<div dir="ltr"><div><div>My apologies. I got the protocols mixed up. But yes, you all understood my question perfectly. I have been able to use TTLS/PAP, which is supported by Windows>=8 out of the box, because I can pass the user/pass combo to my external script. For the users < Win 8, I was looking to get PEAP/MSCHAP working, but as you say radius needs either the clear text password or the NTLM hash. I have neither, as my python script needs user/pass to validate against the external source.<br>
</div><br></div>If I understand correctly, if I switch to LDAP and get rid of the script altogether, radius will work with both TTLS/PAP &<br><div><div>PEAP/MSCHAP. Is this correct? I believe I have to enable ldap on the inner tunnel. <br>
<br><br></div><div>Now, assuming I stick with the script and support TTLS/PAP only, I wanted to understand how radius distinguishes between the two types of requests. I did not mention it earlier, but I have another script that does MOTP in the same radius server. At the moment I use realms to distinguish between the two, but I'm pretty sure there is an elegant way to let radius work it out itself. My users file contains something like this:<br>
<br><pre><code class="">DEFAULT Suffix == "@8021x",</code><code> </code>Auth-Type = Accept<br> Exec-Program-Wait = "/path/to/my8021xscript.py %{Stripped-User-Name} %{User-Password}<br></pre></div>
<div><br><pre><code class="">DEFAULT Suffix == "@motp",</code><code> </code>Auth-Type = Accept<br> Exec-Program-Wait = "/path/to/mymotpscript.py %{Stripped-User-Name} %{User-Password}<br></pre><br>
</div><div>I have defined these two realms in proxy.conf.<br><br></div><div>Many Thanks.<br></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On 13 November 2013 17:07, Alan DeKok <span dir="ltr"><<a href="mailto:aland@deployingradius.com" target="_blank">aland@deployingradius.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">Prash K wrote:<br>
> I have searched high and low but I could not find an answer to my problem.<br>
> It may be a very simple problem for the expert users out here. Basically<br>
> I'm using radius server to perform 802.1x authentication.<br>
<br>
</div> Which should be easy.<br>
<div class="im"><br>
> In my set up, I use an external authentication script (written in<br>
> python) which accepts user and password.<br>
<br>
</div> Which won't work<br>
<div class="im"><br>
> I have successfully proven this<br>
> set up on eapol_test with EAP-TTLS (PEAP).<br>
<br>
</div> I think you mean TTLS / PAP. PEAP is very different.<br>
<div class="im"><br>
> I perform exec in post-auth<br>
> section of default. Something like this in users:<br>
><br>
> Auth-Type = Accept<br>
> Exec-Program-Wait = "/path/to/myscript.py %{User-Name} %{User-Password}"<br>
><br>
> This works fine with EAP-TTLS (PEAP). But as you know Windows built in<br>
> supplicant defaults to CHAP.<br>
<br>
</div> No. It defaults to PEAP / MSCHAP.<br>
<br>
PLEASE use the right terminology. It matters a LOT.<br>
<div class="im"><br>
> So I'm keen to get that working. I<br>
> understand that freeradius needs to know the password<br>
> (Cleartext-Password) but I can't set that in users file. I don't use<br>
> ldap or sql modules.<br>
<br>
</div> You will need to use LDAP or SQL. Sorry.<br>
<div class="im"><br>
> I can amend my script to print the password once it has authenticated<br>
> against the external source. But how do I call my script and set the<br>
> Cleartext-Password (using the script output) so that CHAP could be<br>
> performed?<br>
<br>
</div> You can't. It's impossible.<br>
<span class="HOEnZb"><font color="#888888"><br>
Alan DeKok.<br>
</font></span><div class="HOEnZb"><div class="h5">-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br></div>
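Added example, not the poster's script or anything from the FreeRADIUS project: the shape of an external authenticator called through Exec-Program-Wait as in the users entries above. FreeRADIUS expands %{Stripped-User-Name} and %{User-Password} into argv and treats exit status 0 as success and non-zero as a failure; the credential store, salt and user are constructed stand-ins for the "external source".

```python
"""External TTLS/PAP authenticator for Exec-Program-Wait (added example).

This only works for PAP inside the TTLS tunnel, where the server holds the
user's actual password and can pass it on. Under PEAP/MSCHAPv2 the server
only sees a challenge/response, so there is no User-Password to hand to a
script; that is why MSCHAP needs Cleartext-Password (or an NT hash) that
the server itself can read, e.g. from LDAP or SQL.
"""
import hashlib
import hmac
import sys

# Constructed stand-in for the external source (hypothetical): salted
# PBKDF2-SHA256 hashes. A real deployment would query a directory or API.
_SALT = b"example-salt"
_ITERATIONS = 100_000
_STORE = {
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS),
}


def check_credentials(username: str, password: str) -> bool:
    """Return True only if the password matches the stored hash for username."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    expected = _STORE.get(username)
    if expected is None:
        # Hash work is already done above, so an unknown user costs the same
        # time as a wrong password and is not distinguishable by timing.
        return False
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, expected)


def exit_status(argv: list) -> int:
    """Map argv as passed by Exec-Program-Wait to an exit code: 0 ok, 1 reject."""
    if len(argv) != 3:
        return 1  # wrong argument count (e.g. missing password) -> reject
    return 0 if check_credentials(argv[1], argv[2]) else 1


if __name__ == "__main__":
    sys.exit(exit_status(sys.argv))
```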