rlm_mschap(5)		       FreeRADIUS Module		 rlm_mschap(5)



NAME
       rlm_mschap - FreeRADIUS Module

DESCRIPTION
       The  rlm_mschap	module	provides  MS-CHAP and MS-CHAPv2 authentication
       support.

       This module validates a user with MS-CHAP or MS-CHAPv2  authentication.
       If called in Authorize, it will look for MS-CHAP Challenge/Response at-
       tributes in the Acess-Request and adds an Auth-Type  attribute  set  to
       MS-CHAP in the Config-Items list unless Auth-Type has already set.

       The  module  can  authenticate the MS-CHAP session via plain-text pass-
       words (User-Password attribute), or NT  passwords  (NT-Password	attri-
       bute).  The module cannot perform authentication against an NT domain.

       The module also enforces the SMB-Account-Ctrl attribute.  See the Samba
       documentation for the meaning of SMB account control.  The module  does
       not read Samba password files.  Instead, the fIrlm_passwd module can be
       used to read a Samba password file, and supply an NT-Password attribute
       which this module can use.

       The main configuration items to be aware of are:

       authtype
	      This is the string used to set the authtype.  Normally it should
	      be left to the default value of MS-CHAP.

       use_mppe
	      Unless this is set to 'no', FreeRADIUS  will  add  MS-CHAP-MPPE-
	      Keys for MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-
	      CHAPv2.  The default is 'yes'.

       require_encryption
	      If MPPE is enabled, setting this attribute to 'yes'  will  cause
	      the MS-MPPE-Encryption-Policy attribute to be set to require en-
	      cryption.  The default is 'no'.

       require_strong
	      If MPPE is enabled, setting this attribute to 'yes'  will  cause
	      the  MS-MPPE-Encryption-Types  attribute	to be set to require a
	      128 bit key.  The default is 'no'.

       with_ntdomain_hack
	      Windows clients send User-Name in the form of "DOMAIN\User", but
	      send  the  challenge/response  based  only  on the User portion.
	      Setting this value to yes, enables a work-around for this error.
	      The default is 'no'.

CONFIGURATION
       modules {
	 ...
	 mschap {
	    authtype = MS-CHAP
	    use_mppe = yes
	 }
	 ...
       }
	...
       authorize {
	 ...
	 mschap
	 ...
       }
	...
       authenticate {
	 ...
	 mschap
	 ...
       }

SECTIONS
       authorization, authentication

FILES
       /etc/raddb/radiusd.conf

SEE ALSO
       radiusd(8), radiusd.conf(5)

AUTHOR
       Chris Parker, cparker@segv.org




				 13 March 2004			 rlm_mschap(5)