.TH rlm_mschap 5 "19 May 2006" "" "FreeRADIUS Module"
.SH NAME
rlm_mschap \- FreeRADIUS Module
.SH DESCRIPTION
The \fIrlm_mschap\fP module provides MS-CHAP and MS-CHAPv2
authentication support. 
.PP
This module validates a user with MS-CHAP or MS-CHAPv2 authentication.
It should be listed in both the \fIauthorize\fP and \fIauthenticate\fP
sections.  In \fIauthorize\fP, it will look for MS-CHAP
Challenge/Response attributes in the Access-Request, and configure
itself to be the module called for the \fIauthenticate\fP section.
.PP
The module can authenticate the MS-CHAP session via plain-text
passwords (User-Password attribute), or NT passwords (NT-Password
attribute).  The module can perform authentication against an NT
domain by using the \fIntlm_auth\fP program.
.SH SMB Integration
The module also enforces the SMB-Account-Ctrl attribute.  See the
Samba documentation for the meaning of SMB account control.  The
module does not read Samba password files.  Instead, the
\fIrlm_passwd\fP module should be used to read a Samba password file,
and to supply an NT-Password attribute which this module can use.  See
the \fIetc_smbpasswd\fP module in \fIradiusd.conf\fP for more details.
.SH MODULE CONFIGURATION
The main configuration items to be aware of are:
.IP use_mppe
Unless this is set to 'no', FreeRADIUS will add MS-CHAP-MPPE-Keys for
MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2.  The
default is 'yes'.
.IP require_encryption
If MPPE is enabled, setting this attribute to 'yes' will cause the
MS-MPPE-Encryption-Policy attribute to be set to require encryption.
The default is 'no'.
.IP require_strong
If MPPE is enabled, setting this attribute to 'yes' will cause the
MS-MPPE-Encryption-Types attribute to be set to require a 128 bit key.
The default is 'no'.
.IP with_ntdomain_hack
Windows clients send User-Name in the form of "DOMAIN\\User", but send the
challenge/response based only on the User portion.  Setting this value
to 'yes' enables a work-around for this error.  The default is 'no'.
.IP ntlm_auth
Use the \fIntlm_auth\fP program for authentication against Samba, or a
Windows NT or Active Directory Domain Controller.  For machine
authentication, the following configuration should be used:
.DS
ntlm_auth = "/path/to/ntlm_auth --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --domain=%{mschap:NT-Domain:-YOUR_DEFAULT_DOMAIN}"
.DE
If configured, \fIntlm_auth\fP will always be called, even if there is
a clear-text or NT-Password available for the user.  You can force
\fIntlm_auth\fP to not be used by setting
.DS
MS-CHAP-Use-NTLM-Auth := No
.DE
in the \fIusers\fP file, or in a database such as SQL.
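.PP
The following is an added example of how the items above fit together in
\fIradiusd.conf\fP and in the \fIusers\fP file; it is not taken from the
FreeRADIUS distribution.  The \fIntlm_auth\fP path, the domain name
YOUR_DEFAULT_DOMAIN, the user name "bob" and the NT-Password value are
placeholders to be replaced with local values.

```text
# radiusd.conf (added example, not the stock configuration)

modules {
    mschap {
        # Send MPPE key material back to the NAS (the default).
        use_mppe = yes
        # Only useful when use_mppe = yes: require the NAS to encrypt
        # the session and to use a 128-bit key.
        require_encryption = yes
        require_strong = yes
        # Strip the "DOMAIN\" prefix that Windows clients put in
        # User-Name before computing the challenge/response.
        with_ntdomain_hack = yes
        # Delegate verification to a domain controller via ntlm_auth.
        # Placeholders: /path/to/ntlm_auth and YOUR_DEFAULT_DOMAIN.
        ntlm_auth = "/path/to/ntlm_auth --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --domain=%{mschap:NT-Domain:-YOUR_DEFAULT_DOMAIN}"
    }
}

# The module must appear in both sections: in authorize it detects the
# MS-CHAP attributes and sets Auth-Type, in authenticate it verifies
# the response.
authorize {
    preprocess
    mschap
    files
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
}

# users file: one account that bypasses ntlm_auth and is checked
# against a locally stored NT-Password instead.  The hash value is a
# placeholder, not a real password hash.
bob     MS-CHAP-Use-NTLM-Auth := No, NT-Password := "0xPLACEHOLDER_NT_HASH"
```

With \fIntlm_auth\fP configured, every other account is verified by the
domain controller; only "bob" is checked locally because the
MS-CHAP-Use-NTLM-Auth check item overrides the module setting for that
entry.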
.PP
.SH SECTIONS
.BR authorization,
.BR authentication
.PP
.SH FILES
.I /etc/raddb/radiusd.conf
.PP
.SH "SEE ALSO"
.BR radiusd (8),
.BR radiusd.conf (5)
.SH AUTHOR
Chris Parker, cparker@segv.org