Radius Server refusing to MS-CHAP
Phil Mayers
p.mayers at imperial.ac.uk
Sat Jan 13 02:43:36 CET 2007
Evan Vittitow wrote:
> DEFAULT Auth-Type := MS-CHAP
> Fall-Through = 1
>
> Thats what it is set too, should it be something else?
The ONLY circumstances you should set Auth-Type to ANYTHING are (in
order of probability):
1. Setting it to Reject to refuse authentication e.g. based on group
2. Setting it to Accept for PAP requests which you wish to permit-all
e.g. MAC-based authentication
3. Setting it (in old versions of the server) for the few modules
which don't set it to themselves - namely, PAP
Basically - DON'T set it. Delete that entry from the users file
completely. Let the server figure it out, it will do the right thing if
configured correctly.
>
> Also, do you know how to have pppd use Client side PEAP? Maybe I can
> skip MS-CHAP and use PEAP for both PPTP and 802.1X
Not sure - you'd have to consult the pppd docs. In theory it's possible,
but I know of no-one using it, and I'm not sure it interacts correctly
with PPTP.
More information about the Freeradius-Users
mailing list