allowing multiple Auth-Type in authorize file

Alan DeKok aland at
Sat Mar 23 19:54:34 CET 2019

On Mar 23, 2019, at 10:28 AM, Niels Tomey <niels at> wrote:
> I’ve set up freeradius 3.0.17 quite some time ago to process ssh logins
> based on LDAP/AD accounts (with group membership in post-auth) and this
> works fine. I followed the guide on (
> but haven’t implemented the mschap section as I didn’t need it at the time.


> Now I am running into this need and I was trying to figure out why it
> wasn’t working only to discover that I left the
> DEFAULT     Auth-Type = ntlm_auth
> Line in the mods-config/files/authorize file. As expected this breaks my
> attempts to include mschap.

  Yes.  You can set that only if there's no MS-CHAP attributes.

> My problem is that this is the only non-commented line in the entire file,
> so rather than just delete the line I need to enter some other information
> here to prevent the
> ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject


> In the comments in the file it states that multiple DEFAULTs can be used
> with Fall-Through so I tried this:
> DEFAULT              Auth-Type = ntlm_auth
> Fall-Through = Yes
> DEFAULT              Auth-Type = mschap
> But this doesn’t work.

  Yes.  Don't set multiple Auth-Types.

  Plus, the "users" file can't really do complex if / then / else checks.  Use "unlang" for that.

> What is the best approach for this? I would like to
> avoid having to name my users here since they are in ldap already and I
> don’t know if a device will only authenticate using mschap or not (e.g. it
> will be difficult to split this out in the clients.conf file).

  Delete the Auth-Type entries from mods-config/files/authorize .  Then edit sites-enabled/default:

authorize {
	mschap	# sets Auth-Type mschap for MSCHAP stuff...

	# If it's PAP, use ntlm_auth
	if (User-Password) {
		update control {
			Auth-Type := ntlm_auth

  That should work.

  Alan DeKok.

More information about the Freeradius-Users mailing list