MSCHAPv2 Module with Stripped-Username - no ActiveDirectory
aland at deployingradius.com
Sat Nov 10 20:45:16 CET 2018
On Nov 9, 2018, at 5:54 PM, Markus Maurer <lists at v-net.tk> wrote:
> thank you very much for the fast answer! :)
> I thought it‘s not possible to put the otp in the password-attribute, as it comes as an mschap challenge, and not in cleartext - so the server cant match the password anymore?!
True. Which is why most people use PAP for OTP.
> Is it possible to modify the eap identity before its getting to the eap module?
Sure. But again... the MS-CHAP calculations are done on the User-Name as supplied by the end user. Modifying things on the RADIUS server won't affect the calculations done by the end user.
> I got a similar setup working with AD, but I call the ntlm_auth with a stripped-username there, thats why it is working there.
Why not just do the MS-CHAP calculations on the whole User-Name? Why strip off the OTP?
More information about the Freeradius-Users