.\" # DS - begin display
.TH rlm_mschap 5 "13 March 2004" "" "FreeRADIUS Module"
rlm_mschap \- FreeRADIUS Module
The \fIrlm_mschap\fP module provides MS-CHAP and MS-CHAPv2
authentication support.
This module validates a user with MS-CHAP or MS-CHAPv2
If called in Authorize, it will look for MS-CHAP Challenge/Response
attributes in the Access-Request and add an Auth-Type
attribute set to MS-CHAP in the Config-Items list unless
Auth-Type has already been set.
The module can authenticate the MS-CHAP session via plain-text
passwords (User-Password attribute), or NT passwords (NT-Password
attribute). The module cannot perform authentication against an NT
The module also enforces the SMB-Account-Ctrl attribute. See the
Samba documentation for the meaning of SMB account control. The
module does not read Samba password files. Instead, the \fIrlm_passwd\fP
module can be used to read a Samba password file, and supply an
NT-Password attribute which this module can use.
The main configuration items to be aware of are:
This is the string used to set the authtype. Normally it should be
left to the default value of MS-CHAP.
Unless this is set to 'no', FreeRADIUS will add MS-CHAP-MPPE-Keys for
MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2. The
.IP require_encryption
If MPPE is enabled, setting this attribute to 'yes' will cause the
MS-MPPE-Encryption-Policy attribute to be set to require encryption.
If MPPE is enabled, setting this attribute to 'yes' will cause the
MS-MPPE-Encryption-Types attribute to be set to require a 128 bit key.
.IP with_ntdomain_hack
Windows clients send User-Name in the form of "DOMAIN\\User", but send the
challenge/response based only on the User portion. Setting this value
to 'yes' enables a work-around for this error. The default is 'no'.
.I /etc/raddb/radiusd.conf
Chris Parker, cparker@segv.org
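.PP
The mismatch that with_ntdomain_hack works around, shown as an added example that is not part of the FreeRADIUS source: the MS-CHAPv2 ChallengeHash from RFC 2759 covers the user name, so a server that hashes the full "DOMAIN\\User" string derives a different 8-octet challenge than the client did. The helper names and the challenge values are constructed for illustration.

```python
import hashlib


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash: first 8 octets of SHA1(peer || authenticator || user name)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 octets")
    data = peer_challenge + auth_challenge + user_name.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def strip_nt_domain(user_name: str) -> str:
    """Hypothetical helper: drop a leading NT domain and backslash, if present."""
    _domain, sep, user = user_name.partition("\\")
    return user if sep else user_name


def server_challenge(peer: bytes, auth: bytes, radius_user_name: str, ntdomain_hack: bool) -> bytes:
    """Challenge the server derives from the User-Name attribute it received."""
    name = strip_nt_domain(radius_user_name) if ntdomain_hack else radius_user_name
    return challenge_hash(peer, auth, name)


# Constructed sample values, not taken from a real exchange.
PEER = bytes(range(16))
AUTH = bytes(range(16, 32))
RADIUS_USER_NAME = "DOMAIN\\User"   # what arrives in the Access-Request


def demo() -> dict:
    # The Windows client hashes only the User portion.
    client = challenge_hash(PEER, AUTH, strip_nt_domain(RADIUS_USER_NAME))
    return {
        "without_hack": server_challenge(PEER, AUTH, RADIUS_USER_NAME, False) == client,
        "with_hack": server_challenge(PEER, AUTH, RADIUS_USER_NAME, True) == client,
    }


if __name__ == "__main__":
    # The NT-Response is computed over this 8-octet challenge, so a mismatch
    # here makes an otherwise correct password fail validation.
    print(demo())
```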