i tried it with the config below but the attribute Tmp-Octets-0 is always "0x". it think thats because the mschap module is disabled. but if i enable it i get no auth request from rlm_python. i guess thats because the mschap module always tries to do authentication, via ntlm_auth or via users file!? or is this a configuration issue? authenticate { Auth-Type EAP { eap } Auth-Type MS-CHAP { #mschap update request { Tmp-Octets-0 := "%{mschap:Challenge}" } otpme } Auth-Type OTPme { otpme } } i also noticed that authData includes a challange/response pair but they are different (longer) from what i get from mschap module when running otpme as ntlm_auth replacement. the request EAP-Type is set to MS-CHAP-V2. is this an encapsulated mschap request? On 2015-01-25 23:28, Alan DeKok wrote:
On Jan 25, 2015, at 3:56 PM, the2nd <the2nd@otpme.org> wrote:
I already have implemented mschap authentication im OTPme and use it from within the mschap module as a ntlm_auth replacement. But it would be great if i could also handle this in rlm_python.
OK.
If if i could get challenge and response from authData just like its done with username and password i could verify it and return the nt_key on success.
You have the challenge and response. See the ntlm_auth line:
=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}”
Just put those strings into temporary attributes.
update request { Tmp-Octets-0 := "%{mschap:Challenge}” ... }
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html