robin.thoni
/
docker-radius-server
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
2 Branches
Tree: e697c55e02
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e697c55e02'
${ noResults }
docker-radius-server/freeradius/config/modules/mschap

mschap 2.9KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687 
  1. # -*- text -*-

  2. #

  3. #  $Id: 9e016a09a158f55bbc9b48876f0cb2b776b4cd96 $

  4. 

  5. # Microsoft CHAP authentication

  6. #

  7. #  This module supports MS-CHAP and MS-CHAPv2 authentication.

  8. #  It also enforces the SMB-Account-Ctrl attribute.

  9. #

  10. mschap {

  11. 	#

  12. 	#  If you are using /etc/smbpasswd, see the 'passwd'

  13. 	#  module for an example of how to use /etc/smbpasswd

  14. 

  15. 	# if use_mppe is not set to no mschap will

  16. 	# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and

  17. 	# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2

  18. 	#

  19. 	use_mppe = yes

  20. 

  21. 	# if mppe is enabled require_encryption makes

  22. 	# encryption moderate

  23. 	#

  24. 	require_encryption = yes

  25. 

  26. 	# require_strong always requires 128 bit key

  27. 	# encryption

  28. 	#

  29. 	require_strong = yes

  30. 

  31. 	# Windows sends us a username in the form of

  32. 	# DOMAIN\user, but sends the challenge response

  33. 	# based on only the user portion.  This hack

  34. 	# corrects for that incorrect behavior.

  35. 	#

  36. #	with_ntdomain_hack = no

  37. 

  38. 	# The module can perform authentication itself, OR

  39. 	# use a Windows Domain Controller.  This configuration

  40. 	# directive tells the module to call the ntlm_auth

  41. 	# program, which will do the authentication, and return

  42. 	# the NT-Key.  Note that you MUST have "winbindd" and

  43. 	# "nmbd" running on the local machine for ntlm_auth

  44. 	# to work.  See the ntlm_auth program documentation

  45. 	# for details.

  46. 	#

  47. 	# If ntlm_auth is configured below, then the mschap

  48. 	# module will call ntlm_auth for every MS-CHAP

  49. 	# authentication request.  If there is a cleartext

  50. 	# or NT hashed password available, you can set

  51. 	# "MS-CHAP-Use-NTLM-Auth := No" in the control items,

  52. 	# and the mschap module will do the authentication itself,

  53. 	# without calling ntlm_auth.

  54. 	#

  55. 	# Be VERY careful when editing the following line!

  56. 	#

  57. 	# You can also try setting the user name as:

  58. 	#

  59. 	#	... --username=%{mschap:User-Name} ...

  60. 	#

  61. 	# In that case, the mschap module will look at the User-Name

  62. 	# attribute, and do prefix/suffix checks in order to obtain

  63. 	# the "best" user name for the request.

  64. 	#

  65. #	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

  66. 

  67. 	# The default is to wait 10 seconds for ntlm_auth to

  68. 	# complete.  This is a long time, and if it's taking that

  69. 	# long then you likely have other problems in your domain.

  70. 	# The length of time can be decreased with the following

  71. 	# option, which can save clients waiting if your ntlm_auth

  72. 	# usually finishes quicker. Range 1 to 10 seconds.

  73. 	#

  74. #	ntlm_auth_timeout = 10

  75. 

  76. 	# For Apple Server, when running on the same machine as

  77. 	# Open Directory.  It has no effect on other systems.

  78. 	#

  79. #	use_open_directory = yes

  80. 

  81. 	# On failure, set (or not) the MS-CHAP error code saying

  82. 	# "retries allowed".

  83. #	allow_retry = yes

  84. 

  85. 	# An optional retry message.

  86. #	retry_msg = "Re-enter (or reset) the password"

  87. }