Man page or keyword search:   man All Sections 1 - General Commands 2 - System Calls 3 - Subroutines, Functions 4 - Special Files 5 - File Formats 6 - Games and Screensavers 7 - Macros and Conventions 8 - Maintenence Commands 9 - Kernel Interface New Commands Server 4.4BSD AIX Alpinelinux Archlinux Aros BSDOS BSDi Bifrost CentOS Cygwin Darwin Debian DigitalUNIX DragonFly ElementaryOS Fedora FreeBSD Gentoo GhostBSD HP-UX Haiku Hurd IRIX Inferno JazzOS Kali Knoppix LinuxMint MacOSX Mageia Mandriva Manjaro Minix MirBSD NeXTSTEP NetBSD OPENSTEP OSF1 OpenBSD OpenDarwin OpenIndiana OpenMandriva OpenServer OpenSuSE OpenVMS Oracle PC-BSD Peanut Pidora Plan9 QNX Raspbian RedHat Scientific Slackware SmartOS Solaris SuSE SunOS Syllable Tru64 UNIXv7 Ubuntu Ultrix UnixWare Xenix YellowDog aLinux   44335 pages apropos Keyword Search (all sections) Output format html ascii pdf view pdf save postscript

rlm_mschap(5)		       FreeRADIUS Module		 rlm_mschap(5)

NAME
       rlm_mschap - FreeRADIUS Module

DESCRIPTION
       The  rlm_mschap	module	provides  MS-CHAP and MS-CHAPv2 authentication
       support.

       This module validates a user with MS-CHAP or MS-CHAPv2  authentication.
       If  called  in  Authorize,  it will look for MS-CHAP Challenge/Response
       attributes in the Acess-Request and adds an Auth-Type attribute set  to
       MS-CHAP in the Config-Items list unless Auth-Type has already set.

       The  module  can	 authenticate the MS-CHAP session via plain-text pass‐
       words  (User-Password  attribute),   or	 NT   passwords	  (NT-Password
       attribute).   The  module  cannot  perform authentication against an NT
       domain.

       The module also enforces the SMB-Account-Ctrl attribute.	 See the Samba
       documentation  for the meaning of SMB account control.  The module does
       not read Samba password files.  Instead, the fIrlm_passwd module can be
       used to read a Samba password file, and supply an NT-Password attribute
       which this module can use.

       The main configuration items to be aware of are:

       authtype
	      This is the string used to set the authtype.  Normally it should
	      be left to the default value of MS-CHAP.

       use_mppe
	      Unless  this  is	set to 'no', FreeRADIUS will add MS-CHAP-MPPE-
	      Keys for MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-
	      CHAPv2.  The default is 'yes'.

       require_encryption
	      If  MPPE	is enabled, setting this attribute to 'yes' will cause
	      the MS-MPPE-Encryption-Policy attribute to  be  set  to  require
	      encryption.  The default is 'no'.

       require_strong
	      If  MPPE	is enabled, setting this attribute to 'yes' will cause
	      the MS-MPPE-Encryption-Types attribute to be set	to  require  a
	      128 bit key.  The default is 'no'.

       with_ntdomain_hack
	      Windows clients send User-Name in the form of "DOMAIN\User", but
	      send the challenge/response based	 only  on  the	User  portion.
	      Setting this value to yes, enables a work-around for this error.
	      The default is 'no'.

CONFIGURATION
       modules {
	 ...
	 mschap {
	    authtype = MS-CHAP
	    use_mppe = yes
	 }
	 ...
       }
	...
       authorize {
	 ...
	 mschap
	 ...
       }
	...
       authenticate {
	 ...
	 mschap
	 ...
       }

SECTIONS
       authorization, authentication

FILES
       /etc/raddb/radiusd.conf

SEE ALSO
       radiusd(8), radiusd.conf(5)

AUTHOR
       Chris Parker, cparker@segv.org

				 13 March 2004			 rlm_mschap(5)

Vote for polarhome