
This document is a Mac OS X manual page. Manual pages are a command-line technology for providing documentation. You can view these manual pages locally using the man(1) command. These manual pages come from many different sources, and thus, have a variety of writing styles.

This manual page is associated with Mac OS X Server. It is not available on standard Mac OS X (client) installations.

For more information about the manual page format, see the manual page for manpages(5).



rlm_mschap(5)                                 FreeRADIUS Module                                rlm_mschap(5)



NAME
       rlm_mschap - FreeRADIUS Module

DESCRIPTION
       The rlm_mschap module provides MS-CHAP and MS-CHAPv2 authentication support.

       This  module  validates a user with MS-CHAP or MS-CHAPv2 authentication.  It should be listed in both
       the authorize and authenticate sections.  In authorize, it will look for  MS-CHAP  Challenge/Response
       attributes  in  the  Access-Request, and configure itself to be the module called for the authenticate
       section.

       The module can authenticate the MS-CHAP session via plain-text passwords  (User-Password  attribute),
       or  NT passwords (NT-Password attribute).  The module can perform authentication against an NT domain
       by using the ntlm_auth program.

SMB Integration
       The module also enforces the SMB-Account-Ctrl attribute.  See the Samba documentation for the meaning
       of SMB account control.  The module does not read Samba password files.  Instead, the rlm_passwd
       module should be used to read a Samba password file, and to supply an NT-Password attribute which this
       module can use.  See the etc_smbpasswd module in radiusd.conf for more details.

MODULE CONFIGURATION
       The main configuration items to be aware of are:

       use_mppe
              Unless  this  is set to 'no', FreeRADIUS will add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
              MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2.  The default is 'yes'.

       require_encryption
              If MPPE is enabled, setting this attribute to 'yes' will cause  the  MS-MPPE-Encryption-Policy
              attribute to be set to require encryption.  The default is 'no'.

       require_strong
              If  MPPE  is  enabled, setting this attribute to 'yes' will cause the MS-MPPE-Encryption-Types
              attribute to be set to require a 128 bit key.  The default is 'no'.

       with_ntdomain_hack
              Windows clients send User-Name in the form of "DOMAIN\User", but send  the  challenge/response
              based  only  on  the  User portion.  Setting this value to 'yes' enables a work-around for this
              error.  The default is 'no'.

       ntlm_auth
              Use the ntlm_auth program for authentication against Samba, or a Windows NT or Active Directory
              Domain Controller.  For machine authentication, the following configuration should be used:

              ntlm_auth = "/path/to/ntlm_auth --username=%{mschap:User-Name:-None} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --domain=%{mschap:NT-Domain:-YOUR_DEFAULT_DOMAIN}"

              If configured, ntlm_auth will always be called, even if there is a clear-text or NT-Password
              available for the user.  You can force ntlm_auth to not be used by setting
              MS-CHAP-Use-NTLM-Auth := No in the users file, or in a database such as SQL.
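
       The mismatch that with_ntdomain_hack works around, shown for MS-CHAPv2 as an added example (not
       FreeRADIUS code): RFC 2759 mixes the user name into the 8-octet challenge hash, so a server hashing
       "DOMAIN\User" cannot match a client that hashed only "User". The function names, challenges and the
       EXAMPLE\alice account are constructed for illustration.

```python
import hashlib
import hmac


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 octets of SHA1(peer || authenticator || user name)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 octets each")
    data = peer_challenge + auth_challenge + user_name.encode("ascii")
    return hashlib.sha1(data).digest()[:8]


def strip_nt_domain(user_name: str) -> str:
    """Return the User portion of DOMAIN\\User; names without a domain pass through."""
    _, sep, user = user_name.partition("\\")
    return user if sep else user_name


def server_challenge_matches(radius_user_name: str, client_hash: bytes,
                             peer: bytes, auth: bytes, ntdomain_hack: bool) -> bool:
    """Recompute the challenge hash the way a server would, with or without the work-around."""
    name = strip_nt_domain(radius_user_name) if ntdomain_hack else radius_user_name
    return hmac.compare_digest(challenge_hash(peer, auth, name), client_hash)


# Constructed sample values (not taken from a real exchange).
PEER = bytes(range(16))             # peer challenge chosen by the client
AUTH = bytes(range(16, 32))         # authenticator challenge sent by the server
RADIUS_USER_NAME = "EXAMPLE\\alice"  # what arrives in the User-Name attribute
# The Windows client hashes only the User portion, as the option text describes.
CLIENT_HASH = challenge_hash(PEER, AUTH, "alice")

if __name__ == "__main__":
    for hack in (False, True):
        ok = server_challenge_matches(RADIUS_USER_NAME, CLIENT_HASH, PEER, AUTH, hack)
        print(f"with_ntdomain_hack={'yes' if hack else 'no'}: challenge hash matches = {ok}")
```

       The challenge hash is the input to the NT-Response calculation, so a mismatch here means the
       response the server derives can never equal the one the client sent.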


SECTIONS
       authorization, authentication


FILES
       /etc/raddb/radiusd.conf


SEE ALSO
       radiusd(8), radiusd.conf(5)

AUTHOR
       Chris Parker, cparker@segv.org




                                                 19 May 2006                                   rlm_mschap(5)
