+++ /dev/null
-#
-# TACACS+ policies which make everything better.
-#
-
-tacacs_set_authentication_status {
- if (ok) {
- &reply.Authentication-Status = Pass
- } else {
- &reply.Authentication-Status = Fail
- }
-}
-
-tacacs_mschap {
- subrequest RADIUS.Access-Request {
- &request.User-Name := &parent.request.User-Name
-
- &control.Password.Cleartext := &parent.control.Password.Cleartext
-
- #
- # There's always a challenge
- #
- &request.Vendor-Specific.Microsoft.CHAP-Challenge := &parent.request.MS-CHAP-Challenge
-
- #
- # One of these two assignments will fail. Using "+="
- # is simpler than checking for it via "if" and then using ":="
- #
- &request.Vendor-Specific.Microsoft.CHAP-Response := &parent.request.MS-CHAP-Response
- &request.Vendor-Specific.Microsoft.CHAP2-Response := &parent.request.MS-CHAP2-Response
-
- mschap.authenticate
- }
-
- tacacs_set_authentication_status
-}
chap
}
+ #
+ # [NOTE]
+ # =====
+ # In order to use MSCHAP / MSCHAPv2 with TACACS, the instance of
+ # `rlm_mschap` being called must be configured correctly.
+ # The default configuration referrs to the attributes relevant to
+ # RADIUS. The attributes have different names in TACACS.
+ #
+ # If both RADIUS and TACACS virtual servers are defined and both
+ # are using `rlm_mschap`, then two instances of the module will
+ # need to be configured, one for each protocol.
+ #
+ # See the `mschap` module for more details.
+ #
authenticate MSCHAP {
- tacacs_mschap
+ mschap
}
authenticate MSCHAPv2 {
- tacacs_mschap
+ mschap
}
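Review bot: With `tacacs_mschap` replaced by a bare `mschap` call in `authenticate MSCHAP` and `authenticate MSCHAPv2`, nothing visible in these sections sets `reply.Authentication-Status` any more, and the added note itself says the default `mschap` instance refers to RADIUS attribute names. Please confirm that an instance left at the RADIUS defaults makes these sections end in a Fail status rather than leaving the status unset; presumably the module or the server core now maps the result, but that is not shown in the visible lines. The same question applies to the `tacacs_pap` to `pap` change in `authenticate ASCII` further down. In the added comment, `referrs` should read `refers`, and the note would be more useful with one line such as `# Point this instance's attribute references at the TACACS+ attributes before enabling MSCHAP here.` The enclosing server section begins and ends outside the visible lines.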
#
# the next packet (if the client provides it)
#
authenticate ASCII {
- tacacs_pap
+ pap
}
#