FreeRADIUS InkBridge

Using the Autz-Type attribute

This documentation is a work in progress. This page is taken from the version 3 documentation, and has not yet been updated for version 4.

The general approach of this page is correct, but you will have to update the syntax if you are using version 4.

Contact InkBridge Networks for more details.

Goal: To control which authorization modules are executed for an Access-Request

Time: 10-20 minutes

Files:

  • etc/raddb/sites-available/default

  • etc/raddb/users

This exercise is a follow-up to the previous one in Multiple Modules, and it uses the byname and bydate modules configured there.

Start off by deleting the old log files:

$ rm -f /var/log/radius/radacct/byname/*
$ rm -f /var/log/radius/radacct/bydate/*

Edit the raddb/users file, and add the following text at the top:

DEFAULT  Autz-Type := byname
         Fall-Through = 1

In the raddb/sites-available/default file, edit the authorize section entries for the byname and bydate modules to be as follows:

Autz-Type byname {
	byname
}

Autz-Type bydate {
	bydate
}

Start the server, and send it a test packet (e.g., bob.sh).

Use the debug messages from the server to verify that only one of the modules is called.

Look in the log directory, and verify the existence of the files and their contents, as follows:

$ ls /var/log/radius/radacct/byname/
$ more /var/log/radius/radacct/byname/bob

$ ls /var/log/radius/radacct/bydate/
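
The directory check above can be scripted so that a stale or unexpected bydate file is not missed. This is an added example, not part of the FreeRADIUS documentation; the function names are hypothetical, and it assumes byname writes one file per User-Name (as the byname/bob path above suggests) and that the test packet is for user bob.

```shell
#!/bin/sh
# Added example: confirm that Autz-Type selected only the byname module.
# Assumed layout from this exercise:
#   <base>/byname/<User-Name>   and   <base>/bydate/<files>

# count_files DIR: print the number of regular files under DIR (0 if DIR is absent)
count_files() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -type f | wc -l | tr -d ' '
}

# check_autz_type BASE USER
#   returns 0: byname wrote a non-empty file for USER and bydate wrote nothing
#   returns 1: no byname entry for USER (Autz-Type not applied, or module not run)
#   returns 2: bydate holds files (both modules ran, or old logs were not deleted)
check_autz_type() {
    base=$1 user=$2
    if [ ! -s "$base/byname/$user" ]; then
        echo "FAIL: no byname entry for $user" >&2
        return 1
    fi
    n=$(count_files "$base/bydate")
    if [ "$n" -ne 0 ]; then
        echo "FAIL: bydate holds $n file(s); it should not have run" >&2
        return 2
    fi
    echo "OK: only byname handled $user"
}

# make_sample_tree DIR MODE: constructed sample data for trying the check offline,
# not real server output. MODE "both" simulates bydate having run as well.
make_sample_tree() {
    mkdir -p "$1/byname" "$1/bydate"
    echo 'User-Name = "bob"' > "$1/byname/bob"
    [ "$2" = both ] && echo 'User-Name = "bob"' > "$1/bydate/sample-date"
    return 0
}

# Run against a real log directory when called with two arguments,
# e.g.: sh check.sh /var/log/radius/radacct bob
if [ "$#" -eq 2 ]; then check_autz_type "$1" "$2"; fi
```

A return code of 2 right after the test packet usually means either the old bydate logs were not deleted first or the authorize section still lists bydate outside its Autz-Type block.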

Questions

  1. Why is it useful to not call certain modules for a request?

  2. Why is it useful to control which modules get called for a request?