allowing multiple Auth-Type in authorize file

Niels Tomey niels at ixs.ph
Sat Mar 23 15:28:19 CET 2019


Hi,



I set up FreeRADIUS 3.0.17 quite some time ago to process SSH logins
based on LDAP/AD accounts (with group membership in post-auth) and this
works fine. I followed the guide on deployingradius.com
(http://deployingradius.com/documents/configuration/active_directory.html),
but haven’t implemented the mschap section as I didn’t need it at the time.



Now I am running into this need and I was trying to figure out why it
wasn’t working only to discover that I left the



DEFAULT     Auth-Type = ntlm_auth



line in the mods-config/files/authorize file. As expected, this breaks my
attempts to include mschap.



My problem is that this is the only non-commented line in the entire file,
so rather than just delete the line I need to enter some other information
here to prevent the



ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject



The comments in the file state that multiple DEFAULTs can be used
with Fall-Through, so I tried this:



DEFAULT              Auth-Type = ntlm_auth
Fall-Through = Yes



DEFAULT              Auth-Type = mschap



But this doesn’t work. What is the best approach for this? I would like to
avoid having to name my users here since they are in LDAP already and I
don’t know if a device will only authenticate using mschap or not (e.g. it
will be difficult to split this out in the clients.conf file).



My Google skills are letting me down on this; some pointers in the right
direction would be very much appreciated.



Regards,



Niels

