Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

rlm_mschap(5) [centos man page]

rlm_mschap(5)							 FreeRADIUS Module						     rlm_mschap(5)

NAME

       rlm_mschap - FreeRADIUS Module

DESCRIPTION

       The rlm_mschap module provides MS-CHAP and MS-CHAPv2 authentication support.

       This module validates a user with MS-CHAP or MS-CHAPv2 authentication.  If called in Authorize, it will look for MS-CHAP Challenge/Response
       attributes in the Acess-Request and adds an Auth-Type attribute set to MS-CHAP in the Config-Items list unless Auth-Type has already set.

       The module can authenticate the	MS-CHAP  session  via  plain-text  passwords  (User-Password  attribute),  or  NT  passwords  (NT-Password
       attribute).  The module cannot perform authentication against an NT domain.

       The  module  also enforces the SMB-Account-Ctrl attribute.  See the Samba documentation for the meaning of SMB account control.	The module
       does not read Samba password files.  Instead, the fIrlm_passwd module can be used to read a Samba password file, and supply an  NT-Password
       attribute which this module can use.

       The main configuration items to be aware of are:

       authtype
	      This is the string used to set the authtype.  Normally it should be left to the default value of MS-CHAP.

       use_mppe
	      Unless this is set to 'no', FreeRADIUS will add MS-CHAP-MPPE-Keys for MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2.
	      The default is 'yes'.

       require_encryption
	      If MPPE is enabled, setting this attribute to 'yes' will cause the MS-MPPE-Encryption-Policy attribute to be set to require  encryp-
	      tion.  The default is 'no'.

       require_strong
	      If MPPE is enabled, setting this attribute to 'yes' will cause the MS-MPPE-Encryption-Types attribute to be set to require a 128 bit
	      key.  The default is 'no'.

       with_ntdomain_hack
	      Windows clients send User-Name in the form of "DOMAINUser", but send the challenge/response based only on the User  portion.   Set-
	      ting this value to yes, enables a work-around for this error.  The default is 'no'.

CONFIGURATION

       modules {
	 ...
	 mschap {
	    authtype = MS-CHAP
	    use_mppe = yes
	 }
	 ...
       }
	...
       authorize {
	 ...
	 mschap
	 ...
       }
	...
       authenticate {
	 ...
	 mschap
	 ...
       }

SECTIONS

       authorization, authentication

FILES

       /etc/raddb/radiusd.conf

SEE ALSO

       radiusd(8), radiusd.conf(5)

AUTHOR

       Chris Parker, cparker@segv.org

								   13 March 2004						     rlm_mschap(5)

Check Out this Related Man Page

rlm_counter(5)							 FreeRADIUS Module						    rlm_counter(5)

NAME

       rlm_counter - FreeRADIUS Module

DESCRIPTION

       The  rlm_counter module provides a general framework to allow access based on accumulated usage of a resource, such as total time online in
       a given period, total data transferred in a given period, etc.  This is very useful in a 'Prepaid Service' situation, where a user has paid
       for a finite amount of usage and should not be allowed to use more than that service.  Collection, monitoring, and replenishment of prepaid
       services are beyond the scope of this module.

       The main configuration items to be aware of are:

       filename
	      The filename where the usage data is stored.

       key    An attribute which will be present in the Access-Request to be used as the 'index' value for the counter. A counter entry is tracked
	      for each unique key.  The most likely key you will want to use is User-Name.

       count_attribute
	      An  attribute  which  will  be  used to increment the counter value.  If this attribute is Acct-Session-Time or an integer value the
	      counter data is incremented by the Attribute value.  For all other attribute types the counter is incremented by one.

       reset  How frequently the counter data should be set back to 0.	Valid values for this variable are: hourly, daily, weekly,  monthly,  orn-
	      ever  Alternatively, it can be user defined, in the form: num[hdwm].  num is a numeric value, followed by one or none of the follow-
	      ing letters.  h: hours, d: days, w: weeks, m: months.

       check_name
	      This defines an attribute name which will be registered by the counter module and can be used to set the maximum allowed	value  for
	      the  counter  after which the user is rejected.  If Daily-Session-Time is set, you can use the following syntax in the Users file to
	      set a cap of 3600 seconds ( 8 hours ):

       DEFAULT Max-Daily-Session := 3600

       reply_name
	      This is the name of the attribute which will contain the remaining value for the counter in the reply packet when the user  is  suc-
	      cessfully authorized. The default attribute name is "Session-Timeout".

       allowed_service_type
	      This can be used to only apply the limitations to specific service types of sessions.  For example, setting this to Framed-User will
	      only apply the counter module to Framed sessions, excluding other types such as Telnet or Rlogin.

       cache_size
	      The maximum size of the cache to be used by the module.  The default is 1000.

NOTES

       This module registers an attribute, so it should be added to the instantiate section, to be called on server startup.   When  used  in  the
       authorize section, it must come after any modules which set the 'check_name' attribute.

SECTIONS

       instantiate, authorize, accounting

FILES

       /etc/raddb/radiusd.conf

SEE ALSO

       radiusd(8), radiusd.conf(5) rlm_sqlcounter(5)

AUTHOR

       Chris Parker, cparker@segv.org

								   13 March 2004						    rlm_counter(5)
Man Page