The FreeRADIUS Auth-Type attribute is often misunderstood and misused. There are actually very few situations where this attribute should be manipulated at all.
Rule 1: Don’t use the Auth-Type attribute
This is the first rule and really, the only rule. If you’re unsure about whether or not you should use the Auth-Type attribute, you shouldn’t.
Seriously. Just don’t. Here’s why.
Why Auth-Type disrupts FreeRADIUS authentication
The default configuration of the server, as shipped, works with the widest possible variety of authentication protocols. That is, as long as the server has a clear-text password for the user, the following authentication protocols will work out of the box:
If the server is configured with a certificate for EAP-TLS, the following authentication protocols will also work:
- EAP-TLS
- EAP-TTLS, with tunnelled:
  - PAP
  - CHAP
  - MS-CHAPv1
  - MS-CHAPv2
  - EAP-GTC
  - EAP-MD5
  - EAP-MS-CHAP
- EAP-PEAP, with tunnelled:
  - EAP-GTC
  - EAP-MD5
  - EAP-MS-CHAP
That is, the server will look at the incoming packet and use the clear-text password to just do the right thing. If we look at that list again, it’s clear that setting Auth-Type to any value will break the server's ability to perform some, if not all, of the above authentication protocols. That’s why we recommend that you not use the Auth-Type attribute.
How not to use Auth-Type: common misconfigurations in FreeRADIUS
A common misuse of Auth-Type is to force a particular kind of authentication to be used. We do not recommend that kind of configuration, as it is fragile and prone to errors.
Instead, we recommend rejecting attempts to do any other kind of authentication.
For example, the following users file entry will reject any authentication attempt that does not use MS-CHAP authentication:
    DEFAULT    MS-CHAP-Challenge !* 0x00, Auth-Type := Reject
               Reply-Message = "You must use MS-CHAP"
This configuration is more robust, and will generate more meaningful log messages when the local policy has to be debugged.
Note: In some cases, forcing a particular authentication method with the Auth-Type attribute is acceptable for testing purposes only, as described in our guide to configuring FreeRADIUS with Active Directory. This approach should be used cautiously, however, and the Auth-Type test entry should be removed as soon as the desired test is complete.
Legitimate uses for FreeRADIUS Auth-Type
The primary legitimate uses for manually setting Auth-Type are the following two situations:
- Force the user to be accepted: just use accept.
- Force the user to be rejected: just use reject.
This usage might come up in a scenario in which you want to allow a user online even if their password is incorrect, usually in some kind of “captive” portal.
Note that simply saying accept will not work for MS-CHAP and EAP. Those protocols do all kinds of “behind the scenes” calculations based on data exchanged during a successful authentication. If that process is bypassed, the data won’t be exchanged, so the end-user system will not know how to process a short-circuit accept and will treat it as a reject.
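The following users file fragment, added here as an illustration and not taken from the original article, puts the fragile "force a method" entry next to the recommended "reject what policy forbids" entry, and adds the two legitimate uses described above. The user names, Reply-Message texts and the guest-portal scenario are made up for the example.

```text
#
# WRONG (shown commented out): forcing the method. Every PAP, CHAP or
# EAP request matching this entry is handed to the mschap module, which
# cannot authenticate it, so those clients are rejected for no reason.
#
# DEFAULT        Auth-Type := MS-CHAP
#

#
# Entries are matched in file order and processing stops at the first
# match (unless Fall-Through = Yes), so specific users come first.
#

# Legitimate use 1: put a captive-portal guest online whatever password
# it sent. Only meaningful for PAP/CHAP; an MS-CHAP or EAP client will
# treat this short-circuit accept as a failure.
guest          Auth-Type := Accept
               Reply-Message = "Welcome to the guest portal"

# Legitimate use 2: block one account outright, with a clear reply and
# log entry instead of a confusing "wrong password" failure.
bob            Auth-Type := Reject
               Reply-Message = "Account disabled by policy"

#
# RIGHT: leave Auth-Type alone so the server picks the method from the
# request, and reject only what local policy forbids. The "!*" operator
# matches when the attribute is absent from the request; the value
# (0x00) is ignored. Anything carrying MS-CHAP-Challenge falls through
# to normal processing against the stored clear-text or NT password.
#
DEFAULT        MS-CHAP-Challenge !* 0x00, Auth-Type := Reject
               Reply-Message = "You must use MS-CHAP"
```

Run the server with `radiusd -X` while testing such entries; the debug output shows which users entry matched and why an Access-Reject was sent.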
There are so few other situations where Auth-Type is a good idea that we won’t discuss them here. Instead, we recommend asking questions on the freeradius-users mailing list. Describe your needs in detail, and someone should be able to help you.
Need more help?
InkBridge Networks has been at the forefront of network security for over two decades, tackling complex challenges across various protocols and infrastructures. Our team of seasoned experts has encountered and solved nearly every conceivable network security issue. If you're looking for insights from the architects behind some of the internet's most foundational authentication systems, you can request a quote for network security solutions here.