{
        #
        #  The chap module will set 'Auth-Type := CHAP' if we are
        #  handling a CHAP request and Auth-Type has not already been set
}        chap
{
        #
        #  If the users are logging in with an MS-CHAP-Challenge
        #  attribute for authentication, the mschap module will find
        #  the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP'
        #  to the request, which will cause the server to then use
        #  the mschap module for authentication.
}        mschap
{
        #
        #  Pull crypt'd passwords from /etc/passwd or /etc/shadow,
        #  using the system APIs to get the password.  If you want
        #  to read /etc/passwd or /etc/shadow directly, see the
        #  passwd module, above.
        #
}#       unix
{
        #
        #  Look for IPASS style 'realm/', and if not found, look for
        #  '@realm', and decide whether or not to proxy, based on
        #  that.
}#       IPASS
{
        #
        #  If you are using multiple kinds of realms, you probably
        #  want to set "ignore_null = yes" for all of them.
        #  Otherwise, when the first style of realm doesn't match,
        #  the other styles won't be checked.
        #
        #  Note that proxying the inner tunnel authentication means
        #  that the user MAY use one identity in the outer session
        #  (e.g. "anonymous"), and a different one here
        #  (e.g. "user@example.com").  The inner session will then be
        #  proxied elsewhere for authentication.  If you are not
        #  careful, this means that the user can cause you to forward
        #  the authentication to another RADIUS server, and have the
        #  accounting logs *not* sent to the other server.  This makes
        #  it difficult to bill people for their network activity.
        #
}        suffix
#       ntdomain
{
        #
        #  The "suffix" module takes care of stripping the domain
        #  (e.g. "@example.com") from the User-Name attribute, and the
        #  next few lines ensure that the request is not proxied.
        #
        #  If you want the inner tunnel request to be proxied, delete
        #  the next few lines.
        #

}        update control \{
               Proxy-To-Realm := LOCAL
        \}
{
        #
        #  This module takes care of EAP-MSCHAPv2 authentication.
        #
        #  It also sets the EAP-Type attribute in the request
        #  attribute list to the EAP type from the packet.
        #
        #  The example below uses module failover to avoid querying all
        #  of the following modules if the EAP module returns "ok".
        #  Therefore, your LDAP and/or SQL servers will not be queried
        #  for the many packets that go back and forth to set up TTLS
        #  or PEAP.  The load on those servers will therefore be reduced.
        #
}        eap \{
                ok = return
        \}
{
        #
        #  Read the 'users' file
}       files
{
        #
        #  Look in an SQL database.  The schema of the database
        #  is meant to mirror the "users" file.
        #
        #  See "Authorization Queries" in sql.conf
        #
        #  The sql line below is emitted commented out, so only the
        #  LDAP lookup runs here.  The leading '-' on a module name
        #  makes the reference optional: it is skipped when that
        #  module is not enabled.
        #
        #  When the ldap lookup returns ok or updated and the inner
        #  request carries a User-Password, Auth-Type is forced to
        #  ldap.  User-Password is normally present only for
        #  clear-text inner methods (e.g. PAP inside TTLS); MS-CHAP
        #  and EAP-MSCHAPv2 requests do not carry it, so this branch
        #  does not apply to them.
        #
        #  NOTE(review): ':=' replaces any Auth-Type that an earlier
        #  module in this section has set.  If that override is not
        #  intended, also test that control:Auth-Type is unset.
        #  Auth-Type ldap also needs a matching entry in the
        #  authenticate section, which is not part of this
        #  fragment - confirm.
}#       -sql
        -ldap
        if ((ok || updated) && User-Password) \{
          update control \{
            Auth-Type := ldap
          \}
        \}
{
        #
        #  Enforce daily limits on time spent logged in.
        #
        #  The daily line below is emitted commented out, so that
        #  limit is not enforced by this fragment.  The two modules
        #  that follow it stay active: expiration checks the account
        #  expiry date and logintime checks the permitted login
        #  hours (presumably the Expiration and Login-Time check
        #  items - confirm against the module configuration).
}#       daily
        expiration
        logintime
{
 	#  If you are using /etc/smbpasswd, and are also doing
   	#  mschap authentication, then un-comment this line, and
  	#  enable the "smbpasswd" module.
        #
        #  NOTE(review): the smbpasswd line below is emitted without
        #  a leading '#' or '-', so it is already active here and the
        #  module has to be enabled for this section to load - confirm.
}        smbpasswd
{
        #
        #  If no other module has claimed responsibility for
        #  authentication, then try to use PAP.  This allows the
        #  other modules listed above to add a "known good" password
        #  to the request, and to do nothing else.  The PAP module
        #  will then see that password, and use it to do PAP
        #  authentication.
        #
        #  This module should be listed last, so that the other modules
        #  get a chance to set Auth-Type for themselves.
        #
}        pap

