Andreas Haumer <[EMAIL PROTECTED]> wrote:
> 2.2) The FreeRADIUS server is set up to support MSCHAPv2 authentication.
>      This is not trivial and requires some fiddling.

  Absolutely not.  If you configure a user && clear-text password,
then MSCHAPv2 authentication will work the first time you try it in
the default configuration.

> 2.2.3) in radiusd.conf I have the authorized and authenticate
>        sections configured as follows:

  Please, please, edit those sections AS LITTLE AS POSSIBLE.

  The more edits people make to those sections, the more likely they
are to break the server.  The intent is that in order to use various
modules, they should be simply uncommented.

> IMHO there are two important parts here:
> a) in the authorize section I have the "ldap" module and the "mschap"
>    module following immediately

  They are in the reverse order in the default "radiusd.conf".
Switching the order makes it more difficult for the server to figure
out what to do.

> b) in the "authenticate" section there is only the "mschap" module listed.

  This means PAP, CHAP, and EAP won't work.

> As far as I can tell this works quite fine. If anyone wants to
> comment this setup or has some tips and improvements I would
> be happy to hear. Perhaps we can collect all the information and
> write an up-to-date HOWTO for this kind of application.

  A "howto" is: CHANGE AS LITTLE AS POSSIBLE IN THE DEFAULT CONFIGURATION.

  The default configuration was created by people with years of
experience using FreeRADIUS, who understand the internals very well
(often having programmed them.)  If you think you can do a better job,
you should ensure that you understand exactly what you're doing.

> 
> 1.) Most important: I still do not really understand all the
>     configuration details of freeradius. There are still lots
>     of mystic configuration attributes and I don't know if I
>     need all of them or not. This makes me nervous

  I don't see what's "mystic".  The configuration files contain a lot
of comments describing what the configuration attributes are, and what
they do.

> 2.) I want to have the VPN users in several different access
>     groups. I currently do not know how to set up this in an
>     elegant way.

  "man rlm_passwd"

  Alan DeKok.
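To make the two points in this reply concrete (keep the shipped order of "mschap" and "ldap" in authorize, and keep the per-protocol Auth-Type sub-sections in authenticate so PAP, CHAP and EAP still work), here is an illustrative radiusd.conf fragment. It is an added example, not the poster's configuration and not a verbatim copy of the FreeRADIUS default file; it follows the 1.x-era layout the mail refers to, and showing "ldap" uncommented is an assumption.

```conf
# Illustrative radiusd.conf fragment (added example, not the original mail's
# config). Modules are left in the shipped order and simply uncommented.
authorize {
	preprocess
	chap          # sets Auth-Type := CHAP when a CHAP-Password is present
	mschap        # sets Auth-Type := MS-CHAP when MS-CHAP attributes are present
	suffix
	eap           # sets Auth-Type := EAP when an EAP-Message is present
	files         # "users" file; a clear-text password here is enough for MS-CHAPv2
	ldap          # assumption: ldap uncommented, kept AFTER mschap as shipped
}

authenticate {
	# One sub-section per authentication method. If only "mschap" were listed
	# here, a request with Auth-Type PAP, CHAP or EAP would have no handler
	# and the authentication would fail.
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	unix
	eap
}
```

The authorize modules only decide which Auth-Type a request gets; the matching sub-section in authenticate is what actually checks the credentials, which is why trimming authenticate down to a single module silently disables every other method.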
