Re: Freeradius-Users Digest, Vol 16, Issue 18
Subject: Re: Password Problem From: "Alan DeKok" <aland@deployingradius.com> Date: Fri, 04 Aug 2006 13:04:15 -0400
PhilT <phil@yarwell.demon.co.uk> wrote:
1. In the MySQL database do you have the Attribute set to Password and not something else, for example "11 usernamehere PASSWORD == passwordhere" 2. In Freeradius users file DEFAULT Auth-Type := Local
NO. Do NOT SET THAT. It's NOT NECESSARY.
That point has been repeated again and again on this list.
no doubt, however it is interesting that many people come to a point where they make such a setting, don't you find. If you could clarify why that is and fix it you wouldn't have to shout in mailing lists. I have just verified it is not necessary by commenting it out, thanks. I think you're saying at http://deployingradius.com/documents/configuration/auth_type.html that a default auth-type is not necessary and should not be set. Is that so ? In which case having DEFAULT Auth-Type = System in the users file in the FreeRADIUS tarball helps to get us off on the wrong foot :-) Phil
Phil Thompson <phil@yarwell.demon.co.uk> wrote:
no doubt, however it is interesting that many people come to a point where they make such a setting, don't you find.
At first, it appears to make sense to force MS-CHAP when you want to do MS-CHAP. Then, for some reason, everything else fails later.... and it's difficult to know why, because the server *is* doing what you told it to do. So you force it to do EAP, but then MS-CHAP breaks, and you're frustrated that it's so hard to configure.
If you could clarify why that is and fix it you wouldn't have to shout in mailing lists.
The reason for shouting it in mailing lists is that people *still* say it's a good thing to do, despite lots of documentation saying it's a bad idea, and near-daily messages on this list saying it's a bad idea. And your solution is... more documentation? Sorry, that won't help. The people who need it the most won't read it. I'm starting to think that removing Auth-Type from 2.0 is a good idea.
I have just verified it is not necessary by commenting it out, thanks.
See?
I think you're saying at http://deployingradius.com/documents/configuration/auth_type.html that a default auth-type is not necessary and should not be set. Is that so ? In which case having
DEFAULT Auth-Type = System
in the users file in the FreeRADIUS tarball helps to get us off on the wrong foot :-)
Yes. That's been deleted in 2.0, and many of the modules updated, in order to make it even easier to get it to work. I think it's high time for 2.0. I've been waiting for a few fixes for entirely too long now... Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
See below... --- Alan DeKok <aland@deployingradius.com> wrote:
Phil Thompson <phil@yarwell.demon.co.uk> wrote:
no doubt, however it is interesting that many people come to a point where they make such a setting, don't you find.
At first, it appears to make sense to force MS-CHAP when you want to do MS-CHAP. Then, for some reason, everything else fails later.... and it's difficult to know why, because the server *is* doing what you told it to do. So you force it to do EAP, but then MS-CHAP breaks, and you're frustrated that it's so hard to configure.
If you could clarify why that is and fix it you wouldn't have to shout in mailing lists.
The reason for shouting it in mailing lists is that people *still* say it's a good thing to do, despite lots of documentation saying it's a bad idea, and near-daily messages on this list saying it's a bad idea.
And your solution is... more documentation? Sorry, that won't help. The people who need it the most won't read it.
I'm starting to think that removing Auth-Type from 2.0 is a good idea.
Is it feasible to disable access to setting it, unless it explicitly added or enabled in the FR configuration, much like the various auth modules themselves? Then, at least, a warning could appear in the "-X" output indicating "Manual AuthType access enabled" so to immediately identify someone has already tried breaking their server :) Laker
I have just verified it is not necessary by commenting it out, thanks.
See?
I think you're saying at
http://deployingradius.com/documents/configuration/auth_type.html
that a
default auth-type is not necessary and should not be set. Is that so ? In which case having
DEFAULT Auth-Type = System
in the users file in the FreeRADIUS tarball helps to get us off on the wrong foot :-)
Yes. That's been deleted in 2.0, and many of the modules updated, in order to make it even easier to get it to work.
I think it's high time for 2.0. I've been waiting for a few fixes for entirely too long now...
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
__________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Yes. That's been deleted in 2.0, and many of the modules updated, in order to make it even easier to get it to work.
I think it's high time for 2.0. I've been waiting for a few fixes for entirely too long now...
Alan DeKok.
If it is worth anything... We are running the latest CVS 2.0.0pre0 here with great success. Call me stupid for running a CVS in a production environment, but there are just some cool new features with 2.0 that aren't in the 1.1 branch. I am anxiously waiting 2.0 release. I have found one issue with it, I don't know if it is a bug (see my previous _unanswered_ post : read_groups in cvs) Thanks Alan for such a WONDERFUL product.
Hi all, Maybe my mail will be out of the discussion, but we plan in middle term to migrate an existing AAA system from a commercial software to FreeRADIUS. We already made a prototype to check the feasability (existing system performs authentication against Oracle database sotred procedures). The result of our analysis is that Auth-Type, Post-Auth-Type and Acct-Type are interesting features. Actually, we have several types of users (local prepaid, local postpaid, users to proxy to their home AAA, and postpaid and prepaid users connecting from other networks, so RADIUS traffic is received from a partner AAA). All authentication is planned to be done with custom modules, and in order to have good software maintenability, we plan to make 1 module per traffic type (local prepaid, local postpaid...) + 1 module for traffic identification. Therefore we are likely to use the Auth-Type (and thus Acct-Type) feature. Knowing that Auth-Type is likely to disappear may not be good news for our forseen implementation. Any comments will be welcome. Regards, Geof.
Geoffroy Arnoud <garnoud@yahoo.co.uk> wrote:
Maybe my mail will be out of the discussion, but we plan in middle term to migrate an existing AAA system from a commercial software to FreeRADIUS.
I don't mind hearing that. :)
All authentication is planned to be done with custom modules, and in order to have good software maintenability, we plan to make 1 module per traffic type (local prepaid, local postpaid...) + 1 module for traffic identification. Therefore we are likely to use the Auth-Type (and thus Acct-Type) feature.
OK... about the only times you need a custom authentication type are: a) you need to support a new authentication protocol b) you need to interact with another authentication server (e.g. ntlm_auth) If neither matches your systems, I'd think carefully about using Auth-Type. It's probably the wrong solution to the problem.
Knowing that Auth-Type is likely to disappear may not be good news for our forseen implementation.
The functionality won't go away, that's definite. However, it may be more difficult to use, for the simple reason that so many people get it wrong. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (5)
-
Alan DeKok -
Duane Cox -
Geoffroy Arnoud -
Laker Netman -
Phil Thompson