MS-CHAP: what password backends can be used?
alain at ait.ac.th
Thu May 11 06:37:09 CEST 2006
I've browsed the FAQs and the mailing list archives, but I have failed to
find a definite, clear answer to this: what kind of user/password
back-end can work if one is to support MS-CHAP? Is anything storing
crypt or MD5 passwords (/etc/passwd+shadow, NIS, LDAP) hopeless? (I
suspect it is)

I'm setting up a VPDN server on a Cisco AS5300 for Windows clients. It
works fine if I use PAP and no encryption. If I want to use
encryption, I need MS-CHAP, right?

Right now my FreeRADIUS server is configured to use PAM. It runs on a
box that is a NIS master, as well as an LDAP server with a directory
built from NIS data using the well-known migration scripts (but
FreeRADIUS doesn't talk to LDAP now). The master source of
authentication is /etc/passwd and /etc/shadow, so passwords are in MD5.

Is there any way I can get FreeRADIUS to handle MS-CHAP authentication
requests from the Cisco box in this context? (I'm kind of expecting a
big "no" here, but I want to be sure)

If I'm not using Samba or a domain controller, do I need cleartext
passwords to achieve this? Where? In the "users" file only?

In radiusd.conf, the "mschap" module has parameters for a Samba
smbpasswd format file or invoking ntlm_auth. If neither is set, where
does it try to get the password from? I'm confused.

Thanks for any reply, pointers etc.