7.1.7. Auth-Type Previous topic Parent topic Child topic Next topic

Auth-Type triggers special behaviour for authenticating the user. The possible values are:
  • Reject. Any access request will always be rejected. This is useful for temporarily disabling logins for a given user.
  • Accept. Forces acceptance, regardless of any following check items. Use with caution.
  • Reject:message. Same as for Reject, except that the message (which can be any string) will be sent back to the user in a Reply-Message (provided the enclosing Realm or Handler has RejectHasReason set). This may be useful for telling your user why their login has been rejected.
  • Ignore. Any access request will always be ignored (i.e. no reply will be sent back to the NAS). This is sometimes useful for triggering special behaviour in cascaded AuthBy clauses.
  • Anything else. Any other word specifies an Identifier in an AuthBy clause which will used to authenticate the user. The name is matched with the name specified in the Identifier parameter in an AuthBy clause. You can name any other type of AuthBy module, be it SQL, RADIUS, UNIX etc. Specifying Auth-Type for a user causes the authentication to be cascaded to another authentication module. You can cascade authentications like this to any arbitrary depth.
The Auth-Type check item is most useful when you want to have check items and/or reply items, but also want to authenticate with native Unix or NT passwords.
Checks all users using the authentication method that has the identifier System:
DEFAULT Auth-Type = System
If you want to temporarily disable logins for a single user:
username Auth-Type = Reject
This one rejects the user and tells them why:
username Auth-Type = "Reject:you did not pay your bill"
This will first authenticate with the Identifier System, and if they are also in the group "staticip", they will continue to be authenticated with the AuthBy clause that has the Identifier "statics":
DEFAULT Auth-Type=System, Group=staticip, Auth-Type=statics