allowing multiple Auth-Type in authorize file

Niels Tomey niels at
Sat Mar 23 15:28:19 CET 2019


I’ve set up freeradius 3.0.17 quite some time ago to process ssh logins
based on LDAP/AD accounts (with group membership in post-auth) and this
works fine. I followed the guide on (,
but haven’t implemented the mschap section as I didn’t need it at the time.

Now I am running into this need and I was trying to figure out why it
wasn’t working only to discover that I left the

DEFAULT     Auth-Type = ntlm_auth

line in the mods-config/files/authorize file. As expected this breaks my
attempts to include mschap.

My problem is that this is the only non-commented line in the entire file,
so rather than just delete the line I need to enter some other information
here to prevent the

ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

In the comments in the file it states that multiple DEFAULTs can be used
with Fall-Through so I tried this:

DEFAULT              Auth-Type = ntlm_auth

Fall-Through = Yes

DEFAULT              Auth-Type = mschap

But this doesn’t work. What is the best approach for this? I would like to
avoid having to name my users here since they are in LDAP already and I
don’t know if a device will only authenticate using mschap or not (e.g. it
will be difficult to split this out in the clients.conf file).

My Google skills are letting me down on this, some pointers in the right
direction would be very much appreciated.



