rlm_chap(5) FreeRADIUS Module rlm_chap(5)NAME
rlm_chap - FreeRADIUS Module
DESCRIPTION
The rlm_chap module provides CHAP functionality.
This module validates a user with CHAP authentication. If called in Authorize, it will look for CHAP-Password attribute in the Acess-
Request and adds an Auth-Type attribute set to CHAP if the Config-Items list unless Auth-Type has already set.
CHAP authentication requires access to the clear-text password for the user. Standard Unix system authentication or passwords encrypted
via crypt() are not compatible with CHAP.
SECTIONS
authorization, authentication
FILES
/etc/raddb/radiusd.conf
SEE ALSO radiusd(8), radiusd.conf(5)AUTHOR
Chris Parker, cparker@segv.org
3 February 2004 rlm_chap(5)
Check Out this Related Man Page
rlm_mschap(5) FreeRADIUS Module rlm_mschap(5)NAME
rlm_mschap - FreeRADIUS Module
DESCRIPTION
The rlm_mschap module provides MS-CHAP and MS-CHAPv2 authentication support.
This module validates a user with MS-CHAP or MS-CHAPv2 authentication. If called in Authorize, it will look for MS-CHAP Challenge/Response
attributes in the Acess-Request and adds an Auth-Type attribute set to MS-CHAP in the Config-Items list unless Auth-Type has already set.
The module can authenticate the MS-CHAP session via plain-text passwords (User-Password attribute), or NT passwords (NT-Password
attribute). The module cannot perform authentication against an NT domain.
The module also enforces the SMB-Account-Ctrl attribute. See the Samba documentation for the meaning of SMB account control. The module
does not read Samba password files. Instead, the fIrlm_passwd module can be used to read a Samba password file, and supply an NT-Password
attribute which this module can use.
The main configuration items to be aware of are:
authtype
This is the string used to set the authtype. Normally it should be left to the default value of MS-CHAP.
use_mppe
Unless this is set to 'no', FreeRADIUS will add MS-CHAP-MPPE-Keys for MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2.
The default is 'yes'.
require_encryption
If MPPE is enabled, setting this attribute to 'yes' will cause the MS-MPPE-Encryption-Policy attribute to be set to require encryp-
tion. The default is 'no'.
require_strong
If MPPE is enabled, setting this attribute to 'yes' will cause the MS-MPPE-Encryption-Types attribute to be set to require a 128 bit
key. The default is 'no'.
with_ntdomain_hack
Windows clients send User-Name in the form of "DOMAINUser", but send the challenge/response based only on the User portion. Set-
ting this value to yes, enables a work-around for this error. The default is 'no'.
CONFIGURATION
modules {
...
mschap {
authtype = MS-CHAP
use_mppe = yes
}
...
}
...
authorize {
...
mschap
...
}
...
authenticate {
...
mschap
...
}
SECTIONS
authorization, authentication
FILES
/etc/raddb/radiusd.conf
SEE ALSO radiusd(8), radiusd.conf(5)AUTHOR
Chris Parker, cparker@segv.org
13 March 2004 rlm_mschap(5)