-Like Auth-Type for authentication method selection freeradius also
-supports the Autz-Type to select between authorization methods. The only
-problem is that authorization is the first thing to be called when an
-authentication request is handled. As a result we first have to call the
-authorize section without checking for Autz-Type. After that we check for
-Autz-Type and if it exists we call the corresponding subsection in the
-authorize section. In other words the authorize section in radiusd.conf
-should look like this:
+Session-Type is used to select between groupings of
+modules in the session stanza using arbitrary attributes.
+It is functionally identical to Acct-Type, apart from
+the name of the attribute. This means that (unlike
+Autz-Type) the attribute must be set before the stanza
+is run. Changes to Session-Type during session will
+have no effect.
+This allows Simultaneous-Use checking behaviour to be very flexible.
-authorize{
- suffix
- preprocess
- # whatever other authorize modules here
- autztype Ldap{
- ldap
- }
- autztype SQL{
- sql
- }
- files
-}
-
-What happens is that the first time the authorize section is examined the
-suffix, preprocess and files modules are executed. If Autz-Type is set
-after that the server core checks for any matching autztype subsection.
-If one is found it is called. The users file should look something
-like this:
-
-DEFAULT Called-Station-Id == "123456789", Autz-Type := Ldap
-
-DEFAULT Realm == "other.company.com", Autz-Type := SQL
-
-Autz-Type could also be used to select between multiple instances of
-a module (ie sql or ldap) which have been configured differently. For
-example based on the user realm different ldap servers (belonging to
-different companies) could be queried. If Auth-Type was also set then we
-could do both Authentication and Authorization with the user databases
-belonging to other companies. In detail:
-
-radiusd.conf-----------------
-
-authenticate{
- authtype customer1{
- ldap1
- }
- authtype customer2{
- ldap2
- }
-}
-
-authorize{
- preprocess
- suffix
- autztype customer1{
- ldap1
- }
- autztype customer2{
- ldap2
- }
- files
-}
-
------------------------------
-
-users file-------------------
-
-DEFAULT Realm == "customer1", Autz-Type := customer1, Auth-Type := customer2
-
-DEFAULT Realm == "customer2", Autz-Type := customer2, Auth-Type := customer2
-
-----------------------------
-
-Apart from Autz-Type the server also supports the use of PostAuth-Type,Session-Type
-and Acct-Type for the corresponding sections. The corresponding section names in the
-radiusd.conf file are post-authtype,sestype and accttype.
-So for example:
-
-users file---
-
-DEFAULT Called-Station-Id == "236473", Session-Type := SQL
-
-radiusd.conf---
-
-session{
- radutmp
- sesstype SQL {
- sql
- }
-}
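Review bot: The new `+` paragraph defines Session-Type only by comparison ("functionally identical to Acct-Type", "unlike Autz-Type"), while the `-` lines in the same patch delete every explanation of Autz-Type and Acct-Type and the only worked Session-Type example, so a reader of the resulting file has nothing to resolve those references against. Please keep, or rewrite, a short example next to the new text showing where the attribute is assigned and the matching subsection in the session stanza, along the lines of the removed `DEFAULT Called-Station-Id == "236473", Session-Type := SQL` and its `session{ ... }` block. "Must be set before the stanza is run" should also name the section in which it is expected to be set, because "Changes to Session-Type during session will have no effect" means a late assignment is silently ignored, and an administrator relying on a specific grouping for Simultaneous-Use checking would get no indication that it was not selected. Two smaller points: "during session" reads better as "during the session stanza", and the removed text spelled the subsection keyword both `sestype` and `sesstype`, so the new text should state the correct keyword once.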