MS-CHAP: what password backends can be used?

Alan DeKok aland at
Thu May 11 07:53:10 CEST 2006

Alain Fauconnet <alain at> wrote:
> I've browsed the FAQs, the mailing list archives but I have failed to
> find a definite, clear answer to this: what kind of user/password
> back-end can work if one is to support MS-CHAP?

  I don't see why there was no clear answer.  The answer has been
given many, many times, and is always the same.  MS-CHAP works with
clear-text passwords, or with NT-Passwords.  Nothing else.

> I'm setting up a VPDN server on a Cisco AS5300 for Windows clients. It
> works fine if I use PAP and no encryption. If I want to use
> encryption, I need MS-CHAP, right?

  What kind of encryption do you mean?  There are many kinds.

> Right now my FreeRADIUS server is configured to use PAM.

  Ugh.  That's not nice.  It's added complexity for no real benefit.

> The master source of authentication is /etc/passwd and /etc/shadow,
> so passwords are in MD5 format.

  MS-CHAP is impossible.

> Is there any way I can get FreeRADIUS to handle MS-CHAP authentication
> requests from the Cisco box in this context? (I'm kind of expecting a
> big "no" here, but I want to be sure)


> If I'm not using Samba or a domain controller, do I need cleartext
> passwords to achieve this? Where? In the "users" file only?

  The passwords can be obtained from any database.

> In radiusd.conf, the "mschap" module has parameters for a Samba
> smbpasswd format file or invoking ntlm_auth. If neither is set, where
> does it try to get the password from? I'm confused.

  The mschap module no longer supports smbpasswd files.

  The mschap module doesn't "try" to get the password.  It just does
ms-chap authentication.  Databases get the password, and add it to the
RADIUS request.  See doc/aaa.txt

  Alan DeKok.
