Alan DeKok a écrit :
Fabiano wrote:
Can you point me to a document or website where the following mechanism is described well ?
ie MSCHAPv2 Radius Client -> Freeradius does the MSCHAPv2 challenge ? -> auth is delegated to external script receiving attributes like username and password in clear -> external script gives the auth ok answer -> Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.
MS-CHAP doesn't work this way. You CANNOT give a cleartext password to an external script by looking at the MS-CHAP data. It is *impossible*.
Ok, thanks.
The part I don't understand is how does this MSCHAPv2 auth work in Freeradius, and how the external script could get the attributes when the MSCHAPv2 challenge password is encrypted ? Does it mean that I have to implement the MSCHAPv2 challenge auth by myself, entirely in the external script ?
No. You tell the server what the correct password is, and it does the MS-CHAP calculations to authenticate the user.
Concerning the cleartext password; In your previous message, you say : "get it from somewhere" but I can' figure out how...
A database? You should know what the *correct* password is, otherwise you don't be able to authenticate the user.
You mean, for example making the OTP script (doing exactly the contrary of what it actually does) write the password every 10 seconds to a database for every user and then let freeradius check the db ? Is this the only way ? Thanks again !
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html