A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Man page of rlm_mschap

rlm_mschap

Section: FreeRADIUS Module (5)
Updated: 13 March 2004
Index of this MAN page

Back To MAN Pages From BackTrack 5 R1 Master List  

NAME

rlm_mschap - FreeRADIUS Module  

DESCRIPTION

The rlm_mschap module provides MS-CHAP and MS-CHAPv2 authentication support.

This module validates a user with MS-CHAP or MS-CHAPv2 authentication. If called in Authorize, it will look for MS-CHAP Challenge/Response attributes in the Acess-Request and adds an Auth-Type attribute set to MS-CHAP in the Config-Items list unless Auth-Type has already set.

The module can authenticate the MS-CHAP session via plain-text passwords (User-Password attribute), or NT passwords (NT-Password attribute). The module cannot perform authentication against an NT domain.

The module also enforces the SMB-Account-Ctrl attribute. See the Samba documentation for the meaning of SMB account control. The module does not read Samba password files. Instead, the fIrlm_passwd module can be used to read a Samba password file, and supply an NT-Password attribute which this module can use.

The main configuration items to be aware of are:

authtype
This is the string used to set the authtype. Normally it should be left to the default value of MS-CHAP.
use_mppe
Unless this is set to 'no', FreeRADIUS will add MS-CHAP-MPPE-Keys for MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2. The default is 'yes'.
require_encryption
If MPPE is enabled, setting this attribute to 'yes' will cause the MS-MPPE-Encryption-Policy attribute to be set to require encryption. The default is 'no'.
require_strong
If MPPE is enabled, setting this attribute to 'yes' will cause the MS-MPPE-Encryption-Types attribute to be set to require a 128 bit key. The default is 'no'.
with_ntdomain_hack
Windows clients send User-Name in the form of "DOMAIN\User", but send the challenge/response based only on the User portion. Setting this value to yes, enables a work-around for this error. The default is 'no'.

 

CONFIGURATION


modules {
  ...

mschap {
authtype = MS-CHAP
use_mppe = yes
}
...
}
...
authorize { ...
mschap
...
} ...
authenticate { ...
mschap
...
}

 

SECTIONS

authorization, authentication

 

FILES

/etc/raddb/radiusd.conf

 

SEE ALSO

radiusd(8), radiusd.conf(5)  

AUTHOR

Chris Parker, cparker@segv.org


 

Index

NAME
DESCRIPTION
CONFIGURATION
SECTIONS
FILES
SEE ALSO
AUTHOR

This document was created by man2html, using the manual pages.
Time: 07:34:21 GMT, September 13, 2011

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast