setting auth type
Alan DeKok
aland at deployingradius.com
Tue May 31 23:20:13 UTC 2022
On May 31, 2022, at 4:29 PM, Luke Smith <LukeS at coloradovalley.com> wrote:
> I'm trying to get several of my systems to work with radius and I'm noticing they are trying to authenticate via pap and I have no option to change it.
If the systems only do PAP, then that's what they do. But the good news is that PAP is generally the best / most compatible authentication method to use.
> However, in looking at the below debug output from radius it looks like radius is denying it before it is even getting to pa. I'd honestly like to setup an "allow all" as long as the AD user/pass combo works but I can't find anything about setting this up.
If the username exists, and the password matches, the server will send an Access-Accept.
> ..
> rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 10.1.48-MariaDB, protocol version 10
> (0) [sql] = notfound
The user isn't found in SQL.
> (0) [expiration] = noop
> (0) [logintime] = noop
> (0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
> (0) pap: WARNING: Authentication will fail unless a "known good" password is available
> (0) [pap] = noop
> (0) } # authorize = ok
> (0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
And therefore the user is rejected.
If you want to use Active Directory, there are extensive howto's on my web site:
http://deployingradius.com/
Alan DeKok.
More information about the Freeradius-Users
mailing list