Radius Server refusing to MS-CHAP

Phil Mayers p.mayers at imperial.ac.uk
Sat Jan 13 02:43:36 CET 2007

Evan Vittitow wrote:
> DEFAULT Auth-Type := MS-CHAP
>     Fall-Through = 1
> Thats what it is set too, should it be something else?

The ONLY circumstances you should set Auth-Type to ANYTHING are (in 
order of probability):

  1. Setting it to Reject to refuse authentication e.g. based on group
  2. Setting it to Accept for PAP requests which you wish to permit-all 
e.g. MAC-based authentication
  3. Setting it (in old versions of the server) for the few modules 
which don't set it to themselves - namely, PAP

Basically - DON'T set it. Delete that entry from the users file 
completely. Let the server figure it out, it will do the right thing if 
configured correctly.

> Also, do you know how to have pppd use Client side PEAP? Maybe I can
> skip MS-CHAP and use PEAP for both PPTP and 802.1X

Not sure - you'd have to consult the pppd docs. In theory it's possible, 
but I know of no-one using it, and I'm not sure it interacts correctly 
with PPTP.

More information about the Freeradius-Users mailing list