summaryrefslogtreecommitdiffstats
path: root/raddb/mods-available/mschap
diff options
context:
space:
mode:
Diffstat (limited to 'raddb/mods-available/mschap')
-rw-r--r--raddb/mods-available/mschap253
1 files changed, 253 insertions, 0 deletions
diff --git a/raddb/mods-available/mschap b/raddb/mods-available/mschap
new file mode 100644
index 0000000..1748d57
--- /dev/null
+++ b/raddb/mods-available/mschap
@@ -0,0 +1,253 @@
+# -*- text -*-
+#
+# $Id$
+
+#
+# Microsoft CHAP authentication
+#
+# This module supports MS-CHAP and MS-CHAPv2 authentication.
+# It also enforces the SMB-Account-Ctrl attribute.
+#
+mschap {
+ #
+ # If you are using /etc/smbpasswd, see the 'passwd'
+ # module for an example of how to use /etc/smbpasswd
+ #
+
+ #
+ # If use_mppe is not set to no mschap, will
+ # add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
+ # MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
+ #
+# use_mppe = no
+
+ #
+ # If MPPE is enabled, require_encryption makes
+ # encryption moderate
+ #
+# require_encryption = yes
+
+ #
+ # require_strong always requires 128 bit key
+ # encryption
+ #
+# require_strong = yes
+
+ #
+ # This module can perform authentication itself, OR
+ # use a Windows Domain Controller. This configuration
+ # directive tells the module to call the ntlm_auth
+ # program, which will do the authentication, and return
+ # the NT-Key. Note that you MUST have "winbindd" and
+ # "nmbd" running on the local machine for ntlm_auth
+ # to work. See the ntlm_auth program documentation
+ # for details.
+ #
+ # If ntlm_auth is configured below, then the mschap
+ # module will call ntlm_auth for every MS-CHAP
+ # authentication request. If there is a cleartext
+ # or NT hashed password available, you can set
+ # "MS-CHAP-Use-NTLM-Auth := No" in the control items,
+ # and the mschap module will do the authentication itself,
+ # without calling ntlm_auth.
+ #
+ # Be VERY careful when editing the following line!
+ #
+ # You can also try setting the user name as:
+ #
+ # ... --username=%{mschap:User-Name} ...
+ #
+ # In that case, the mschap module will look at the User-Name
+ # attribute, and do prefix/suffix checks in order to obtain
+ # the "best" user name for the request.
+ #
+ # For Samba 4, you should also set the "ntlm auth" parameter
+ # in the Samba configuration:
+ #
+ # ntlm auth = yes
+ #
+ # or
+ #
+ # ntlm auth = mschapv2-and-ntlmv2-only
+ #
+ # This will let Samba 4 accept the MS-CHAP authentication
+ # method that is needed by FreeRADIUS.
+ #
+ # Depending on the Samba version, you may also need to add:
+ #
+ # --allow-mschapv2
+ #
+ # to the command-line parameters.
+ #
+# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
+
+ #
+ # The default is to wait 10 seconds for ntlm_auth to
+ # complete. This is a long time, and if it's taking that
+ # long then you likely have other problems in your domain.
+ # The length of time can be decreased with the following
+ # option, which can save clients waiting if your ntlm_auth
+ # usually finishes quicker. Range 1 to 10 seconds.
+ #
+# ntlm_auth_timeout = 10
+
+ #
+ # An alternative to using ntlm_auth is to connect to the
+ # winbind daemon directly for authentication. This option
+ # is likely to be faster and may be useful on busy systems,
+ # but is less well tested.
+ #
+ # Using this option requires libwbclient from Samba 4.2.1
+ # or later to be installed. Make sure that ntlm_auth above is
+ # commented out.
+ #
+# winbind_username = "%{mschap:User-Name}"
+# winbind_domain = "%{mschap:NT-Domain}"
+
+ #
+ # When using single sign-on with a winbind connection and the
+ # client uses a different casing for the username than the
+ # casing is according to the backend, reauth may fail because
+ # of some Windows internals. This switch tries to find the
+ # user in the correct casing in the backend, and retry
+ # authentication with that username.
