MS-CHAP: what password backends can be used?

Alain Fauconnet alain at ait.ac.th
Thu May 11 06:37:09 CEST 2006


Hello readers,

I've browsed the FAQs and the mailing list archives, but I have failed to
find a definite, clear answer to this: what kind of user/password
back-end can work if one is to support MS-CHAP? Is anything storing
crypt or MD5 passwords (/etc/passwd+shadow, NIS, LDAP) hopeless? (I
suspect it is)

I'm setting up a VPDN server on a Cisco AS5300 for Windows clients. It
works fine if I use PAP and no encryption. If I want to use
encryption, I need MS-CHAP, right?

Right now my FreeRADIUS server is configured to use PAM. It runs on a
box that is a NIS master, as well as an LDAP server with a directory
built from NIS data using the well-known migration scripts (but
FreeRADIUS doesn't talk to LDAP now). The master source of
authentication is /etc/passwd and /etc/shadow, so passwords are in MD5
format.

Is there any way I can get FreeRADIUS to handle MS-CHAP authentication
requests from the Cisco box in this context? (I'm kind of expecting a
big "no" here, but I want to be sure)

If I'm not using Samba or a domain controller, do I need cleartext
passwords to achieve this? Where? In the "users" file only?

In radiusd.conf, the "mschap" module has parameters for a Samba
smbpasswd format file or invoking ntlm_auth. If neither is set, where
does it try to get the password from? I'm confused.

Thanks for any reply, pointers etc.
Greets,
_Alain_



More information about the Freeradius-Users mailing list