Man Linux: Main Page and Category List

NAME

       rlm_mschap - FreeRADIUS Module

DESCRIPTION

       The  rlm_mschap  module  provides  MS-CHAP and MS-CHAPv2 authentication
       support.

       This module validates a user with MS-CHAP or MS-CHAPv2  authentication.
       If  called  in  Authorize,  it will look for MS-CHAP Challenge/Response
       attributes in the Acess-Request and adds an Auth-Type attribute set  to
       MS-CHAP in the Config-Items list unless Auth-Type has already set.

       The   module  can  authenticate  the  MS-CHAP  session  via  plain-text
       passwords  (User-Password  attribute),  or  NT  passwords  (NT-Password
       attribute).   The  module  cannot  perform authentication against an NT
       domain.

       The module also enforces the SMB-Account-Ctrl attribute.  See the Samba
       documentation  for the meaning of SMB account control.  The module does
       not read Samba password files.  Instead, the fIrlm_passwd module can be
       used to read a Samba password file, and supply an NT-Password attribute
       which this module can use.

       The main configuration items to be aware of are:

       authtype
              This is the string used to set the authtype.  Normally it should
              be left to the default value of MS-CHAP.

       use_mppe
              Unless  this  is  set to ’no’, FreeRADIUS will add MS-CHAP-MPPE-
              Keys for MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-
              CHAPv2.  The default is ’yes’.

       require_encryption
              If  MPPE  is enabled, setting this attribute to ’yes’ will cause
              the MS-MPPE-Encryption-Policy attribute to  be  set  to  require
              encryption.  The default is ’no’.

       require_strong
              If  MPPE  is enabled, setting this attribute to ’yes’ will cause
              the MS-MPPE-Encryption-Types attribute to be set  to  require  a
              128 bit key.  The default is ’no’.

       with_ntdomain_hack
              Windows clients send User-Name in the form of "DOMAIN\User", but
              send the challenge/response based  only  on  the  User  portion.
              Setting this value to yes, enables a work-around for this error.
              The default is ’no’.

CONFIGURATION

              modules {
                ...
                mschap {
                   authtype = MS-CHAP
                   use_mppe = yes
                }
                ...
              }
               ...
              authorize {
                ...
                mschap
                ...
              }
               ...
              authenticate {
                ...
                mschap
                ...
              }

SECTIONS

       authorization, authentication

FILES

       /etc/raddb/radiusd.conf

SEE ALSO

       radiusd(8), radiusd.conf(5)

AUTHOR

       Chris Parker, cparker@segv.org

                                 13 March 2004                   rlm_mschap(5)