> > Then there is a gross error in half of the documnetation. Even the
> > O'Reilly Radius book is showing it in the regroupreply, as
> > well as the infamous www.frontios.com/freeradius.html
(I'm 'infamous'... Wow...!)
www.frontios.com/freeradius.html was written a long time ago, based
purely on my own experiences and needs (i.e. learning, playing) getting
FreeRadius and MySQL working. It may well have been wrong at the time
(I was learning, still am), and as FreeRadius has progressed I'm sure
that any errors it has have been magnified... I really must re-write it
(or at least correct it when mistakes are known), but then there *is* a
book now too... ;-)
Admittedly, my own need is very limited (simple user and group auth with
MySQL holding all info, nothing else, no other fallback methods, no LDAP
or system auth etc) and the whole auth-type thing hurts when I think
about it... Heh...
Curious, I just did a quick test (FR 0.8.1):
My users file has nothing in it's DEFAULT section setting auth-type
(only some PPP parameters (?)). I have an 'auth-type=local' entry in
radgroupreply for each group we have. I removed the auth-type entry for
a test group from the database ... and a user in that group can still
log in just fine. Basically, there is now no auth-type set anywhere
explicitly for that user, their group, or DEFAULT, but it still seems to
work. I'm assuming that this is because, as it can't find one,
FreeRadius is defaulting to using an auth-type of 'local' (?) and thus
using the password returned by the only available authorisation module
('sql') for the user found (i.e the password held in radcheck) (?)
Someone pls correct me if I'm wrong, but otherwise then if I'm guessing
right then it seems that people *only* using MySQL can basically not
worry about having auth-types set (at least until FR enforces checking
one!).
I'm sure if you're doing more complex stuff you'll need to set it
appropriately... but I'm not, so I can't be sure...
Based on the feedback to this thread, I should probably adjust that web
page to indicate that the auth-type should go in rad(group)check and not
rad(group)reply, yes? (and I'm off to re-re-read the docs again...
Heh...)
SB
(scott at frontios dot com)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
