rlm_mschap(5)                  FreeRADIUS Module                 rlm_mschap(5)

NAME

       rlm_mschap - FreeRADIUS Module

DESCRIPTION

       The rlm_mschap module provides MS-CHAP and MS-CHAPv2 authentication
       support.

       This module validates a user with MS-CHAP or MS-CHAPv2 authentication.
       It should be listed in both the authorize and authenticate sections.
       In authorize, it looks for MS-CHAP Challenge/Response attributes in
       the Access-Request and, if they are present, configures itself as the
       module called for the authenticate section.

       The module can authenticate the MS-CHAP session via plain-text
       passwords (User-Password attribute) or NT passwords (NT-Password
       attribute).  The module can also perform authentication against an NT
       domain by using the ntlm_auth program.


SMB Integration

       The module also enforces the SMB-Account-Ctrl attribute.  See the Samba
       documentation for the meaning of SMB account control.  The module does
       not read Samba password files.  Instead, the rlm_passwd module should
       be used to read a Samba password file and to supply an NT-Password
       attribute which this module can use.  See the etc_smbpasswd module in
       radiusd.conf for more details.


MODULE CONFIGURATION

       The main configuration items to be aware of are:

       use_mppe
              Unless this is set to 'no', FreeRADIUS will add MS-CHAP-MPPE-Keys
              for MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for
              MS-CHAPv2.  The default is 'yes'.

       require_encryption
              If MPPE is enabled, setting this attribute to 'yes' will cause
              the MS-MPPE-Encryption-Policy attribute to be set to require
              encryption.  The default is 'no'.

       require_strong
              If MPPE is enabled, setting this attribute to 'yes' will cause
              the MS-MPPE-Encryption-Types attribute to be set to require a
              128 bit key.  The default is 'no'.

       with_ntdomain_hack
              Windows clients send User-Name in the form of "DOMAIN\User", but
              send the challenge/response based only on the User portion.
              Setting this value to 'yes' enables a work-around for this
              error.  The default is 'no'.

       ntlm_auth
              Use the ntlm_auth program for authentication against Samba, or a
              Windows NT or Active Directory Domain Controller.  For machine
              authentication, the following configuration should be used:

              ntlm_auth = "/path/to/ntlm_auth --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --domain=%{mschap:NT-Domain:-YOUR_DEFAULT_DOMAIN}"

              If configured, ntlm_auth will always be called, even if there
              is a clear-text or NT-Password available for the user.  You can
              force ntlm_auth to not be used by setting
              MS-CHAP-Use-NTLM-Auth := No in the users file, or in a database
              such as SQL.

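       The following is an added, stand-alone example (not code from the
       FreeRADIUS project or this manual page) of the two pieces of the
       MS-CHAPv2 exchange that the with_ntdomain_hack and ntlm_auth items
       above depend on: parsing the 50-octet MS-CHAP2-Response attribute value
       (RFC 2548, section 2.3.2), computing the RFC 2759 ChallengeHash from the
       peer challenge, the authenticator challenge and the domain-stripped
       user name, and assembling the argument list that the ntlm_auth line
       above expands to.  It assumes, beyond what the page states, that for
       MS-CHAPv2 %{mschap:Challenge} expands to the 8-octet ChallengeHash in
       hex and %{mschap:NT-Response} to the 24-octet response in hex; the
       sample challenge and response bytes are constructed, not captured.

```python
import hashlib
from dataclasses import dataclass

# Layout of the MS-CHAP2-Response vendor-specific attribute value (RFC 2548,
# section 2.3.2): Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24).
MSCHAP2_RESPONSE_LEN = 50
CHALLENGE_LEN = 16  # MS-CHAP-Challenge carries 16 octets for MS-CHAPv2


@dataclass(frozen=True)
class MsChap2Response:
    ident: int
    flags: int
    peer_challenge: bytes  # 16 octets chosen by the peer
    nt_response: bytes     # 24-octet NT-Response


def parse_mschap2_response(value: bytes) -> MsChap2Response:
    """Parse an MS-CHAP2-Response value, rejecting malformed input."""
    if len(value) != MSCHAP2_RESPONSE_LEN:
        raise ValueError(f"MS-CHAP2-Response must be {MSCHAP2_RESPONSE_LEN} octets, got {len(value)}")
    ident, flags = value[0], value[1]
    peer_challenge = value[2:18]
    reserved = value[18:26]
    nt_response = value[26:50]
    # RFC 2548 requires Flags and Reserved to be zero; a non-zero value means a
    # non-conforming client and should be rejected rather than silently accepted.
    if flags != 0:
        raise ValueError("MS-CHAP2-Response Flags octet must be zero")
    if any(reserved):
        raise ValueError("MS-CHAP2-Response Reserved field must be zero")
    return MsChap2Response(ident, flags, peer_challenge, nt_response)


def is_wellformed_mschap2_response(value: bytes) -> bool:
    """True when parse_mschap2_response() accepts the value."""
    try:
        parse_mschap2_response(value)
        return True
    except ValueError:
        return False


def strip_nt_domain(user_name: str, with_ntdomain_hack: bool) -> str:
    """Return the User portion of 'DOMAIN\\User' when the hack is enabled."""
    if with_ntdomain_hack and "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def nt_domain(user_name: str, default: str) -> str:
    """Domain portion of 'DOMAIN\\User', or the default (the ':-' fallback)."""
    return user_name.split("\\", 1)[0] if "\\" in user_name else default


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 section 8.2 ChallengeHash(): the first 8 octets of
    SHA1(PeerChallenge | AuthenticatorChallenge | UserName).  The RFC notes
    that the user name excludes any prepended domain, which is exactly what
    with_ntdomain_hack arranges."""
    if len(peer_challenge) != CHALLENGE_LEN or len(authenticator_challenge) != CHALLENGE_LEN:
        raise ValueError("both challenges must be 16 octets")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(user_name.encode("ascii"))  # ASCII, no terminator (RFC 2759)
    return h.digest()[:8]


def ntlm_auth_args(user_name: str, authenticator_challenge: bytes, response_value: bytes,
                   default_domain: str = "YOUR_DEFAULT_DOMAIN", with_ntdomain_hack: bool = True) -> list:
    """Argument list matching the ntlm_auth configuration line in this page.
    Assumption (not stated on the page): %{mschap:Challenge} is the 8-octet
    ChallengeHash and %{mschap:NT-Response} the 24-octet response, both hex."""
    resp = parse_mschap2_response(response_value)
    user = strip_nt_domain(user_name, with_ntdomain_hack)
    chal = challenge_hash(resp.peer_challenge, authenticator_challenge, user)
    return [
        "/path/to/ntlm_auth",
        f"--username={user}",
        f"--challenge={chal.hex()}",
        f"--nt-response={resp.nt_response.hex()}",
        f"--domain={nt_domain(user_name, default_domain)}",
    ]


# Constructed sample values (not captured traffic): a 16-octet authenticator
# challenge and a 50-octet MS-CHAP2-Response with Ident 1 and Flags 0.
SAMPLE_AUTH_CHALLENGE = bytes(range(16))
SAMPLE_PEER_CHALLENGE = bytes(range(0x10, 0x20))
SAMPLE_NT_RESPONSE = bytes([0xAA]) * 24
SAMPLE_RESPONSE_VALUE = bytes([1, 0]) + SAMPLE_PEER_CHALLENGE + bytes(8) + SAMPLE_NT_RESPONSE

if __name__ == "__main__":
    print(" ".join(ntlm_auth_args("EXAMPLE\\alice", SAMPLE_AUTH_CHALLENGE, SAMPLE_RESPONSE_VALUE)))
```

       Running the block shows why the hack matters: the ChallengeHash
       computed for "EXAMPLE\alice" differs from the one computed for
       "alice", so a server that hashes the full User-Name can never match
       the response a Windows client produced from the User portion alone.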

SECTIONS

       authorization, authentication


FILES

       /etc/raddb/radiusd.conf


SEE ALSO

       radiusd(8), radiusd.conf(5)


AUTHOR

       Chris Parker, cparker@segv.org

                                  19 May 2006                    rlm_mschap(5)