Auth-Type discussion

Laker Netman laker_netman at yahoo.com
Sat Aug 5 19:45:02 CEST 2006


See below...

--- Alan DeKok <aland at deployingradius.com> wrote:

> Phil Thompson <phil at yarwell.demon.co.uk> wrote:
> > no doubt, however it is interesting that many people come to a point
> > where they make such a setting, don't you find.
> 
>   At first, it appears to make sense to force MS-CHAP when you want to
> do MS-CHAP.  Then, for some reason, everything else fails
> later.... and it's difficult to know why, because the server *is*
> doing what you told it to do.  So you force it to do EAP, but then
> MS-CHAP breaks, and you're frustrated that it's so hard to configure.
> 
> > If you could clarify why that is and fix it you wouldn't have to
> > shout in mailing lists.
> 
>   The reason for shouting it in mailing lists is that people *still*
> say it's a good thing to do, despite lots of documentation saying it's
> a bad idea, and near-daily messages on this list saying it's a bad
> idea.
> 
>   And your solution is... more documentation?  Sorry, that won't help.
> The people who need it the most won't read it.
> 
>   I'm starting to think that removing Auth-Type from 2.0 is a good
> idea.

Is it feasible to disable access to setting it, unless
it is explicitly added or enabled in the FR
configuration, much like the various auth modules
themselves?  Then, at least, a warning could appear in
the "-X" output indicating "Manual AuthType access
enabled" so as to immediately identify that someone has
already tried breaking their server :)

Laker

> 
> > I have just verified it is not necessary by commenting it out, thanks.
> 
>   See?
> 
> > I think you're saying at
> > http://deployingradius.com/documents/configuration/auth_type.html
> > that a default auth-type is not necessary and should not be set.
> > Is that so? In which case having
> > 
> > DEFAULT Auth-Type = System
> > 
> > in the users file in the FreeRADIUS tarball helps to get us off on the
> > wrong foot :-)
> 
>   Yes.  That's been deleted in 2.0, and many of the modules updated,
> in order to make it even easier to get it to work.
> 
>   I think it's high time for 2.0.  I've been waiting for a few fixes
> for entirely too long now...
> 
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> 
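
A check in the spirit of the warning suggested above, as an added example that is not part of the original thread and not FreeRADIUS code: it scans a `users` file for entries whose check items assign Auth-Type, such as the `DEFAULT Auth-Type = System` line discussed. The function name, the sample file, and the choice to leave `Accept`/`Reject` unflagged are assumptions of this example.

```python
import re

# Constructed sample in the FreeRADIUS "users" file layout (not from the thread).
SAMPLE_USERS = '''\
# constructed sample
bob     Cleartext-Password := "hello"
        Reply-Message = "Hello, bob"

alice   Auth-Type := MS-CHAP, Cleartext-Password := "secret"

blocked Auth-Type := Reject
        Reply-Message = "Account disabled"

DEFAULT Auth-Type = System
        Fall-Through = 1
'''

# Assumption: Accept/Reject only short-circuit the decision, so they are not flagged.
ALLOWED_VALUES = {"accept", "reject"}

# One check item: attribute, operator, then a quoted or bare value.
ITEM_RE = re.compile(
    r'([A-Za-z0-9_.-]+)\s*(:=|==|\+=|!=|=~|!~|<=|>=|=|<|>)\s*("[^"]*"|[^,\s]+)')

def find_forced_auth_type(users_text):
    """Return (line_no, entry, operator, value) for check items that assign Auth-Type."""
    findings = []
    for line_no, raw in enumerate(users_text.splitlines(), start=1):
        line = raw.rstrip()
        # Entries start in column 0; indented lines are reply items, '#' lines are comments.
        if not line or line[0].isspace() or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        entry, checks = parts
        for attr, op, value in ITEM_RE.findall(checks):
            value = value.strip('"')
            # '=' and ':=' assign the attribute; '==' and friends only compare it.
            if (attr.lower() == "auth-type" and op in ("=", ":=")
                    and value.lower() not in ALLOWED_VALUES):
                findings.append((line_no, entry, op, value))
    return findings

if __name__ == "__main__":
    for line_no, entry, op, value in find_forced_auth_type(SAMPLE_USERS):
        print(f"warning: line {line_no}: entry {entry!r} forces Auth-Type {op} {value}")
```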

