Must set auth-type - but why?
Alan DeKok
aland at deployingradius.com
Fri May 11 13:47:05 CEST 2007
John Horne wrote:
> bob Auth-Type = Local,User-Password := "abc",Proxy-To-Realm := LOCAL
Don't set Auth-Type. Use "Cleartext-Password", not "User-Password".
The entry should look like:
bob Cleartext-Password := "abc", Proxy-To-Realm := LOCAL
> Whilst trying to sort this out, I noted Alan DeKok's comments (in the
> list archives) that generally Auth-Type does not need to be set (or
> indeed should *not* be set), and that FR will do the right thing. I am,
> therefore, a bit concerned that in this instance it seems that Auth-Type
> must be set for FR to work. I am wondering if this is because I have
> perhaps made some other error in the radiusd.conf file.
It's not necessary. The rest of the documentation says that you
should use Cleartext-Password.
See "man rlm_pap" for more information.
> So my question is, does anyone have an explanation for this behaviour?
> Obviously it is great that our 'users' files entries work under
> FreeRadius 1.1.6 with only a minor change. However, since generally
> Auth-Type should not be required, it is a worry that we *have* to set it
> to get FR to work. Since the radiusd output shows that FR sees this is
> an MS-CHAP request, I would have thought it would handle it correctly.
> It doesn't, but instead treats it as a 'Local' type request.
You have to set Auth-Type in your example only because you're using
User-Password. You should be using Cleartext-Password instead.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
More information about the Freeradius-Users
mailing list