Post Auth and Logging Multiple MSCHAP modules

Matthew Newton matthew at
Mon Jun 5 17:11:56 CEST 2017

On Mon, Jun 05, 2017 at 10:45:55AM -0400, Alan DeKok wrote:
>   You *should* be deciding what domain to use up front, and
>   then selecting the appropriate MS-CHAP module based on that.
>   That way, the "mschap-a" module doesn't get overloaded with
>   requests which really should be for "mschap-b"

About the only time I've found this useful is in the transition
stage between two AD domains when the list of users in each
domain is changing rapidly as they move over. But this is just a
temporary configuration.

In that situation, however, nobody cares about *where* the auth
is actually going. And at the end of the move the old mschap
config is just removed.

Other than that, different realms or an LDAP lookup can easily
find the right domain to authenticate against first.


More information about the Freeradius-Users mailing list