+ #
+# winbind_retry_with_normalised_username = no
+
+ #
+ # Information for the winbind connection pool. The configuration
+ # items below are the same for all modules which use the new
+ # connection pool.
+ #
+ pool {
+ #
+ # Connections to create during module instantiation.
+ # If the server cannot create specified number of
+ # connections during instantiation it will exit.
+ # Set to 0 to allow the server to start without the
+ # winbind daemon being available.
+ #
+ start = ${thread[pool].start_servers}
+
+ #
+ # Minimum number of connections to keep open
+ #
+ min = ${thread[pool].min_spare_servers}
+
+ #
+ # Maximum number of connections
+ #
+ # If these connections are all in use and a new one
+ # is requested, the request will NOT get a connection.
+ #
+ # Setting 'max' to LESS than the number of threads means
+ # that some threads may starve, and you will see errors
+ # like 'No connections available and at max connection limit'
+ #
+ # Setting 'max' to MORE than the number of threads means
+ # that there are more connections than necessary.
+ #
+ max = ${thread[pool].max_servers}
+
+ #
+ # Spare connections to be left idle
+ #
+ # NOTE: Idle connections WILL be closed if "idle_timeout"
+ # is set. This should be less than or equal to "max" above.
+ #
+ spare = ${thread[pool].max_spare_servers}
+
+ #
+ # Number of uses before the connection is closed
+ #
+ # 0 means "infinite"
+ #
+ uses = 0
+
+ #
+ # The number of seconds to wait after the server tries
+ # to open a connection, and fails. During this time,
+ # no new connections will be opened.
+ #
+ retry_delay = 30
+
+ #
+ # The lifetime (in seconds) of the connection
+ #
+ # NOTE: A setting of 0 means infinite (no limit).
+ #
+ lifetime = 86400
+
+ #
+ # The pool is checked for free connections every
+ # "cleanup_interval". If there are free connections,
+ # then one of them is closed.
+ #
+ cleanup_interval = 300
+
+ #
+ # The idle timeout (in seconds). A connection which is
+ # unused for this length of time will be closed.
+ #
+ # NOTE: A setting of 0 means infinite (no timeout).
+ #
+ idle_timeout = 600
+
+ #
+ # NOTE: All configuration settings are enforced. If a
+ # connection is closed because of "idle_timeout",
+ # "uses", or "lifetime", then the total number of
+ # connections MAY fall below "min". When that
+ # happens, it will open a new connection. It will
+ # also log a WARNING message.
+ #
+ # The solution is to either lower the "min" connections,
+ # or increase lifetime/idle_timeout.
+ #
+ }
+
+ passchange {
+ #
+ # This support MS-CHAPv2 (not v1) password change
+ # requests. See doc/mschap.rst for more IMPORTANT
+ # information.
+ #
+ # Samba/ntlm_auth - if you are using ntlm_auth to
+ # validate passwords, you will need to use ntlm_auth
+ # to change passwords. Uncomment the three lines
+ # below, and change the path to ntlm_auth.
+ #
+# ntlm_auth = "/usr/bin/ntlm_auth --helper-protocol=ntlm-change-password-1"
+# ntlm_auth_username = "username: %{mschap:User-Name}"
+# ntlm_auth_domain = "nt-domain: %{mschap:NT-Domain}"
+
+ #
+ # To implement a local password change, you need to
+ # supply a string which is then expanded, so that the
+ # password can be placed somewhere. e.g. passed to a
+ # script (exec), or written to SQL (UPDATE/INSERT).
+ # We give both examples here, but only one will be
+ # used.
+ #
+# local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"
+ #
+# local_cpw = "%{sql:UPDATE radcheck set value='%{MS-CHAP-New-NT-Password}' where username='%{SQL-User-Name}' and attribute='NT-Password'}"
+ }
+
+ #
+ # For Apple Server, when running on the same machine as
+ # Open Directory. It has no effect on other systems.
+ #
+# use_open_directory = yes
+
+ #
+ # On failure, set (or not) the MS-CHAP error code saying
+ # "retries allowed".
+ #
+# allow_retry = yes
+
+ #
+ # An optional retry message.
+ #
+# retry_msg = "Re-enter (or reset) the password"
+}