FreeRadius out of the box....

Phil Mayers p.mayers at
Wed Apr 5 10:46:09 CEST 2006

Tony Spencer wrote:
> On testing I found users still couldn't authenticate by PAP or CHAP, I 
> run "radiusd -X" and from what I could see its because of the Default 
> setting:
> DEFAULT Auth-Type = System
>         Fall-Through = 1

That is no longer in the default config in CVS. If/when it'll make it 
into a release version, one of the developers would have to reply.

> What do I need to change to get Freeradius to accept both PAP and CHAP 
> authentication?

Remove that entry for a start.

FR 1.0.1 isn't a version I have installed or the source knocking around 
for, but at least in current versions (fixed in CVS) the handling of PAP 
and Auth-Type is a little inconsistent - there's no authorize handler 
for PAP.

You want something like:

modules {
   pap {
     encryption_scheme = clear
   chap {
     authtype = CHAP
   # .. rest of modules
authorize {
authenticate {
   Auth-Type CHAP {
   Auth-Type PAP {

...and in "users":

username User-Password := "string", Auth-Type = PAP

...since the Auth-Type is set using "=" if Auth-Type is ALREADY CHAP 
from the chap module, it won't be changed. If it isn't set, it'll be set 
to PAP and executed appropriately.

More information about the Freeradius-Users mailing list