"Roy, Daniel" <[EMAIL PROTECTED]> wrote:

> 1) valid userid and password should authorize and authenticate against
> SQL and MSCHAP ok;

That should work without any additional configuration.

> 2) valid userid but wrong password should authorize ok against SQL but
> fail authentication against MSCHAP; I want to configure freeRADIUS to
> proxy this failed Access-Request to another RADIUS server/service;

A fail-over section should work.

> 3) invalid userid (regardless of password) should return "notfound" when
> authorizing against SQL; again I want to configure freeRADIUS to proxy
> this failed Access-Request to another RADIUS server/service.

A fail-over section should work here, too.

> This one correctly proxies for wrong userids, but it unexpectedly
> replies with Access-Reject for correct userids and passwords even though
> sql returned "ok". I figured out freeRADIUS does this because my client
> is using mschap and radius doesn't find a User-Password or CHAP-Password
> attribute in the request.

Did you list the "mschap" module in the "authorize" section? It
will take care of setting Auth-Type := MSCHAP if it finds MSCHAP
attributes.

From the above description, it looks like the server has no
Auth-Type set, or an Auth-Type of Local, in which case all it can do
is PAP & CHAP.

> So I changed "ok = return" to "ok = 1" and added an mschap section
> to authorize:

The first change shouldn't have happened. The second is OK.

Try using "ok = return", and listing "mschap" in "authorize", before
the group{} thing. That should work.

Alan DeKok.