plain-text password not get with CHAP

Herwin Weststrate herwin at quarantainenet.nl
Wed Dec 19 11:57:27 CET 2018


On 19-12-18 11:51, Imdad Hasan wrote:
> Respected All,
> 
> I using Default *Auth-Type = Accept* and *php external script* for custom
> authentication. That is working fine with only pap in PPPoE, But not
> working with CHAP, MS-CHAPv2 etc.
> 
> I found one reason was the external script not get the plain-text
> password.Usually i get password in external php script with
> *trim(getenv('USER_PASSWORD'),'"');
> *this env variable.
> 
> So, any way to get plain-text password in external script when chap is on
> in mikrotik?

No, simply because CHAP and MSCHAP don't send the plaintext password,
but hashes of the password.

If you have access to the plaintext password in PHP, you could add this
to the config list and let the chap/mschap modules take care of it (but
then it would be unlikely you really needed PHP in the first place),
otherwise you're out of luck.

See http://deployingradius.com/documents/protocols/compatibility.html
for a list of possible password hashing compatibilities.

-- 
Herwin Weststrate



More information about the Freeradius-Users mailing list