1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
.\" # DS - begin display
.de DS
.RS
.nf
.sp
..
.\" # DE - end display
.de DE
.fi
.RE
.sp
..
.TH rlm_mschap 5 "13 March 2004" "" "FreeRADIUS Module"
.SH NAME
rlm_mschap \- FreeRADIUS Module
.SH DESCRIPTION
The \fIrlm_mschap\fP module provides MS-CHAP and MS-CHAPv2
authentication support.
.PP
This module validates a user with MS-CHAP or MS-CHAPv2
authentication.
If called in Authorize, it will look for MS-CHAP Challenge/Response
attributes in the Acess-Request and adds an Auth-Type
attribute set to MS-CHAP in the Config-Items list unless
Auth-Type has already set.
.PP
The module can authenticate the MS-CHAP session via plain-text
passwords (User-Password attribute), or NT passwords (NT-Password
attribute). The module cannot perform authentication against an NT
domain.
.PP
The module also enforces the SMB-Account-Ctrl attribute. See the
Samba documentation for the meaning of SMB account control. The
module does not read Samba password files. Instead, the fIrlm_passwd\fP
module can be used to read a Samba password file, and supply an
NT-Password attribute which this module can use.
.PP
The main configuration items to be aware of are:
.IP authtype
This is the string used to set the authtype. Normally it should be
left to the default value of MS-CHAP.
.IP use_mppe
Unless this is set to 'no', FreeRADIUS will add MS-CHAP-MPPE-Keys for
MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2. The
default is 'yes'.
.IP require_encryption
If MPPE is enabled, setting this attribute to 'yes' will cause the
MS-MPPE-Encryption-Policy attribute to be set to require encryption.
The default is 'no'.
.IP require_strong
If MPPE is enabled, setting this attribute to 'yes' will cause the
MS-MPPE-Encryption-Types attribute to be set to require a 128 bit key.
The default is 'no'.
.IP with_ntdomain_hack
Windows clients send User-Name in the form of "DOMAIN\\User", but send the
challenge/response based only on the User portion. Setting this value
to yes, enables a work-around for this error. The default is 'no'.
.PP
.SH CONFIGURATION
.DS
modules {
...
.br
mschap {
.br
authtype = MS-CHAP
.br
use_mppe = yes
.br
}
.br
...
.br
}
.br
...
.br
authorize {
...
.br
mschap
.br
...
.br
}
...
.br
authenticate {
...
.br
mschap
.br
...
.br
}
.DE
.PP
.SH SECTIONS
.BR authorization,
.BR authentication
.PP
.SH FILES
.I /etc/raddb/radiusd.conf
.PP
.SH "SEE ALSO"
.BR radiusd (8),
.BR radiusd.conf (5)
.SH AUTHOR
Chris Parker, cparker@segv.org
|