Pass cleartext-password to exec module with EAP

Fajar A. Nugraha list at fajar.net
Sat Mar 3 16:31:52 CET 2012


On Sat, Mar 3, 2012 at 11:22 AM, Quentin Meulepas <me at kwint.in> wrote:
> I need to use an external script to check both username and password.
> We don't have the cleartext version of these passwords, which are encrypted in a PostgreSQL database...
> Although I'm running into troubles with the configuration files... And there's one major issue I can't seem to solve: EAP.
> I don't know how to pass the cleartext version of the entered password to the external script from the inner-tunnel of the EAP process.

If you use EAP-GTC or TTLS-PAP, you should have the cleartext password
that the user inputs inside the inner tunnel. But if you use a Windows
client, you need a third-party supplicant to be able to use those two
authentication protocols.

If you ONLY use EAP-PEAP-MSCHAP (the one Windows clients support by
default), then it's not possible as it doesn't pass the user's cleartext
password to RADIUS.

-- 
Fajar
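
An added example, not part of the original post or of FreeRADIUS: an external check script for the inner tunnel that accepts only when a cleartext password is present (EAP-GTC or TTLS-PAP) and rejects when it is absent (PEAP-MSCHAPv2). Assumptions: the exec module exports the request as the environment variables USER_NAME and USER_PASSWORD and treats exit status 0 as accept and 1 as reject; the database stores salted PBKDF2-HMAC-SHA256 hashes (the thread does not name the scheme); the in-memory `STORE` is a constructed stand-in for the PostgreSQL table.

```python
#!/usr/bin/env python3
import hashlib
import hmac
import os
import sys

OK, REJECT = 0, 1          # assumed exec exit-status mapping: 0 = accept, 1 = reject
ITERATIONS = 100_000       # assumed hashing parameters, not taken from the thread


def hash_password(password, salt, iterations=ITERATIONS):
    """Derive the stored form of a password (assumed scheme: PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# Constructed sample record standing in for a row of the PostgreSQL table.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
STORE = {"alice": (_SALT, hash_password("correct horse", _SALT))}


def check(username, password, store=STORE):
    """Return OK only if a cleartext password was supplied and matches the stored hash."""
    if not password:
        # No User-Password in the request: the inner method (e.g. MSCHAPv2)
        # never sends cleartext, so there is nothing to verify. Fail closed.
        return REJECT
    record = store.get(username or "")
    if record is None:
        # Unknown user: still do one derivation so timing does not reveal
        # which usernames exist.
        hash_password(password, b"\x00" * 16)
        return REJECT
    salt, expected = record
    candidate = hash_password(password, salt)
    # Constant-time comparison of the derived hash against the stored one.
    return OK if hmac.compare_digest(candidate, expected) else REJECT


def main(environ=os.environ):
    # Assumed variable names; confirm the exact names and value quoting that
    # your server version passes before relying on them.
    return check(environ.get("USER_NAME"), environ.get("USER_PASSWORD"))


if __name__ == "__main__":
    sys.exit(main())
```
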

