rlm_mschap - Man Page

FreeRADIUS Module

Description

The rlm_mschap module provides MS-CHAP and MS-CHAPv2 authentication support.

This module validates a user with MS-CHAP or MS-CHAPv2 authentication. If called in Authorize, it will look for MS-CHAP Challenge/Response attributes in the Access-Request and add an Auth-Type attribute set to MS-CHAP in the Config-Items list, unless Auth-Type has already been set.

The module can authenticate the MS-CHAP session via plain-text passwords (User-Password attribute), or NT passwords (NT-Password attribute).  The module cannot perform authentication against an NT domain.

The module also enforces the SMB-Account-Ctrl attribute.  See the Samba documentation for the meaning of SMB account control.  The module does not read Samba password files.  Instead, the rlm_passwd module can be used to read a Samba password file, and supply an NT-Password attribute which this module can use.

The main configuration items to be aware of are:

authtype

This is the string used to set the authtype.  Normally it should be left to the default value of MS-CHAP.

use_mppe

Unless this is set to 'no', FreeRADIUS will add MS-CHAP-MPPE-Keys for MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2.  The default is 'yes'.

require_encryption

If MPPE is enabled, setting this attribute to 'yes' will cause the MS-MPPE-Encryption-Policy attribute to be set to require encryption. The default is 'no'.

require_strong

If MPPE is enabled, setting this attribute to 'yes' will cause the MS-MPPE-Encryption-Types attribute to be set to require a 128 bit key. The default is 'no'.

with_ntdomain_hack

Windows clients send User-Name in the form of "DOMAIN\User", but send the challenge/response based only on the User portion.  Setting this value to 'yes' enables a work-around for this error.  The default is 'no'.
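
Added example (not from this man page or the FreeRADIUS source): in MS-CHAPv2, RFC 2759 section 8.2 mixes the user name into the 8-octet challenge hash, so a server that hashes "DOMAIN\User" while the client hashed only "User" computes a different value and the response cannot verify. The helper names, the sample challenges and the domain-stripping rule below are assumptions made for illustration.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(Peer || Authenticator || UserName)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    digest = hashlib.sha1()
    digest.update(peer_challenge)
    digest.update(auth_challenge)
    digest.update(user_name.encode("ascii"))
    return digest.digest()[:8]


def strip_nt_domain(user_name: str) -> str:
    """Hypothetical helper: keep the User part of "DOMAIN\\User"; other names pass through."""
    return user_name.rsplit("\\", 1)[-1]


def server_challenge_hash(peer: bytes, auth: bytes, radius_user_name: str,
                          ntdomain_hack: bool) -> bytes:
    """Hash the name the server would use, with or without the work-around."""
    name = strip_nt_domain(radius_user_name) if ntdomain_hack else radius_user_name
    return challenge_hash(peer, auth, name)


# Constructed sample values, not taken from a real exchange.
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))
USER_NAME = "EXAMPLE\\alice"   # User-Name attribute as sent in the Access-Request


def demo() -> dict:
    # The client hashes only the User portion, as the text above describes.
    client = challenge_hash(PEER, AUTH, "alice")
    return {
        "hack_off_matches": server_challenge_hash(PEER, AUTH, USER_NAME, False) == client,
        "hack_on_matches": server_challenge_hash(PEER, AUTH, USER_NAME, True) == client,
    }


if __name__ == "__main__":
    print(demo())
```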

Configuration

modules {
  ...
  mschap {
    authtype = MS-CHAP
    use_mppe = yes
  }
  ...
}
 ...
authorize {
  ...
  mschap
  ...
}
 ...
authenticate {
  ...
  mschap
  ...
}

Sections

authorization, authentication

Files

/etc/raddb/radiusd.conf

See Also

radiusd(8), radiusd.conf(5)

Author

Chris Parker, cparker@segv.org

Info

13 March 2004 FreeRADIUS Module