CHAP Authentication with rlm_perl module

Alan DeKok aland at
Fri May 15 17:00:08 CEST 2020

On May 14, 2020, at 7:00 PM, Imdad Hasan <imdadalikadiwala0 at> wrote:
> i am using perl module, its working all like exec module but no doubt its
> increased the performance on high load. But i have some queries when i use
> CHAP authentication method with perl module.

  The answer is "don't do CHAP with Perl".  Instead, let FreeRADIUS do the authentication.

> In CHAP authentication i can't verify the password with Cleartext-Password,
> right?

  You can.  The CHAP module takes care of this.

> That's why i set RADCHECK attribute Cleartext-Password="password" and after
> that freeradius verify them with authenticator and all. and if password
> doesn't matched than its return Reject.

  Yes, that works.

> But if i want to accept those user ( who have wrong password ) with special
> disabled framed-ip than how can i??

  It's easy, but a little weird.  In the "authenticate" section, do:

	Auth-Type CHAP {
		chap {
			reject = 1
		if (reject) {
			update reply {
				Framed-IP-Address :=

  And that should do it.

  Then, make sure that you're not over-writing that Framed-IP-Address later.

  Alan DeKok.

More information about the Freeradius-Users mailing list