On Nov 9, 2018, at 5:54 PM, Markus Maurer <lists@v-net.tk> wrote:
thank you very much for the fast answer! :)
I thought it‘s not possible to put the otp in the password-attribute, as it comes as an mschap challenge, and not in cleartext - so the server cant match the password anymore?!
True. Which is why most people use PAP for OTP.
Is it possible to modify the eap identity before its getting to the eap module?
Sure. But again... the MS-CHAP calculations are done on the User-Name as supplied by the end user. Modifying things on the RADIUS server won't affect the calculations done by the end user.
I got a similar setup working with AD, but I call the ntlm_auth with a stripped-username there, thats why it is working there.
Why not just do the MS-CHAP calculations on the whole User-Name? Why strip off the OTP? Alan DeKok.