Fabiano wrote:
Can you point me to a document or website where the following mechanism is described well ?
ie MSCHAPv2 Radius Client -> Freeradius does the MSCHAPv2 challenge ? -> auth is delegated to external script receiving attributes like username and password in clear -> external script gives the auth ok answer -> Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.
MS-CHAP doesn't work this way. You CANNOT give a cleartext password to an external script by looking at the MS-CHAP data. It is *impossible*.
The part I don't understand is how does this MSCHAPv2 auth work in Freeradius, and how the external script could get the attributes when the MSCHAPv2 challenge password is encrypted ? Does it mean that I have to implement the MSCHAPv2 challenge auth by myself, entirely in the external script ?
No. You tell the server what the correct password is, and it does the MS-CHAP calculations to authenticate the user.
Concerning the cleartext password; In your previous message, you say : "get it from somewhere" but I can' figure out how...
A database? You should know what the *correct* password is, otherwise you don't be able to authenticate the user. Alan DeKok.