On Feb 1, 2020, at 9:41 PM, Richard Green <richard.green@unsw.edu.au> wrote:
With mschap, to avoid calling an expensive external program for both my authorize and authenticate (multiotp), it is appealing to set "MS-CHAP-Use-NTLM-Auth := No" in the control items, and the mschap module will do the authentication itself without calling ntlm_auth, however I have failed thus far to get this working: how to I make the Cleartext-Password available?
Via the "users" file, or any database.
radtest appears to send the a Cleartext-Password (actually an OTP token which has been accepted in the authorize section):
No. Cleartext-Password is an "internal" attribute that is never sent in a RADIUS packet. radtest prints out Cleartext-Password in order to show you that it's using the password. But the actual authentication method is MS-CHAP.
However the server component appears not to expose Cleartext-Password for my use. From raddebug:
The server doesn't *see* the Cleartext-Password. Because it's not in the packet.
(3) Sun Feb 2 02:19:01 2020: Debug: Received Access-Request Id 76 from 127.0.0.1:37601 to 127.0.0.1:1812 length 129 (3) Sun Feb 2 02:19:01 2020: Debug: User-Name = "bob"
Run "radiusd -X". Not "-Xx", "-Xxxx", or anything else. This recommendation is documented *everywhere*. If you want to use PAP authentication, then have radtest send a User-Password attribute. And, don't send *both* User-Password and MS-CHAP in the same packet. Alan DeKok.