Auth-Type discussion
Alan DeKok
aland at deployingradius.com
Sat Aug  5 17:22:13 CEST 2006

Phil Thompson <phil at yarwell.demon.co.uk> wrote:
> no doubt, however it is interesting that many people come to a point 
> where they make such a setting, don't you find.
  At first, it appears to make sense to force MS-CHAP when you want to
do MS-CHAP.  Then, for some reason, everything else fails
later.... and it's difficult to know why, because the server *is*
doing what you told it to do.  So you force it to do EAP, but then
MS-CHAP breaks, and you're frustrated that it's so hard to configure.
> If you could clarify why that is and fix it you wouldn't have to
> shout in mailing lists.
  The reason for shouting it in mailing lists is that people *still*
say it's a good thing to do, despite lots of documentation saying it's
a bad idea, and near-daily messages on this list saying it's a bad
idea.
  And your solution is... more documentation?  Sorry, that won't help.
The people who need it the most won't read it.
  I'm starting to think that removing Auth-Type from 2.0 is a good
idea.
> I have just verified it is not necessary by commenting it out, thanks.
  See?
> I think you're saying at 
> http://deployingradius.com/documents/configuration/auth_type.html that a 
> default auth-type is not necessary and should not be set. Is that so?
> In which case having
> 
> DEFAULT Auth-Type = System
> 
> in the users file in the FreeRADIUS tarball helps to get us off on the 
> wrong foot :-)
  Yes.  That's been deleted in 2.0, and many of the modules updated,
in order to make it even easier to get it to work.
  I think it's high time for 2.0.  I've been waiting for a few fixes
for entirely too long now...
  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
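
The failure mode described in the message above (forcing MS-CHAP breaks EAP, and forcing EAP breaks MS-CHAP), as an added example that is not part of the original post and is not FreeRADIUS code. It is a simplified model: the function names are hypothetical, the sample requests are constructed, and it assumes that a forced Auth-Type is never overridden by the detection step.

```python
# Simplified model of Auth-Type selection. Not FreeRADIUS source code;
# all function and variable names here are hypothetical.

# "authorize" step: each module claims a request only when it sees the
# RADIUS attributes of its own protocol.
DETECTORS = [
    ("MS-CHAP", "MS-CHAP-Challenge"),
    ("EAP", "EAP-Message"),
    ("PAP", "User-Password"),
]

def authorize(request, forced_auth_type=None):
    """Return the Auth-Type that will be used for this request."""
    if forced_auth_type is not None:
        # Assumption of this model: a forced value wins and the
        # modules leave it alone.
        return forced_auth_type
    for auth_type, attribute in DETECTORS:
        if attribute in request:
            return auth_type
    return None

def authenticate(request, auth_type):
    """Dispatch to the handler named by Auth-Type and report the outcome."""
    if auth_type is None:
        return "reject: no Auth-Type found"
    needed = dict(DETECTORS)[auth_type]
    if needed not in request:
        # The server did exactly what it was told: it ran the forced
        # handler, which cannot work on this kind of request.
        return f"reject: {auth_type} handler found no {needed}"
    return f"handled by {auth_type}"

def process(request, forced_auth_type=None):
    return authenticate(request, authorize(request, forced_auth_type))

# Constructed sample requests (attribute values are placeholders).
MSCHAP_REQ = {"User-Name": "bob", "MS-CHAP-Challenge": b"\x00" * 16,
              "MS-CHAP2-Response": b"\x00" * 50}
EAP_REQ = {"User-Name": "bob", "EAP-Message": b"\x02\x00\x00\x08\x01bob"}
PAP_REQ = {"User-Name": "bob", "User-Password": "constructed-password"}

if __name__ == "__main__":
    samples = {"MS-CHAP": MSCHAP_REQ, "EAP": EAP_REQ, "PAP": PAP_REQ}
    for forced in (None, "MS-CHAP", "EAP"):
        for name, req in samples.items():
            print(f"forced={forced!s:8} request={name:8} -> {process(req, forced)}")
```

With nothing forced, every request type is handled; with any single value forced, only the matching request type still works.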