rlm_mschap(5)                FreeRADIUS Module                rlm_mschap(5)

rlm_mschap - FreeRADIUS Module

The rlm_mschap module provides MS-CHAP and MS-CHAPv2 authentication
support.

This module validates a user with MS-CHAP or MS-CHAPv2 authentication.
If called in Authorize, it will look for MS-CHAP Challenge/Response
attributes in the Access-Request and add an Auth-Type attribute set to
MS-CHAP in the Config-Items list unless Auth-Type has already been set.

The module can authenticate the MS-CHAP session via plain-text
passwords (User-Password attribute), or NT passwords (NT-Password
attribute). The module cannot perform authentication against an NT
domain.

The module also enforces the SMB-Account-Ctrl attribute. See the Samba
documentation for the meaning of SMB account control. The module does
not read Samba password files. Instead, the rlm_passwd module can be
used to read a Samba password file, and supply an NT-Password attribute
which this module can use.

The main configuration items to be aware of are:

authtype
       This is the string used to set the authtype. Normally it should
       be left to the default value of MS-CHAP.

use_mppe
       Unless this is set to 'no', FreeRADIUS will add
       MS-CHAP-MPPE-Keys for MS-CHAPv1 and
       MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2. The default
       is 'yes'.

require_encryption
       If MPPE is enabled, setting this attribute to 'yes' will cause
       the MS-MPPE-Encryption-Policy attribute to be set to require
       encryption. The default is 'no'.

require_strong
       If MPPE is enabled, setting this attribute to 'yes' will cause
       the MS-MPPE-Encryption-Types attribute to be set to require a
       128 bit key. The default is 'no'.

with_ntdomain_hack
       Windows clients send User-Name in the form of "DOMAIN\User", but
       send the challenge/response based only on the User portion.
       Setting this value to 'yes' enables a work-around for this error.
       The default is 'no'.
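
Why the with_ntdomain_hack work-around matters for MS-CHAPv2, as an added example that is not part of FreeRADIUS or of this manual page: RFC 2759 mixes the user name into the 8-octet challenge hash, so a server that hashes the full "DOMAIN\User" value derives a different challenge from the client and the response check fails. The helper names and the sample values are assumptions made for illustration.

```python
import hashlib

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(peer || authenticator || name)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    data = peer_challenge + auth_challenge + user_name.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]

def strip_nt_domain(user_name: str) -> str:
    """Hypothetical helper: return the User part of "DOMAIN\\User"."""
    return user_name.split("\\", 1)[-1]

def server_challenge(peer: bytes, auth: bytes, user_name_attr: str,
                     with_ntdomain_hack: bool) -> bytes:
    """Challenge hash the server derives from the User-Name attribute."""
    name = strip_nt_domain(user_name_attr) if with_ntdomain_hack else user_name_attr
    return challenge_hash(peer, auth, name)

# Constructed sample values, not captured traffic.
PEER_CHALLENGE = bytes(range(0x10, 0x20))
AUTH_CHALLENGE = bytes(range(0x20, 0x30))
USER_NAME_ATTR = "EXAMPLE\\alice"   # what the client puts in User-Name

def compare() -> dict:
    """Client hashes only the User part; server hashes what the setting selects."""
    client = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, "alice")
    off = server_challenge(PEER_CHALLENGE, AUTH_CHALLENGE, USER_NAME_ATTR, False)
    on = server_challenge(PEER_CHALLENGE, AUTH_CHALLENGE, USER_NAME_ATTR, True)
    return {"client": client, "hack_off": off, "hack_on": on,
            "match_off": off == client, "match_on": on == client}

if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```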

modules {
    ...
    mschap {
        authtype = MS-CHAP
        use_mppe = yes
    }
    ...
}
...
authorize {
    ...
    mschap
    ...
}
...
authenticate {
    ...
    mschap
    ...
}

authorization, authentication

/etc/raddb/radiusd.conf

radiusd(8), radiusd.conf(5)

Chris Parker, cparker@segv.org

13 March 2004                                                rlm_mschap(5)