rlm_eap_mschapv2

Synopsis

The eap_mschapv2 module implements EAP-MSCHAPv2 authentication. It is a submodule of eap and cannot be used on its own.

Note
In order for this module to work, the main mschap module must also be configured. If there is no mschap listed in the authenticate section, then this module will not be able to authenticate users.

This module is the Microsoft implementation of MS-CHAPv2 in EAP. There is another (incompatible) implementation of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not currently support.

This module decodes the EAP-MSCHAPv2 data into MSCHAPv2 attributes and calls the mschap module to perform the MSCHAPv2 calculations. Depending on the configuration of the mschap module, the eap_mschapv2 module may call ntlm_auth as well. The result of the MSCHAPv2 authentication (success / fail) is returned to the eap_mschapv2 module, which encapsulates it in EAP.

Processing Sections

None. This is a sub-module of eap, and cannot be used on its own.

Expansions

None.

Directives

send_error

Syntax: send_error = boolean

Default: no

Description

Prior to version 2.1.11, the module never sent the MS-CHAP-Error message to the supplicant. Issues arose when the cached password was incorrect. In these cases, the server should have sent MS-CHAP-Error = "E=691 R=0" to the supplicant, prompting the supplicant to ask the user for a new password.

The default (send_error = no) keeps the earlier behavior, which is known to work properly. If send_error = yes is set instead, the error message is sent back to the supplicant. These error messages may help some supplicants to work better, but they may also cause other supplicants to stop working. The exact behavior depends on the supplicant, which is outside the control of FreeRADIUS.
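The following Python script is an added illustration of the two steps this page describes, the decoding of the EAP-MSCHAPv2 payload into MSCHAPv2 attributes and the effect of send_error on what the supplicant receives after a failed check. It is not FreeRADIUS code and does not reproduce the module's implementation: the packet layouts follow the public EAP-MSCHAPv2 draft (draft-kamath-pppext-eap-mschapv2) and the MS-CHAP2-Response / MS-CHAP-Error attribute layouts of RFC 2548, the behaviour on failure (a bare EAP-Failure when send_error = no, a Failure Request carrying the MS-CHAP-Error text with its Ident octet stripped when send_error = yes) is a simplified model, and the sample packet and error string are constructed here. No password check is performed; the script stops at the attribute boundary where the mschap module would take over.

```python
import struct

# EAP header codes and the EAP-MSCHAPv2 method type (draft-kamath-pppext-eap-mschapv2).
EAP_CODE_REQUEST, EAP_CODE_RESPONSE, EAP_CODE_FAILURE = 1, 2, 4
EAP_TYPE_MSCHAPV2 = 26
# MS-CHAPv2 op-codes carried inside the EAP payload.
OP_CHALLENGE, OP_RESPONSE, OP_SUCCESS, OP_FAILURE = 1, 2, 3, 4
RESPONSE_VALUE_SIZE = 49  # Peer-Challenge(16) + Reserved(8) + NT-Response(24) + Flags(1)


def decode_eap_mschapv2_response(packet: bytes) -> dict:
    """Decode an EAP-Response/MSCHAPv2 Response into the RADIUS-style attributes
    that the mschap module consumes (User-Name, MS-CHAP2-Response).

    Every length field is checked against the bytes actually present, so a
    truncated or oversized packet is rejected instead of being decoded partially.
    """
    if len(packet) < 5:
        raise ValueError("short EAP header")
    code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", packet[:5])
    if code != EAP_CODE_RESPONSE or eap_type != EAP_TYPE_MSCHAPV2:
        raise ValueError("not an EAP-Response/MSCHAPv2 packet")
    if eap_len != len(packet):
        raise ValueError("EAP Length does not match packet size")

    # MS-CHAPv2 part: OpCode, MS-CHAPv2-ID, MS-Length, Value-Size, Response, Name
    body = packet[5:]
    if len(body) < 5:
        raise ValueError("short MSCHAPv2 header")
    opcode, ms_id, ms_len, value_size = struct.unpack("!BBHB", body[:5])
    if opcode != OP_RESPONSE:
        raise ValueError(f"unexpected MSCHAPv2 OpCode {opcode}")
    if ms_len != len(body):
        raise ValueError("MS-Length does not match payload size")
    if value_size != RESPONSE_VALUE_SIZE or len(body) < 5 + RESPONSE_VALUE_SIZE:
        raise ValueError("malformed Response field")

    response = body[5:5 + RESPONSE_VALUE_SIZE]
    name = body[5 + RESPONSE_VALUE_SIZE:]
    peer_challenge, reserved, nt_response, flags = (
        response[:16], response[16:24], response[24:48], response[48:49])

    # RFC 2548 section 2.3.3 MS-CHAP2-Response layout:
    # Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) Response(24)
    ms_chap2_response = bytes([ms_id]) + flags + peer_challenge + reserved + nt_response
    return {
        "EAP-Id": eap_id,
        "MS-CHAPv2-Id": ms_id,
        "User-Name": name.decode("utf-8", errors="replace"),
        "MS-CHAP2-Response": ms_chap2_response,
    }


def encode_eap_mschapv2_response(eap_id, ms_id, peer_challenge, nt_response, name, flags=0):
    """Build an EAP-Response/MSCHAPv2 Response; used here only to construct sample input."""
    if len(peer_challenge) != 16 or len(nt_response) != 24:
        raise ValueError("bad field sizes")
    response = peer_challenge + bytes(8) + nt_response + bytes([flags])
    ms_len = 5 + len(response) + len(name)
    body = struct.pack("!BBHB", OP_RESPONSE, ms_id, ms_len, RESPONSE_VALUE_SIZE) + response + name
    return struct.pack("!BBHB", EAP_CODE_RESPONSE, eap_id, 5 + len(body), EAP_TYPE_MSCHAPV2) + body


def build_failure(eap_id, ms_id, ms_chap_error, send_error):
    """Turn a failed mschap result into the EAP packet sent to the supplicant (simplified model).

    ms_chap_error is an MS-CHAP-Error attribute value (RFC 2548 section 2.1.6):
    one Ident octet followed by text such as "E=691 R=0 ... M=...".
    eap_id is the identifier the caller has chosen for this packet.
    """
    if not send_error:
        # send_error = no: a bare EAP-Failure; the MS-CHAP-Error text is never forwarded.
        return struct.pack("!BBH", EAP_CODE_FAILURE, eap_id, 4)
    text = ms_chap_error[1:]  # strip the RADIUS Ident octet; EAP carries only the text
    body = struct.pack("!BBH", OP_FAILURE, ms_id, 4 + len(text)) + text
    return struct.pack("!BBHB", EAP_CODE_REQUEST, eap_id, 5 + len(body), EAP_TYPE_MSCHAPV2) + body


# Constructed sample: a Response from user "bob" with a fixed peer challenge and NT-Response.
SAMPLE_RESPONSE = encode_eap_mschapv2_response(
    eap_id=3, ms_id=7, peer_challenge=bytes(range(16)), nt_response=b"\xaa" * 24, name=b"bob")
# Constructed MS-CHAP-Error value: Ident octet 7, then the error text.
SAMPLE_ERROR = b"\x07" + b"E=691 R=0 V=3 M=Bad password"

if __name__ == "__main__":
    attrs = decode_eap_mschapv2_response(SAMPLE_RESPONSE)
    print(attrs["User-Name"], attrs["MS-CHAP2-Response"].hex())
    print("send_error = no :", build_failure(4, 7, SAMPLE_ERROR, send_error=False).hex())
    print("send_error = yes:", build_failure(4, 7, SAMPLE_ERROR, send_error=True).hex())
```

Running the script prints the 50-octet MS-CHAP2-Response that the mschap module would check, followed by the two possible failure packets: with send_error = no the supplicant only ever sees a four-octet EAP-Failure, so the E=691 code that tells it to prompt for a new password is lost; with send_error = yes it receives a Failure Request carrying that text. The length checks in the decoder are the part worth copying: an EAP Length or MS-Length that disagrees with the bytes on the wire is rejected outright rather than read past.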