The eap_mschapv2 module implements EAP-MSCHAPv2 authentication. It is a submodule of eap and cannot be used on its own.
In order for this module to work, the main mschap module must also be configured. If there is no
This module decodes the EAP-MSCHAPv2 data into MSCHAPv2 attributes and mschap module to perform the
Depending on the configuration of the mschap module, the eap_mschapv2 module may call ntlm_auth as well. The result of the MSCHAPv2 authentication (success / fail) is returned to the EAP mschapv2 module, for encapsulation in
None. This is a sub-module of eap, and cannot be used on its own.
send_error = boolean
Prior to version 2.1.11, the module never sent the MS-CHAP-Error message to the supplicant. Issues arose when the cached password was incorrect. In these cases, the server should have sent MS-CHAP-Error = "E=691 R=0" to the supplicant, thus prompting the supplicant to send a message to the user requesting a new password.
The default is to maintain the earlier behavior, which has been proven to work properly. By contrast, if the default is changed to send_error = yes, then the error message is sent back to the supplicant. These error messages may help some supplicants to work better, but they may also cause other supplicants to stop working. The exact behavior depends on the supplicant, which is out of the control of FreeRADIUS.
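When send_error = yes is being evaluated, it helps to decode the MS-CHAP-Error strings that appear in debug output or packet captures. The following is an added example, not FreeRADIUS code: a decoder for the failure string such as "E=691 R=0", assuming the field layout and error codes of the MS-CHAPv2 Failure packet in RFC 2759. The function name parse_mschap_error is hypothetical, and the longer sample string in the usage comment is constructed.

```python
import re

# Error codes defined for the MS-CHAPv2 Failure packet (RFC 2759, section 6).
ERROR_CODES = {
    646: "ERROR_RESTRICTED_LOGON_HOURS",
    647: "ERROR_ACCT_DISABLED",
    648: "ERROR_PASSWD_EXPIRED",
    649: "ERROR_NO_DIALIN_PERMISSION",
    691: "ERROR_AUTHENTICATION_FAILURE",
    709: "ERROR_CHANGING_PASSWORD",
}

# Fixed fields: E=error code, R=retry flag, C=challenge (hex), V=version.
_FIELD = re.compile(r"\b([ERCV])=(\S+)")


def parse_mschap_error(value):
    """Decode an MS-CHAP-Error failure string into a dict (hypothetical helper)."""
    # M=<text> runs to the end of the string and may contain spaces,
    # so split it off before matching the fixed fields.
    head, sep, message = value.partition(" M=")
    fields = dict(_FIELD.findall(head))
    if "E" not in fields or not fields["E"].isdigit():
        raise ValueError("no E= error code in %r" % value)
    code = int(fields["E"])
    return {
        "code": code,
        "name": ERROR_CODES.get(code, "UNKNOWN"),
        "retry_allowed": fields.get("R") == "1",  # R=1 permits a retry, R=0 does not
        "challenge": fields.get("C"),
        "version": fields.get("V"),
        "message": message if sep else None,
    }


if __name__ == "__main__":
    # The value quoted on this page, then a constructed full-length sample.
    print(parse_mschap_error("E=691 R=0"))
    print(parse_mschap_error(
        "E=648 R=1 C=00112233445566778899aabbccddeeff V=3 M=Password expired"))
```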