On 01/18/2013 09:31 AM, Han Boetes wrote:
In the users file
DEFAULT Auth-Type = Kerberos
         Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15"

Be careful!

It's almost never a good idea to set the Auth-Type in the user config. Why? Because normally the server figures out the best Auth-Type to use for a given Auth-Request based on the contents of the Auth-Request packet. The contents of the Auth-Request packet depend exclusively on the configuration of the user's device, something you typically do not have control over (think of a random user trying to connect with an unknown device).

The FR server figures out which Auth-Type to use based on its configuration and set of policy rules, all of which you can write.

The problem comes when a user sends an Auth-Request whose contents do not match the Auth-Type you've forced on them; then things will completely *fail*.

Using DEFAULT for the Auth-Type is an even more pernicious problem because you're saying apply this to everyone that lands in the default category.

There are a few Auth-Types the server can't figure out on its own, Kerberos is one of them (because fundamentally it's no different than PAP in terms of what the client sends). There are a number of approaches one can take to address this issue via policy configuration in the server, but I'm sorry to say I don't have time to document and test all those at the moment.

All I'm trying to say is what you've done above will work only in a very constrained scenario, it is not a general solution. The FreeRADIUS list is filled with folks' attempts to force an Auth-Type in the users file only to discover their woes.

John Dennis <jden...@redhat.com>
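One of the policy-based approaches John alludes to, written out as an added example (it is not from the thread and not FreeRADIUS project code): instead of forcing `Auth-Type = Kerberos` on every DEFAULT entry, set it in the `authorize` section only when the incoming Access-Request actually carries a PAP-style `User-Password`, and let CHAP, MS-CHAP and EAP requests keep the Auth-Type their own modules assign. It assumes FreeRADIUS 3.x unlang syntax, a `krb5` module instance enabled under `mods-enabled/`, and an `authenticate` sub-section named `Auth-Type Kerberos`; the section name is a choice made for this example and must simply match the value set in `authorize`.

```unlang
# Added example, not from the original thread.
# Assumed: FreeRADIUS 3.x, mods-enabled/krb5 configured with a keytab and
# service principal, and the two sections below living in sites-enabled/default.

authorize {
    preprocess
    chap        # sets control:Auth-Type := CHAP when CHAP-Password is present
    mschap      # sets control:Auth-Type := MS-CHAP when MS-CHAP attributes are present
    eap         # sets control:Auth-Type := EAP when EAP-Message is present
    files       # the users file: reply attributes only, no Auth-Type check item

    # Kerberos cannot be detected from the packet (it looks exactly like PAP),
    # so pick it only for requests that carry a cleartext User-Password and
    # that no module above has already claimed.  Anything else falls through
    # and fails cleanly instead of being forced into the wrong authenticator.
    #
    # Note: the "pap" module is deliberately NOT listed before this block; if
    # it were, it would have already set Auth-Type := PAP for these requests.
    if (&User-Password && !&control:Auth-Type) {
        update control {
            &Auth-Type := Kerberos
        }
    }
}

authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # Assumed section name for this example; it must match the value
    # assigned to control:Auth-Type in authorize above.
    Auth-Type Kerberos {
        krb5
    }
    eap
}
```

With this in place the `users` file entry keeps only the reply items (`Service-Type = NAS-Prompt-User, cisco-avpair = "shell:priv-lvl=15"`) and drops the `Auth-Type` check item, so a device that sends CHAP or EAP is no longer routed into an authenticator that cannot possibly verify it. Two caveats a practitioner will want to check before deploying: the `krb5` module only works for PAP because it needs the cleartext password to run the Kerberos AS exchange, so the request path is only as strong as the RADIUS shared secret and transport protecting `User-Password`; and `radtest`/`radclient` runs with a PAP request and a CHAP request against a test server are the quickest way to confirm each branch of the policy actually does what the comments claim.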


Freeipa-users mailing list
