MS-CHAP: what password backends can be used?

Alain Fauconnet alain at
Thu May 11 09:03:29 CEST 2006

Thanks for your reply Alan,

On Thu, May 11, 2006 at 01:53:10AM -0400, Alan DeKok wrote:
> Alain Fauconnet <alain at> wrote:
> > I've browsed the FAQs, the mailing list archives but I have failed to
> > find a definite, clear answer to this: what kind of user/password
> > back-end can work if one is to support MS-CHAP?
>   I don't see why there was no clear answer.  The answer has been
> given many, many, times, and is always the same.  MS-CHAP works with
> clear-text passwords, or with NT-Passwords.  Nothing else.

Then I must have missed it. I probably have searched for the wrong
keywords... yes, I see now in the FAQ, I should have searched for
"chap" and not "ms-chap" or "mschap". Sorry.

> > I'm setting up a VPDN server on a Cisco AS5300 for Windows clients. It
> > works fine if I use PAP and no encryption. If I want to use
> > encryption, I need MS-CHAP, right?
>   What kind of encryption do you mean?  There are many kinds.

This PPTP so encryption is MPPE.
When you configure a Windows client for a VPN (PPTP)
connection, if you enable encryption and allow anything but MS-CHAP
and MS-CHAP-V2, it says that if anything else is used (such as PAP),
encryption will be disabled.

> > Right now my FreeRADIUS server is configured to use PAM.
>   Ugh.  That's not nice.  It's added complexity for no real benefit.

Well, I've inherited this installation and the Radius service is used
for a dozen different things so I have to be very careful not to break
anything. Anyway why is PAM so evil by itself? it adds a layer of
abstraction and makes it a single place to tweak things if the
authentication back-ends change. I understand that it defeats any
requirement to access the cleartext passwords, though.
> > The master source of authentication is /etc/passwd and /etc/shadow,
> > so passwords are in MD5 format.
>   MS-CHAP is impossible.

Roger that :-)

> > Is there any way I can get FreeRADIUS to handle MS-CHAP authentication
> > requests from the Cisco box in this context? (i'm kind of expecting a
> > big "no" here, but I want to be sure)
>   No.
> > If I'm not using Samba or a domain controller, do I need cleartext
> > passwords to achieve this? where? in the "users" file only?
>   The passwords can be obtained from any database.
> > In radiusd.conf, the "mschap" module has parameters for a Samba
> > smpasswd format file or invoking ntlm_auth. If neither is set, where
> > does it try to get the password from? I'm confused.
>   The mschap module no longer supports smbpasswd files.
>   The mschap module doesn't "try" to get the password.  It just does
> ms-chap authentication.  Databases get the password, and add it to the
> RADIUS request.  See doc/aaa.txt

OK, assuming I have a smbpasswd format file somewhere (not the case now), I should
configure the mschap *and* passwd modules, uncommenting out:

        #passwd etc_smbpasswd {
        #       filename = /etc/smbpasswd
        #       format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
        #       authtype = MS-CHAP
        #       hashsize = 100
        #       ignorenislike = no
        #       allowmultiplekeys = no

is that correct?


More information about the Freeradius-Users mailing list