MSCHAPv2 Module with Stripped-Username - no ActiveDirectory

Alan DeKok aland at
Sat Nov 10 20:45:16 CET 2018

On Nov 9, 2018, at 5:54 PM, Markus Maurer <lists at> wrote:
> thank you very much for the fast answer! :)
> I thought it‘s not possible to put the otp in the password-attribute, as it comes as an mschap challenge, and not in cleartext - so the server cant match the password  anymore?!

  True.  Which is why most people use PAP for OTP.

> Is it possible to modify the eap identity before its getting to the eap module?

  Sure.  But again... the MS-CHAP calculations are done on the User-Name as supplied by the end user.  Modifying things on the RADIUS server won't affect the calculations done by the end user.

> I got a similar setup working with AD, but I call the ntlm_auth with a stripped-username there, thats why it is working there.

  Why not just do the MS-CHAP calculations on the whole User-Name?  Why strip off the OTP?

  Alan DeKok.

More information about the Freeradius-Users mailing list