.TH rlm_mschap 5 "19 May 2006" "" "FreeRADIUS Module"
.SH NAME
rlm_mschap \- FreeRADIUS Module
.SH DESCRIPTION
The \fIrlm_mschap\fP module provides MS-CHAP and MS-CHAPv2
authentication support.
.PP
This module validates a user with MS-CHAP or MS-CHAPv2 authentication.
It should be listed in both the \fIauthorize\fP and \fIauthenticate\fP
sections. In \fIauthorize\fP, it will look for MS-CHAP
Challenge/Response attributes in the Access-Request and, unless
Auth-Type has already been set, add an Auth-Type attribute set to
MS-CHAP to the Config-Items list, so that it becomes the module called
for the \fIauthenticate\fP section.
.PP
The module can authenticate the MS-CHAP session via plain-text
passwords (User-Password attribute), or NT passwords (NT-Password
attribute). The module can perform authentication against an NT
domain by using the \fIntlm_auth\fP program.
.PP
The module also enforces the SMB-Account-Ctrl attribute. See the
Samba documentation for the meaning of SMB account control. The
module does not read Samba password files. Instead, the
\fIrlm_passwd\fP module should be used to read a Samba password file,
and to supply an NT-Password attribute which this module can use. See
the \fIetc_smbpasswd\fP module in \fIradiusd.conf\fP for more details.
.SH MODULE CONFIGURATION
The main configuration items to be aware of are:
.IP authtype
This is the string used to set the authtype. Normally it should be
left to the default value of MS-CHAP.
.IP use_mppe
Unless this is set to 'no', FreeRADIUS will add MS-CHAP-MPPE-Keys for
MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2. The
.IP with_ntdomain_hack
Windows clients send User-Name in the form of "DOMAIN\\User", but send the
challenge/response based only on the User portion. Setting this value
to 'yes' enables a work-around for this error. The default is 'no'.
.IP ntlm_auth
Use the \fIntlm_auth\fP program for authentication against Samba, or a
Windows NT or Active Directory Domain Controller. For machine
authentication, the following configuration should be used:
.PP
.nf
ntlm_auth = "/path/to/ntlm_auth --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --domain=%{mschap:NT-Domain:-YOUR_DEFAULT_DOMAIN}"
.fi
.PP
If configured, \fIntlm_auth\fP will always be called, even if there is
a clear-text or NT-Password available for the user. You can force
\fIntlm_auth\fP to not be used by setting
.PP
.nf
MS-CHAP-Use-NTLM-Auth := No
.fi
.PP
in the \fIusers\fP file, or in a database such as SQL.
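.PP
The following is an added worked example, written for this page and not
configuration shipped with FreeRADIUS, that puts the items described above
together: a complete \fImschap\fP module block for \fIradiusd.conf\fP, the
\fIauthorize\fP and \fIauthenticate\fP listings the module needs, and a
\fIusers\fP entry that switches \fIntlm_auth\fP off for one local account.
The path \fI/usr/bin/ntlm_auth\fP, the domain name EXAMPLE and the user
name localuser are placeholders chosen for the example.

```conf
# Added example for radiusd.conf (not from the FreeRADIUS distribution).
# Path, domain and user name below are placeholders.
mschap {
        # String placed in Auth-Type when the module adds it in authorize.
        authtype = MS-CHAP

        # Send MPPE key attributes back to the NAS so the PPP/VPN link can be
        # encrypted: MS-CHAP-MPPE-Keys for v1, MS-MPPE-Send/Recv-Key for v2.
        use_mppe = yes

        # Windows clients send "DOMAIN\User" but compute the response over the
        # user part only; strip the domain before checking the response.
        with_ntdomain_hack = yes

        # Delegate the challenge/response check to Samba's ntlm_auth so that
        # domain accounts can be verified without a local NT-Password.
        # The "%{mschap:...}" expansions are supplied by rlm_mschap; the value
        # after ":-" is the fallback used when the attribute is absent.
        ntlm_auth = "/usr/bin/ntlm_auth --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --domain=%{mschap:NT-Domain:-EXAMPLE}"
}

# authorize: lets the module spot MS-CHAP attributes and set Auth-Type.
authorize {
        mschap
}

# authenticate: the module is run for requests whose Auth-Type is MS-CHAP.
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
}

# ---- separate file: users ----
# Local account whose NT-Password comes from another module (for example
# rlm_passwd reading a Samba password file); ntlm_auth is not consulted
# for it, and the NT-Password attribute is checked directly.
localuser       MS-CHAP-Use-NTLM-Auth := No
```

With this configuration every MS-CHAP request for a domain account is
answered by the domain controller through \fIntlm_auth\fP, while the
single local account keeps being checked against its NT-Password; the
\fIusers\fP line is the same override the text describes, and the same
attribute can be set from SQL instead.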