rlm_mschap man page on YellowDog


rlm_mschap(5)		       FreeRADIUS Module		 rlm_mschap(5)

NAME
       rlm_mschap - FreeRADIUS Module

DESCRIPTION
       The  rlm_mschap	module	provides  MS-CHAP and MS-CHAPv2 authentication
       support.

       This module validates a user with MS-CHAP or MS-CHAPv2  authentication.
       It  should  be  listed in both the authorize and authenticate sections.
       In authorize, it will look for MS-CHAP Challenge/Response attributes in
       the Access-Request, and configure itself to be the module called for the
       authenticate section.

       The module can authenticate the MS-CHAP session via plain-text passwords
       (User-Password attribute), or NT passwords (NT-Password attribute).
       The module can perform authentication against an NT domain by using
       the ntlm_auth program.

SMB Integration
       The module also enforces the SMB-Account-Ctrl attribute.	 See the Samba
       documentation for the meaning of SMB account control.  The module  does
       not  read  Samba password files.	 Instead, the rlm_passwd module should
       be used to read a Samba password file, and  to  supply  an  NT-Password
       attribute  which	 this module can use.  See the etc_smbpasswd module in
       radiusd.conf for more details.

MODULE CONFIGURATION
       The main configuration items to be aware of are:

       use_mppe
	      Unless this is set to 'no', FreeRADIUS  will  add	 MS-CHAP-MPPE-
	      Keys for MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-
	      CHAPv2.  The default is 'yes'.

       require_encryption
	      If MPPE is enabled, setting this attribute to 'yes'  will	 cause
	      the  MS-MPPE-Encryption-Policy  attribute	 to  be set to require
	      encryption.  The default is 'no'.

       require_strong
	      If MPPE is enabled, setting this attribute to 'yes'  will	 cause
	      the  MS-MPPE-Encryption-Types  attribute	to be set to require a
	      128 bit key.  The default is 'no'.

       with_ntdomain_hack
	      Windows clients send User-Name in the form of "DOMAIN\User", but
	      send  the	 challenge/response  based  only  on the User portion.
	      Setting this value to 'yes' enables a work-around for this error.
	      The default is 'no'.

       ntlm_auth
	      Use the ntlm_auth program for authentication against Samba, or a
	      Windows NT or Active Directory Domain Controller.  For machine
	      authentication, the following configuration should be used:

	      ntlm_auth = "/path/to/ntlm_auth --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --domain=%{mschap:NT-Domain:-YOUR_DEFAULT_DOMAIN}"

	      If configured, ntlm_auth will always be called, even if there is
	      a clear-text or NT-Password available for the user.  You can
	      force ntlm_auth to not be used by setting
	      MS-CHAP-Use-NTLM-Auth := No in the users file, or in a database
	      such as SQL.
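
The mismatch that with_ntdomain_hack works around, as an added example that is not part of the original man page or of the FreeRADIUS source. It assumes the MS-CHAPv2 ChallengeHash from RFC 2759 (first 8 octets of SHA1 over peer challenge, authenticator challenge and user name); the challenges and the user name are constructed, and it compares only this challenge hash, since the later NT-Response steps do not depend on the user name.

```python
import hashlib
import hmac


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(peer || authenticator || user)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    digest = hashlib.sha1(peer_challenge + auth_challenge + user.encode()).digest()
    return digest[:8]


def strip_nt_domain(user_name: str) -> str:
    """Return the User portion of "DOMAIN\\User"; plain names pass through."""
    return user_name.rsplit("\\", 1)[-1]


def server_challenge(user_name_attr: str, peer: bytes, auth: bytes,
                     ntdomain_hack: bool) -> bytes:
    """Challenge the server derives from the User-Name attribute it received."""
    name = strip_nt_domain(user_name_attr) if ntdomain_hack else user_name_attr
    return challenge_hash(peer, auth, name)


# Constructed sample values (not taken from the man page).
PEER = bytes(range(16))            # peer challenge chosen by the client
AUTH = bytes(range(16, 32))        # authenticator challenge sent by the NAS
USER_NAME_ATTR = "EXAMPLE\\alice"  # User-Name as a Windows client sends it


def client_challenge() -> bytes:
    """The client hashes only the User portion, as the man page describes."""
    return challenge_hash(PEER, AUTH, strip_nt_domain(USER_NAME_ATTR))


def challenges_match(ntdomain_hack: bool) -> bool:
    """True when client and server derive the same 8-octet challenge."""
    server = server_challenge(USER_NAME_ATTR, PEER, AUTH, ntdomain_hack)
    return hmac.compare_digest(client_challenge(), server)


if __name__ == "__main__":
    for hack in (False, True):
        setting = "yes" if hack else "no"
        print(f"with_ntdomain_hack = {setting}: challenge match = {challenges_match(hack)}")
```

With the setting left at 'no', the server hashes the full "DOMAIN\User" string, derives a different challenge, and a correct password is rejected.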

SECTIONS
       authorization, authentication

FILES
       /etc/raddb/radiusd.conf

SEE ALSO
       radiusd(8), radiusd.conf(5)

AUTHOR
       Chris Parker, cparker@segv.org

				  19 May 2006			 rlm_mschap(5)