Greetings,

I have a best practices question. I am currently building a freeradius+LVS cluster to replace an existing radius server. In the process I am trying to do things as solidly as possible. Part of this process is tidying up the users file. In the process I noticed a rule that made me a little squishy.

The purpose of the rule is to handle incoming requests from a cisco pix for VPN authentication. It is supposed to validate it using ntlm_auth. There are two ntlm_auth definitions in the radiusd.conf. One handles MS-CHAP and one is for ntlm_auth_plaintext.
I tested this rule with radtest (Making the necessary modifications  and it worked fine.

DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group = "CN=somevpn...", Auth-Type := ntlm_auth_plaintext
DEFAULT Huntgroup-Name = "vpn-pix",Ldap-Group != "CN=somevpn...", Auth-Type := Reject

Is it a good idea to force the auth-type in the users file? is there a cleaner way to do this? 

While rewriting the rules file I am pairing accept and denies as above. Is that necessary or will it turn out to be horribly inefficient?