A6. Configure Freeradius for MSCHAPv2 on Fedora 4 / 5 / 6
(last update: 19 May 2007)

Edit /etc/raddb/radiusd.conf to enable MSCAHP2. Open the file and locate the module section and then the mschap subsection.

modules {

        ....[snip]....

        mschap {
                authtype = MS-CHAP
                use_mppe = yes
                require_encryption = yes
                require_strong = yes
                ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        }

        ....[snip]....

}

The mschap option in the authorize and authenticate sections is enabled by default. If they are not, enable them accordingly. Save the file.

The radius server has a secret key for security. The default key for freeradius is testing123. It is a good idea to change it for obvious security reasons. The key is in /etc/raddb/clients.conf.

client 127.0.0.1 {
        #
        #  The shared secret use to "encrypt" and "sign" packets between
        #  the NAS and FreeRADIUS.  You MUST change this secret from the
        #  default, otherwise it's not a secret any more!
        #
        #  The secret can be any string, up to 32 characters in length.
        #
        secret          = testing123 

        ....[snip]....

Note: if you change the secret key, you must modify the /etc/radiusclient/servers so that they match each other.