Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
Alan DeKok
aland at deployingradius.com
Sun Feb 15 09:17:30 CET 2009
Fabiano wrote:
> Can you point me to a document or website where the following mechanism
> is described well ?
>
> ie MSCHAPv2 Radius Client -> Freeradius does the MSCHAPv2 challenge ? ->
> auth is delegated to external script receiving attributes like username
> and password in clear -> external script gives the auth ok answer ->
> Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.
MS-CHAP doesn't work this way. You CANNOT give a cleartext password
to an external script by looking at the MS-CHAP data. It is *impossible*.
> The part I don't understand is how does this MSCHAPv2 auth work in
> Freeradius, and how the external script could get the attributes when
> the MSCHAPv2 challenge password is encrypted ? Does it mean that I have
> to implement the MSCHAPv2 challenge auth by myself, entirely in the
> external script ?
No. You tell the server what the correct password is, and it does the
MS-CHAP calculations to authenticate the user.
> Concerning the cleartext password;
> In your previous message, you say : "get it from somewhere" but I can'
> figure out how...
A database? You should know what the *correct* password is, otherwise
you don't be able to authenticate the user.
Alan DeKok.
More information about the Freeradius-Users
mailing list