rlm_mschap(5) FreeRADIUS Module rlm_mschap(5)NAMErlm_mschap - FreeRADIUS Module
DESCRIPTION
The rlm_mschap module provides MS-CHAP and MS-CHAPv2 authentication
support.
This module validates a user with MS-CHAP or MS-CHAPv2 authentication.
It should be listed in both the authorize and authenticate sections.
In authorize, it will look for MS-CHAP Challenge/Response attributes in
the Acess-Request, and configure itself to be the module called for the
authenticate section.
The module can authenticate the MS-CHAP session via plain-text pass‐
words (User-Password attribute), or NT passwords (NT-Password
attribute). The module can perform authentication against an NT domain
by using the ntlm_auth program.
SMB Integration
The module also enforces the SMB-Account-Ctrl attribute. See the Samba
documentation for the meaning of SMB account control. The module does
not read Samba password files. Instead, the rlm_passwd module should
be used to read a Samba password file, and to supply an NT-Password
attribute which this module can use. See the etc_smbpasswd module in
radiusd.conf for more details.
MODULE CONFIGURATION
The main configuration items to be aware of are:
use_mppe
Unless this is set to 'no', FreeRADIUS will add MS-CHAP-MPPE-
Keys for MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-
CHAPv2. The default is 'yes'.
require_encryption
If MPPE is enabled, setting this attribute to 'yes' will cause
the MS-MPPE-Encryption-Policy attribute to be set to require
encryption. The default is 'no'.
require_strong
If MPPE is enabled, setting this attribute to 'yes' will cause
the MS-MPPE-Encryption-Types attribute to be set to require a
128 bit key. The default is 'no'.
with_ntdomain_hack
Windows clients send User-Name in the form of "DOMAIN\User", but
send the challenge/response based only on the User portion.
Setting this value to yes, enables a work-around for this error.
The default is 'no'.
ntlm_auth
Use the ntlm_auth program for authentication against Samba, or a
Windows NT or Active Directory Domain Controller. For machine
authentication, the following configuration should be used:
ntlm_auth = "/path/to/ntlm_auth --username=%{mschap:User-
Name:-None} --challenge=%{mschap:Challenge:-00} --nt-
response=%{mschap:NT-Response:-00} --domain=%{mschap:NT-
Domain:-YOUR_DEFAULT_DOMAIN} If configured, ntlm_auth will
always be called, even if there is a clear-text or NT-Password
available for the user. You can force ntlm_auth to not be used
by setting MS-CHAP-Use-NTLM-Auth := No in the users file, or in
a database such as SQL.
SECTIONS
authorization, authentication
FILES
/etc/raddb/radiusd.conf
SEE ALSOradiusd(8), radiusd.conf(5)AUTHOR
Chris Parker, cparker@segv.org
19 May 2006 rlm_mschap(5)