GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages


Manual Reference Pages  -  RLM_MSCHAP (5)

NAME

rlm_mschap - FreeRADIUS Module

CONTENTS

Description
Configuration
Sections
Files
Author

DESCRIPTION

The rlm_mschap module provides MS-CHAP and MS-CHAPv2 authentication support.

This module validates a user with MS-CHAP or MS-CHAPv2 authentication. If called in Authorize, it will look for MS-CHAP Challenge/Response attributes in the Acess-Request and adds an Auth-Type attribute set to MS-CHAP in the Config-Items list unless Auth-Type has already set.

The module can authenticate the MS-CHAP session via plain-text passwords (User-Password attribute), or NT passwords (NT-Password attribute). The module cannot perform authentication against an NT domain.

The module also enforces the SMB-Account-Ctrl attribute. See the Samba documentation for the meaning of SMB account control. The module does not read Samba password files. Instead, the fIrlm_passwd module can be used to read a Samba password file, and supply an NT-Password attribute which this module can use.

The main configuration items to be aware of are:
authtype This is the string used to set the authtype. Normally it should be left to the default value of MS-CHAP.
use_mppe Unless this is set to ’no’, FreeRADIUS will add MS-CHAP-MPPE-Keys for MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2. The default is ’yes’.
require_encryption If MPPE is enabled, setting this attribute to ’yes’ will cause the MS-MPPE-Encryption-Policy attribute to be set to require encryption. The default is ’no’.
require_strong If MPPE is enabled, setting this attribute to ’yes’ will cause the MS-MPPE-Encryption-Types attribute to be set to require a 128 bit key. The default is ’no’.
with_ntdomain_hack Windows clients send User-Name in the form of "DOMAIN\User", but send the challenge/response based only on the User portion. Setting this value to yes, enables a work-around for this error. The default is ’no’.

CONFIGURATION


modules { ...
mschap {
        authtype = MS-CHAP
        use_mppe = yes  
}
...
}
...
authorize { ...
mschap
...
} ...
authenticate { ...
mschap
...
}

SECTIONS

authorization, authentication

FILES

/etc/raddb/radiusd.conf

SEE ALSO

radiusd(8), radiusd.conf(5)

AUTHOR

Chris Parker, cparker@segv.org

Search for    or go to Top of page |  Section 5 |  Main Index


RLM_MSCHAP (5) 13 March 2004

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.