rlm_mschap(5) | FreeRADIUS Module | rlm_mschap(5) |
rlm_mschap - FreeRADIUS Module
The rlm_mschap module provides MS-CHAP and MS-CHAPv2 authentication support.
This module validates a user with MS-CHAP or MS-CHAPv2 authentication. If called in Authorize, it will look for MS-CHAP Challenge/Response attributes in the Acess-Request and adds an Auth-Type attribute set to MS-CHAP in the Config-Items list unless Auth-Type has already set.
The module can authenticate the MS-CHAP session via plain-text passwords (User-Password attribute), or NT passwords (NT-Password attribute). The module cannot perform authentication against an NT domain.
The module also enforces the SMB-Account-Ctrl attribute. See the Samba documentation for the meaning of SMB account control. The module does not read Samba password files. Instead, the fIrlm_passwd module can be used to read a Samba password file, and supply an NT-Password attribute which this module can use.
The main configuration items to be aware of are:
modules {
...
mschap {
authtype = MS-CHAP
use_mppe = yes
}
...
}
...
authorize {
...
mschap
...
}
...
authenticate {
...
mschap
...
}
authorization, authentication
/etc/freeradius/3.0/radiusd.conf
Chris Parker, cparker@segv.org
13 March 2004 |