See below... --- Alan DeKok <aland@deployingradius.com> wrote:
Phil Thompson <phil@yarwell.demon.co.uk> wrote:
no doubt, however it is interesting that many people come to a point where they make such a setting, don't you find.
At first, it appears to make sense to force MS-CHAP when you want to do MS-CHAP. Then, for some reason, everything else fails later.... and it's difficult to know why, because the server *is* doing what you told it to do. So you force it to do EAP, but then MS-CHAP breaks, and you're frustrated that it's so hard to configure.
If you could clarify why that is and fix it you wouldn't have to shout in mailing lists.
The reason for shouting it in mailing lists is that people *still* say it's a good thing to do, despite lots of documentation saying it's a bad idea, and near-daily messages on this list saying it's a bad idea.
And your solution is... more documentation? Sorry, that won't help. The people who need it the most won't read it.
I'm starting to think that removing Auth-Type from 2.0 is a good idea.
Is it feasible to disable access to setting it, unless it explicitly added or enabled in the FR configuration, much like the various auth modules themselves? Then, at least, a warning could appear in the "-X" output indicating "Manual AuthType access enabled" so to immediately identify someone has already tried breaking their server :) Laker
I have just verified it is not necessary by commenting it out, thanks.
See?
I think you're saying at
http://deployingradius.com/documents/configuration/auth_type.html
that a
default auth-type is not necessary and should not be set. Is that so ? In which case having
DEFAULT Auth-Type = System
in the users file in the FreeRADIUS tarball helps to get us off on the wrong foot :-)
Yes. That's been deleted in 2.0, and many of the modules updated, in order to make it even easier to get it to work.
I think it's high time for 2.0. I've been waiting for a few fixes for entirely too long now...
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com