the MS-CHAP-Challenge attribute, and add 'Auth-Type := ::MS-CHAP'
# to the request, which will cause the server to then use
# the mschap module for authentication.
mschap
# This section lists which modules are available for authentication.
# Note that it does NOT mean 'try each module in order'. It means
# that a module from the 'authorize' section adds a configuration
-# attribute 'Auth-Type := FOO'. That authentication type is then
+# attribute 'Auth-Type := ::FOO'. That authentication type is then
# used to pick the appropriate module from the list below.
#