Auth-Type discussion

Alan DeKok aland at
Sat Aug 5 17:22:13 CEST 2006

Phil Thompson <phil at> wrote:
> no doubt, however it is interesting that many people come to a point 
> where they make such a setting, don't you find.

  At first, it appears to make sense to force MS-CHAP when you want to
do MS-CHAP.  Then, for some reason, everything else fails
later.... and it's difficult to know why, because the server *is*
doing what you told it to do.  So you force it to do EAP, but then
MS-CHAP breaks, and you're frustrated that it's so hard to configure.

> If you could clarify why that is and fix it you wouldn't have to
> shout in mailing lists.

  The reason for shouting it in mailing lists is that people *still*
say it's a good thing to do, despite lots of documentation saying it's
a bad idea, and near-daily messages on this list saying it's a bad

  And your solution is... more documentation?  Sorry, that won't help.
The people who need it the most won't read it.

  I'm starting to think that removing Auth-Type from 2.0 is a good

> I have just verified it is not necessary by commenting it out, thanks.


> I think you're saying at 
> that a 
>   default auth-type is not necessary and should not be set. Is that so ? 
> In which case having
> DEFAULT Auth-Type = System
> in the users file in the FreeRADIUS tarball helps to get us off on the 
> wrong foot :-)

  Yes.  That's been deleted in 2.0, and many of the modules updated,
in order to make it even easier to get it to work.

  I think it's high time for 2.0.  I've been waiting for a few fixes
for entirely too long now...

  Alan DeKok.
--       - The web site of the book - The blog

More information about the Freeradius-Users mailing list