3.28.18. AuthenProto Previous topic Parent topic Child topic Next topic

AuthenProto specifies which authentication protocols are permitted for authentication. It is an optional parameter. AuthenProto is available for all AuthBy modules but its functionality depends on the specific AuthBy. It does not affect proxying or special AuthBy modules, such as <AuthBy INTERNAL> which do their own request handling.
If the authentication request is rejected because of this parameter setting, the failure is logged as a WARNING in Radiator log, and available for all AuthLog clauses as the failure reason.
Allowed values for AuthenProto are:
  • PAP
  • CHAP
  • MSCHAP
  • MSCHAPv2
  • SIPDigest
  • EAP
  • AuthorizeOnly
  • Unknown
The default value is PAP, CHAP, MSCHAP, MSCHAPv2, EAP, AuthorizeOnly. The value is AuthorizeOnly if the request does not match any of the other values but has Service-Type attribute set to Authorize-Only. The value is Unknown when the authentication protocol cannot be determined. The default for AuthenProto covers the usual user authentication protocols. Add Unknown to those AuthBys that need to handle the authentication requests that do not have the correct combination of any of the following:
  • CHAP attributes
  • MSCHAP attributes
  • MSCHAPv2 attributes
  • User-Password attribute
  • EAP-Message attributes
  • Service-Type attribute set to Authorize-Only
Here is an example of using AuthenProto:
# Allow PAP only
AuthenProto PAP

# Allow all CHAP variants
AuthenProto CHAP,MSCHAP,MSCHAPv2

# Empty list allows nothing
AuthenProto

# Unknown allows anything else. This allows PAP and requests that are not
# CHAP, MSCHAP, MSCHAPv2, SIPDigest, EAP or AuthorizeOnly
AuthenProto PAP, Unknown