Using the Auth-Type Attribute
The first, and foremost, recommendation for using the Auth-Type attribute is the following:
Don't use it.
The default configuration of the server, as shipped, works with the widest possible variety of authentication protocols. That is, so long as the server has a clear-text password for the user, the following authentication protocols will work out of the box:
- PAP
- CHAP
- MS-CHAPv1
- MS-CHAPv2
- HTTP Digest
- EAP-GTC
- EAP-MD5
- EAP-MS-CHAP
- EAP-TLS
- EAP-TTLS, with tunneled:
  - PAP
  - CHAP
  - MS-CHAPv1
  - MS-CHAPv2
  - EAP-GTC
  - EAP-MD5
  - EAP-MS-CHAP
- EAP-PEAP, with tunneled:
  - EAP-GTC
  - EAP-MD5
  - EAP-MS-CHAP
That is, the server looks at the attributes in the incoming packet, works out which authentication method the client is using, and uses the clear-text password to do the right thing for that method. If we look at that list again, it is clear that setting Auth-Type to any fixed value overrides that choice and breaks the server's ability to perform some, if not all, of the above authentication protocols. That is why we recommend that you not use the Auth-Type attribute.
When can it be used?
The major uses for manually setting Auth-Type are the following two situations:
- Force the user to be accepted:
Auth-Type := Accept
- Force the user to be rejected:
Auth-Type := Reject
There are so few other situations where setting Auth-Type is a good idea that we won't discuss them here. Instead, we recommend asking questions on the freeradius-users mailing list. Describe your needs in detail, and someone should be able to help you.
Common misuses of Auth-Type
A common misuse of Auth-Type is to force a particular kind of authentication to be used (for example, Auth-Type := MS-CHAP). We do not recommend that kind of configuration, as it is fragile and prone to errors: the forced module will fail on every request that does not carry the attributes it needs, and the resulting log messages say nothing about the real cause. Instead, we recommend rejecting attempts to do any other kind of authentication.
For example, the following users file entry will reject any authentication attempt that does not use MS-CHAP authentication. The !* operator matches when the named attribute is absent from the request, so the entry only applies to requests that carry no MS-CHAP-Challenge, and MS-CHAP requests fall through to the normal processing:
DEFAULT MS-CHAP-Challenge !* ANY, Auth-Type := Reject
        Reply-Message = "You must use MS-CHAP"
This configuration is more robust, and will generate more meaningful log messages when the local policy has to be debugged.
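The following Python is an added example, not FreeRADIUS code. It models the two things discussed above: how the server picks an authentication method from the attributes in an Access-Request, and what a users-file policy does to that choice. It evaluates a small subset of users-file check items (=*, !*, ==, !=) with first-match-wins semantics and no Fall-Through, and it runs the "forced Auth-Type" misuse and the "reject unless MS-CHAP" policy side by side over constructed requests. Attribute names follow the FreeRADIUS dictionary; the method-selection order, the request contents and the Handoff/Access-* result strings are simplifications chosen for the example, and no password or response cryptography is performed.

```python
import re

# Attribute sets that identify each authentication method in an
# Access-Request. Order matters: EAP is checked first and PAP (User-Password)
# is the fallback. Simplified model of what the modules do in authorize;
# not FreeRADIUS code.
METHOD_SIGNATURES = [
    ("EAP",     [{"EAP-Message"}]),
    ("MS-CHAP", [{"MS-CHAP-Challenge", "MS-CHAP2-Response"},
                 {"MS-CHAP-Challenge", "MS-CHAP-Response"}]),
    ("CHAP",    [{"CHAP-Password"}]),
    ("PAP",     [{"User-Password"}]),
]

def module_can_handle(method, request):
    """True if the request carries the attributes the method's module needs."""
    present = set(request)
    return any(sig <= present for sig in dict(METHOD_SIGNATURES)[method])

def detect_auth_type(request):
    """Pick the method from the request attributes; None if nothing matches."""
    for method, _ in METHOD_SIGNATURES:
        if module_can_handle(method, request):
            return method
    return None

# Subset of users-file check-item syntax: Attr op value[, Attr op value...]
CHECK_ITEM = re.compile(r'^([\w-]+)\s*(=\*|!\*|==|!=)\s*"?([^"]*)"?$')

def parse_check_items(text):
    """Parse the check items of a users-file entry into (attr, op, value)."""
    items = []
    for piece in (p.strip() for p in text.split(",")):
        if not piece:
            continue
        m = CHECK_ITEM.match(piece)
        if not m:
            raise ValueError("bad check item %r" % piece)
        items.append(m.groups())
    return items

def check_item_matches(request, attr, op, value):
    """Evaluate one check item. =* and !* test presence; their value is ignored."""
    if op == "=*":
        return attr in request
    if op == "!*":
        return attr not in request
    if op == "==":
        return request.get(attr) == value
    return request.get(attr) != value   # "!="

def apply_users_file(entries, request):
    """Control items of the first matching entry (no Fall-Through modelled)."""
    for name, checks, control in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if all(check_item_matches(request, *c) for c in parse_check_items(checks)):
            return dict(control)
    return {}

def handle(request, entries):
    """Outcome of authorize plus Auth-Type dispatch as a (result, detail) pair."""
    control = apply_users_file(entries, request)
    auth_type = control.get("Auth-Type") or detect_auth_type(request)
    if auth_type == "Reject":
        return "Access-Reject", control.get("Reply-Message", "")
    if auth_type == "Accept":
        return "Access-Accept", ""
    if auth_type is None:
        return "Access-Reject", "no recognised authentication attributes"
    if not module_can_handle(auth_type, request):
        # This is what a forced Auth-Type does to every other method.
        return "Access-Reject", "Auth-Type %s forced, but the request lacks its attributes" % auth_type
    return "Handoff", auth_type

# Constructed sample requests; attribute values are placeholders.
PAP_REQUEST = {"User-Name": "bob", "User-Password": "s3cret"}
CHAP_REQUEST = {"User-Name": "bob", "CHAP-Password": b"\x01" + b"\x00" * 16}
MSCHAP_REQUEST = {"User-Name": "bob", "MS-CHAP-Challenge": b"\x01" * 16,
                  "MS-CHAP2-Response": b"\x00" * 50}
EAP_REQUEST = {"User-Name": "bob", "EAP-Message": b"\x02\x01\x00\x08\x01bob"}

# The misuse: DEFAULT Auth-Type := MS-CHAP, forcing the method for everyone.
FORCED_MSCHAP = [("DEFAULT", "", {"Auth-Type": "MS-CHAP"})]
# The recommended policy from the text: reject requests that are not MS-CHAP.
REJECT_UNLESS_MSCHAP = [("DEFAULT", "MS-CHAP-Challenge !* ANY",
                         {"Auth-Type": "Reject", "Reply-Message": "You must use MS-CHAP"})]

if __name__ == "__main__":
    for label, policy in (("no policy", []), ("forced", FORCED_MSCHAP),
                          ("reject-unless", REJECT_UNLESS_MSCHAP)):
        for req in (PAP_REQUEST, CHAP_REQUEST, MSCHAP_REQUEST, EAP_REQUEST):
            print(label, detect_auth_type(req), handle(req, policy))
```

Running it shows the difference the text describes: with the forced policy, PAP, CHAP and EAP requests are all rejected with a message about the MS-CHAP module, while with the reject-unless policy the same requests get the configured "You must use MS-CHAP" reply and MS-CHAP requests are still dispatched by the normal detection.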