Trouble with FR3 users file format

Diggins Mike diggins at
Tue Jan 1 21:22:08 CET 2019

Hello and Happy New Year!

I am building a new FR3 server running the latest version to replace my FR2 server. Both authenticate users using ntlm-auth only and Radtest confirms that is working for PAP and MSCHAP. However, my ported users file seems to be causing a change in behaviour. This is what the users file looks like (from FR2). 

userid2		Auth-Type = ntlm_auth
                   	Reply-Message = "attr1, attr2"
guest002           	Auth-Type = ntlm_auth
                   	Reply-Message = "attr1, attr2"
userid3            	Auth-Type = ntlm_auth
                   	Reply-Message = "attr1, attr2"
userid4            	Auth-Type = ntlm_auth
                 	Reply-Message = "attr1, attr2"
DEFAULT	Auth-Type = ntlm_auth

Only some of my users are in this file and have reply attributes. All other users also use ntlm_auth but have no reply attributes and are not listed in the file. Again, this worked in FR2.

Using the same file in FR3, authentication works correctly whether the user is in the file or not which is correct. However, I do not get the Reply-Message attributes in the reply unless the user happens to be the very first one listed in the file (userid2 in this case). guest002 gets nothing returned nor do any of the others.

If I remove the DEFAULT statement at the end of the file, any user in the users file authenticates correctly and gets the proper attributes returned in the Reply-Message. However, anyone not in the users file can no longer authenticate using PAP. Only MSCHAP works. I have users using both methods but no local passwords on the FR server.

It seems redundant to specify the ntlm_auth type for every user in my users file given that's the only available option for authentication. Is there a correct way to do this and restore the previous behaviour?


More information about the Freeradius-Users mailing list