1 files changed, 88 insertions, 0 deletions

diff --git a/doc/configuration/autz_type.rst b/doc/configuration/autz_type.rst
new file mode 100644
index 0000000..a91e4e5
--- /dev/null
+++ b/doc/configuration/autz_type.rst
@@ -0,0 +1,88 @@
+Autz-Type
+=========
+
+Like Auth-Type for authentication method selection freeradius also
+supports the Autz-Type to select between authorization methods.  The only
+problem is that authorization is the first thing to be called when an
+authentication request is handled.  As a result we first have to call the
+authorize section without checking for Autz-Type. After that we check for
+Autz-Type and if it exists we call the corresponding subsection in the
+authorize section.  In other words the authorize section in radiusd.conf
+should look like this::
+
+ authorize{
+         suffix
+         preprocess
+         # whatever other authorize modules here
+         Autz-Type Ldap{
+                 ldap
+         }
+         Autz-Type SQL{
+                 sql
+         }
+         files
+ }
+
+What happens is that the first time the authorize section is examined the
+suffix, preprocess and files modules are executed.  If Autz-Type is set
+after that the server core checks for any matching Autz-Type subsection.
+If one is found it is called.  The users file should look something
+like this::
+
+  DEFAULT        Called-Station-Id == "123456789", Autz-Type := Ldap
+
+  DEFAULT Realm == "other.example.com", Autz-Type := SQL
+
+Autz-Type could also be used to select between multiple instances of
+a module (ie sql or ldap) which have been configured differently.  For
+example based on the user realm different ldap servers (belonging to
+different companies) could be queried.  If Auth-Type was also set then we
+could do both Authentication and Authorization with the user databases
+belonging to other companies.  In detail:
+
+radiusd.conf::
+
+  authenticate{
+         Auth-Type customer1{
+                 ldap1
+         }
+         Auth-Type customer2{
+                 ldap2
+         }
+  }
+
+  authorize{
+         preprocess
+         suffix
+         Autz-Type customer1{
+                 ldap1
+         }
+         Autz-Type customer2{
+                 ldap2
+         }
+         files
+  }
+
+The users file::
+
+  DEFAULT Realm == "customer1", Autz-Type := customer1, Auth-Type := customer1
+
+  DEFAULT Realm == "customer2", Autz-Type := customer2, Auth-Type := customer2
+
+
+Apart from Autz-Type the server also supports the use of
+Acct-Type, Session-Type and Post-Auth-Type for the corresponding sections.
+The corresponding section names in the radiusd.conf file are the same.  So for example:
+
+users file::
+
+  DEFAULT Called-Station-Id == "236473", Session-Type := SQL
+
+radiusd.conf::
+
+ session {
+         radutmp
+         Session-Type SQL {
+                 sql
+         }
+ }