Using the Auth-Type Attribute

The first, and foremost recommendation for using the Auth-Type attribute is the following:

Don't use it.

The default configuration of the server, as shipped, works with the widest possible variety of authentication protocols. That is, so long as the server has a clear-text password for the user, the following authentication protocols will work out of the box:

If the server is configured with a certificate for EAP-TLS, the following authentication protocols will also work:

That is, the server will look at the incoming packet and use the clear-text password to just do the right thing. If we look at that list again, it's clear that setting Auth-Type to any value will break the server's ability to perform some, if not all, of the above authentication protocols. That's why we recommend that you not use the Auth-Type attribute.

When can it be used?

The major uses for manually setting Auth-Type are the following two situations:

There are so few other situations where Auth-Type is a good idea that we won't discuss them here. Instead, we recommend asking questions on the freeradius-users mailing list. Describe your needs in detail, and someone should be able to help you.

Common misuses of Auth-Type

A common misuse of Auth-Type is to force a particular kind of authentication to be used. We do not recommend that kind of configuration, as it is fragile and prone to errors. Instead, we recommend rejecting attempts to do any other kind of authentication. For example, the following users file entry will reject any authentication attempt that does not use MS-CHAP authentication:

DEFAULT MS-CHAP-Challenge !* 0x00, Auth-Type := Reject
        Reply-Message = "You must use MS-CHAP"

This configuration is more robust, and will generate more meaningful log messages when the local policy has to be debugged.
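To make the behaviour of that entry concrete, here is an added example (written for this page, not FreeRADIUS's own matching code) that models how the check items `MS-CHAP-Challenge !* 0x00` and `Auth-Type := Reject` are evaluated against two constructed requests: a PAP request carrying User-Password, and an MS-CHAP request carrying MS-CHAP-Challenge. The attribute names and sample values in the requests are assumptions chosen for illustration; the operator semantics modelled are the documented ones (`!*` matches only when the attribute is absent, `:=` sets a control item when the entry matches).

```python
# Constructed model of FreeRADIUS "users" file check-item evaluation.
# This is example code written for this page, not FreeRADIUS's own matcher;
# the sample requests below are constructed, not real captures.

def check_item_matches(request, attr, op, value):
    """Return True if a single check item (attr op value) matches the request.
    Only the operators needed for the page's example are modelled."""
    present = attr in request
    if op == "!*":          # attribute must NOT be present; the value is ignored
        return not present
    if op == "*":           # attribute must be present, with any value
        return present
    if op == "==":          # attribute present and equal to the value
        return present and request[attr] == value
    raise ValueError(f"unsupported check operator {op!r}")


def apply_users_entry(request, entry):
    """Evaluate one users-file entry against a request.
    Returns (matched, control, reply): 'control' holds items set with :=
    (e.g. Auth-Type := Reject), 'reply' holds the entry's reply items."""
    control, reply = {}, {}
    for attr, op, value in entry["check"]:
        if op == ":=":      # control assignment; applied only if the entry matches
            continue
        if not check_item_matches(request, attr, op, value):
            return False, control, reply
    for attr, op, value in entry["check"]:
        if op == ":=":
            control[attr] = value
    for attr, value in entry["reply"]:
        reply[attr] = value
    return True, control, reply


# The entry from the page:
#   DEFAULT MS-CHAP-Challenge !* 0x00, Auth-Type := Reject
#           Reply-Message = "You must use MS-CHAP"
REJECT_NON_MSCHAP = {
    "name": "DEFAULT",
    "check": [("MS-CHAP-Challenge", "!*", "0x00"), ("Auth-Type", ":=", "Reject")],
    "reply": [("Reply-Message", "You must use MS-CHAP")],
}

# Constructed sample requests (assumed attribute values, not real traffic).
PAP_REQUEST = {"User-Name": "alice", "User-Password": "secret"}
MSCHAP_REQUEST = {
    "User-Name": "alice",
    "MS-CHAP-Challenge": "0x0102030405060708",
    "MS-CHAP2-Response": "0x0a0b0c0d",
}


def decide(request):
    """Return ('reject', reply message) if the entry fires, otherwise
    ('autodetect', None): Auth-Type is left unset so the server picks the
    authentication method itself from the packet contents."""
    matched, control, reply = apply_users_entry(request, REJECT_NON_MSCHAP)
    if matched and control.get("Auth-Type") == "Reject":
        return "reject", reply.get("Reply-Message")
    return "autodetect", None


if __name__ == "__main__":
    print("PAP request    ->", decide(PAP_REQUEST))
    print("MS-CHAP request->", decide(MSCHAP_REQUEST))
```

The point the model shows is why this pattern is more robust than forcing `Auth-Type := MS-CHAP`: when the request does carry MS-CHAP-Challenge, the `!*` item does not match, the entry is skipped entirely, and Auth-Type stays unset, so the server's normal method selection is untouched. Only requests lacking the attribute get the explicit Reject and the Reply-Message, which is what makes the resulting log lines meaningful when debugging the policy.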