Index Index for
Section 5
Index Alphabetical
listing for R
Bottom of page Bottom of
page		 

rlm_mschap(5)


NAME

  rlm_mschap - FreeRADIUS Module


DESCRIPTION

  The rlm_mschap module provides MS-CHAP and MS-CHAPv2 authentication
  support.

  This module validates a user with MS-CHAP or MS-CHAPv2 authentication.  It
  should be listed in both the authorize and authenticate sections.  In
  authorize, it will look for MS-CHAP Challenge/Response attributes in the
  Acess-Request, and configure itself to be the module called for the
  authenticate section.

  The module can authenticate the MS-CHAP session via plain-text passwords
  (User-Password attribute), or NT passwords (NT-Password attribute).  The
  module can perform authentication against an NT domain by using the
  ntlm_auth program.


SMB Integration

  The module also enforces the SMB-Account-Ctrl attribute.  See the Samba
  documentation for the meaning of SMB account control.	 The module does not
  read Samba password files.  Instead, the rlm_passwd module should be used
  to read a Samba password file, and to supply an NT-Password attribute which
  this module can use.	See the etc_smbpasswd module in radiusd.conf for more
  details.


MODULE CONFIGURATION

  The main configuration items to be aware of are:

  use_mppe
       Unless this is set to 'no', FreeRADIUS will add MS-CHAP-MPPE-Keys for
       MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2.  The
       default is 'yes'.

  require_encryption
       If MPPE is enabled, setting this attribute to 'yes' will cause the
       MS-MPPE-Encryption-Policy attribute to be set to require encryption.
       The default is 'no'.

  require_strong
       If MPPE is enabled, setting this attribute to 'yes' will cause the
       MS-MPPE-Encryption-Types attribute to be set to require a 128 bit key.
       The default is 'no'.

  with_ntdomain_hack
       Windows clients send User-Name in the form of "DOMAIN\User", but send
       the challenge/response based only on the User portion.  Setting this
       value to yes, enables a work-around for this error.  The default is
       'no'.

  ntlm_auth
       Use the ntlm_auth program for authentication against Samba, or a
       Windows NT or Active Directory Domain Controller.  For machine
       authentication, the following configuration should be used:

       ntlm_auth = "/path/to/ntlm_auth --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --domain=%{mschap:NT-Domain:-YOUR_DEFAULT_DOMAIN}
  If configured, ntlm_auth will always be called, even if there is a clear-
  text or NT-Password available for the user.  You can force ntlm_auth to not
  be used by setting

       MS-CHAP-Use-NTLM-Auth := No
  in the users file, or in a database such as SQL.


SECTIONS

  authorization, authentication


FILES

  /etc/raddb/radiusd.conf


SEE ALSO

  radiusd(8), radiusd.conf(5)


AUTHOR

  Chris Parker, cparker@segv.org

Index Index for
Section 5
Index Alphabetical
listing for R
Top of page Top of
page