> > Then there is a gross error in half of the documnetation. Even the > > O'Reilly Radius book is showing it in the regroupreply, as > > well as the infamous www.frontios.com/freeradius.html
(I'm 'infamous'... Wow...!) www.frontios.com/freeradius.html was written a long time ago, based purely on my own experiences and needs (i.e. learning, playing) getting FreeRadius and MySQL working. It may well have been wrong at the time (I was learning, still am), and as FreeRadius has progressed I'm sure that any errors it has have been magnified... I really must re-write it (or at least correct it when mistakes are known), but then there *is* a book now too... ;-) Admittedly, my own need is very limited (simple user and group auth with MySQL holding all info, nothing else, no other fallback methods, no LDAP or system auth etc) and the whole auth-type thing hurts when I think about it... Heh... Curious, I just did a quick test (FR 0.8.1): My users file has nothing in it's DEFAULT section setting auth-type (only some PPP parameters (?)). I have an 'auth-type=local' entry in radgroupreply for each group we have. I removed the auth-type entry for a test group from the database ... and a user in that group can still log in just fine. Basically, there is now no auth-type set anywhere explicitly for that user, their group, or DEFAULT, but it still seems to work. I'm assuming that this is because, as it can't find one, FreeRadius is defaulting to using an auth-type of 'local' (?) and thus using the password returned by the only available authorisation module ('sql') for the user found (i.e the password held in radcheck) (?) Someone pls correct me if I'm wrong, but otherwise then if I'm guessing right then it seems that people *only* using MySQL can basically not worry about having auth-types set (at least until FR enforces checking one!). I'm sure if you're doing more complex stuff you'll need to set it appropriately... but I'm not, so I can't be sure... Based on the feedback to this thread, I should probably adjust that web page to indicate that the auth-type should go in rad(group)check and not rad(group)reply, yes? (and I'm off to re-re-read the docs again... Heh...) SB (scott at frontios dot com) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html