Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

rlm_realm(5) [centos man page]

rlm_realm(5)							 FreeRADIUS Module						      rlm_realm(5)

NAME

       rlm_realm - FreeRADIUS Module

DESCRIPTION

       The  rlm_realm module parses the User-Name attribute into a User section and a Realm section.  This is used primarily in a proxy situation,
       however, Realms can also be used locally to provide different service profiles based on the Realm being used.

       The main configuration items to be aware of are:

       format This can be either 'prefix' or 'suffix'.	It specifies whether the Realm is before or  after  the  User  portion	in  the  User-Name
	      string.

       delimiter
	      A single character in quotes, which is used as the delimiting character that separates the Realm and User sections of the string.

       ignore_default
	      This  is	set  to  either  'yes'	or 'no'.  If set to 'yes', this will prevent the module instance from matching a realm against the
	      DEFAULT entry.  This may be useful if you have multiple realm module instances.  The default is 'no'.

       ignore_null
	      This is set to either 'yes' or 'no'.  If set to 'yes', this will prevent the module instance from matching a realm against the  NULL
	      entry.  This may be useful if you have multiple realm module instances.  The default is 'no'.

       This  module  parses  the  realm from the User-Name attrbiute according to the instance configuration, and then performs a lookup to find a
       matching realm in the '/etc/raddb/proxy.conf' file.  Depending on the configuration of the Realm as matched in the file, the  username  may
       be  rewritten  in  a  'stripped'  format, or with the Realm portion removed.  In either case, a Realm attribute is created and added to the
       packet on a match, which can be used by other modules.

CONFIGURATION

       modules {
	 ... stuff here ...
	 # useranme@realm syntax
	 realm suffix {
	   format = suffix
	   delimiter = "@"
	 }
	  # realm/username syntax
	  realm prefix {
	   format = prefix
	   delimiter = "/"
	 }
	 ... stuff here ...
       }

SECTIONS

       authorization, pre-accounting

FILES

       /etc/raddb/radiusd.conf, /etc/raddb/proxy.conf

SEE ALSO

       radiusd(8), radiusd.conf(5), proxy.conf(5)

AUTHORS

       Chris Parker, cparker@segv.org

								   14 March 2004						      rlm_realm(5)

Check Out this Related Man Page

rlm_mschap(5)							 FreeRADIUS Module						     rlm_mschap(5)

NAME

       rlm_mschap - FreeRADIUS Module

DESCRIPTION

       The rlm_mschap module provides MS-CHAP and MS-CHAPv2 authentication support.

       This module validates a user with MS-CHAP or MS-CHAPv2 authentication.  If called in Authorize, it will look for MS-CHAP Challenge/Response
       attributes in the Acess-Request and adds an Auth-Type attribute set to MS-CHAP in the Config-Items list unless Auth-Type has already set.

       The module can authenticate the	MS-CHAP  session  via  plain-text  passwords  (User-Password  attribute),  or  NT  passwords  (NT-Password
       attribute).  The module cannot perform authentication against an NT domain.

       The  module  also enforces the SMB-Account-Ctrl attribute.  See the Samba documentation for the meaning of SMB account control.	The module
       does not read Samba password files.  Instead, the fIrlm_passwd module can be used to read a Samba password file, and supply an  NT-Password
       attribute which this module can use.

       The main configuration items to be aware of are:

       authtype
	      This is the string used to set the authtype.  Normally it should be left to the default value of MS-CHAP.

       use_mppe
	      Unless this is set to 'no', FreeRADIUS will add MS-CHAP-MPPE-Keys for MS-CHAPv1 and MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2.
	      The default is 'yes'.

       require_encryption
	      If MPPE is enabled, setting this attribute to 'yes' will cause the MS-MPPE-Encryption-Policy attribute to be set to require  encryp-
	      tion.  The default is 'no'.

       require_strong
	      If MPPE is enabled, setting this attribute to 'yes' will cause the MS-MPPE-Encryption-Types attribute to be set to require a 128 bit
	      key.  The default is 'no'.

       with_ntdomain_hack
	      Windows clients send User-Name in the form of "DOMAINUser", but send the challenge/response based only on the User  portion.   Set-
	      ting this value to yes, enables a work-around for this error.  The default is 'no'.

CONFIGURATION

       modules {
	 ...
	 mschap {
	    authtype = MS-CHAP
	    use_mppe = yes
	 }
	 ...
       }
	...
       authorize {
	 ...
	 mschap
	 ...
       }
	...
       authenticate {
	 ...
	 mschap
	 ...
       }

SECTIONS

       authorization, authentication

FILES

       /etc/raddb/radiusd.conf

SEE ALSO

       radiusd(8), radiusd.conf(5)

AUTHOR

       Chris Parker, cparker@segv.org

								   13 March 2004						     rlm_mschap(5)
Man Page