ansible/roles/radius/files/raddb/modules/mschap

# -*- text -*-
#
#  $Id: 9e016a09a158f55bbc9b48876f0cb2b776b4cd96 $

# Microsoft CHAP authentication
#
#  This module supports MS-CHAP and MS-CHAPv2 authentication.
#  It also enforces the SMB-Account-Ctrl attribute.
#
mschap {
	#
	#  If you are using /etc/smbpasswd, see the 'passwd'
	#  module for an example of how to use /etc/smbpasswd

	# if use_mppe is not set to no mschap will
	# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
	# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
	#
#	use_mppe = no

	# if mppe is enabled require_encryption makes
	# encryption moderate
	#
#	require_encryption = yes

	# require_strong always requires 128 bit key
	# encryption
	#
#	require_strong = yes

	# Windows sends us a username in the form of
	# DOMAIN\user, but sends the challenge response
	# based on only the user portion.  This hack
	# corrects for that incorrect behavior.
	#
#	with_ntdomain_hack = no

	# The module can perform authentication itself, OR
	# use a Windows Domain Controller.  This configuration
	# directive tells the module to call the ntlm_auth
	# program, which will do the authentication, and return
	# the NT-Key.  Note that you MUST have "winbindd" and
	# "nmbd" running on the local machine for ntlm_auth
	# to work.  See the ntlm_auth program documentation
	# for details.
	#
	# If ntlm_auth is configured below, then the mschap
	# module will call ntlm_auth for every MS-CHAP
	# authentication request.  If there is a cleartext
	# or NT hashed password available, you can set
	# "MS-CHAP-Use-NTLM-Auth := No" in the control items,
	# and the mschap module will do the authentication itself,
	# without calling ntlm_auth.
	#
	# Be VERY careful when editing the following line!
	#
	# You can also try setting the user name as:
	#
	#	... --username=%{mschap:User-Name} ...
	#
	# In that case, the mschap module will look at the User-Name
	# attribute, and do prefix/suffix checks in order to obtain
	# the "best" user name for the request.
	#
#	ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

	# The default is to wait 10 seconds for ntlm_auth to
	# complete.  This is a long time, and if it's taking that
	# long then you likely have other problems in your domain.
	# The length of time can be decreased with the following
	# option, which can save clients waiting if your ntlm_auth
	# usually finishes quicker. Range 1 to 10 seconds.
	#
#	ntlm_auth_timeout = 10

	# For Apple Server, when running on the same machine as
	# Open Directory.  It has no effect on other systems.
	#
#	use_open_directory = yes

	# On failure, set (or not) the MS-CHAP error code saying
	# "retries allowed".
#	allow_retry = yes

	# An optional retry message.
#	retry_msg = "Re-enter (or reset) the password"
}
Add (free)radius role. 2017-02-21 20:20:04 +01:00			`# -- text --`
			`#`
			`# $Id: 9e016a09a158f55bbc9b48876f0cb2b776b4cd96 $`

			`# Microsoft CHAP authentication`
			`#`
			`# This module supports MS-CHAP and MS-CHAPv2 authentication.`
			`# It also enforces the SMB-Account-Ctrl attribute.`
			`#`
			`mschap {`
			`#`
			`# If you are using /etc/smbpasswd, see the 'passwd'`
			`# module for an example of how to use /etc/smbpasswd`

			`# if use_mppe is not set to no mschap will`
			`# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and`
			`# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2`
			`#`
			`# use_mppe = no`

			`# if mppe is enabled require_encryption makes`
			`# encryption moderate`
			`#`
			`# require_encryption = yes`

			`# require_strong always requires 128 bit key`
			`# encryption`
			`#`
			`# require_strong = yes`

			`# Windows sends us a username in the form of`
			`# DOMAIN\user, but sends the challenge response`
			`# based on only the user portion. This hack`
			`# corrects for that incorrect behavior.`
			`#`
			`# with_ntdomain_hack = no`

			`# The module can perform authentication itself, OR`
			`# use a Windows Domain Controller. This configuration`
			`# directive tells the module to call the ntlm_auth`
			`# program, which will do the authentication, and return`
			`# the NT-Key. Note that you MUST have "winbindd" and`
			`# "nmbd" running on the local machine for ntlm_auth`
			`# to work. See the ntlm_auth program documentation`
			`# for details.`
			`#`
			`# If ntlm_auth is configured below, then the mschap`
			`# module will call ntlm_auth for every MS-CHAP`
			`# authentication request. If there is a cleartext`
			`# or NT hashed password available, you can set`
			`# "MS-CHAP-Use-NTLM-Auth := No" in the control items,`
			`# and the mschap module will do the authentication itself,`
			`# without calling ntlm_auth.`
			`#`
			`# Be VERY careful when editing the following line!`
			`#`
			`# You can also try setting the user name as:`
			`#`
			`# ... --username=%{mschap:User-Name} ...`
			`#`
			`# In that case, the mschap module will look at the User-Name`
			`# attribute, and do prefix/suffix checks in order to obtain`
			`# the "best" user name for the request.`
			`#`
			`# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"`

			`# The default is to wait 10 seconds for ntlm_auth to`
			`# complete. This is a long time, and if it's taking that`
			`# long then you likely have other problems in your domain.`
			`# The length of time can be decreased with the following`
			`# option, which can save clients waiting if your ntlm_auth`
			`# usually finishes quicker. Range 1 to 10 seconds.`
			`#`
			`# ntlm_auth_timeout = 10`

			`# For Apple Server, when running on the same machine as`
			`# Open Directory. It has no effect on other systems.`
			`#`
			`# use_open_directory = yes`

			`# On failure, set (or not) the MS-CHAP error code saying`
			`# "retries allowed".`
			`# allow_retry = yes`

			`# An optional retry message.`
			`# retry_msg = "Re-enter (or reset) the password"`
			`}`