On 2015-01-26 23:24, Alan DeKok wrote:
On Jan 26, 2015, at 5:13 PM, the2nd@otpme.org wrote:
The MSCHAP module does MSCHAP authentication. That’s why it exists.
but i guess it does something more than just authentication
Yes. You need to READ the file raddb/sites-available/default. Look for “mschap”.
because i can pass the mschap challenge and the nt-response to my script when configuring the mschap module like this:
ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' '%{%{mschap:Challenge}:-00}' '%{%{mschap:NT-Response}:-00}' '%{NAS-Identifier}' '%{Client-IP-Address}'”
Yes, you already said that.
but from inside the rlm_python module i cannot access this two attributes.
Yes, you already said that.
This is getting annoying.
that was not my intention. i just wanted to be precise....
it would be great to have access to them from within rlm_python....
I told you what to do to fix it.
Are you going to:
a) ignore my instructions, and keep failing to get it to work?
b) follow my instructions and fix the problem?
i tried to follow your instructions but it does not work. this may be my fault but i dont know whats wrong with my configuration. you said i should add something like this to my config: update request { Tmp-Octets-0 := "%{mschap:Challenge}" Tmp-Octets-1 := "%{mschap:NT-Response}" } so i've added this to the authenticate section. then the attribute is accessible from within rlm_python but it contains just "0x". after re-reading sites-available/default i tried to add mschap to the authorize section. now authData looks like this: (('EAP-Message', '0x020600441a0206003f318c929437cfcc7e34d38695dba333a3480000000000000000293469b08f92cfe6256368b2dfc387040bca8dfb793b7c1400746573747573657231'), ('FreeRADIUS-Proxied-To', '127.0.0.1'), ('User-Name', '"testuser1"'), ('State', '0xe5d8e91ee5def3de4aba84c7d7c8b566'), ('NAS-IP-Address', '127.0.0.1'), ('Calling-Station-Id', '"02-00-00-00-00-01"'), ('Framed-MTU', '1400'), ('NAS-Port-Type', 'Wireless-802.11'), ('Connect-Info', '"CONNECT 11Mbps 802.11b"'), ('EAP-Type', 'MS-CHAP-V2'), ('MS-CHAP-Challenge', '0x4ae7d63d38abad6a5e5cd90fc6e56420'), ('MS-CHAP2-Response', '0x06658c929437cfcc7e34d38695dba333a3480000000000000000293469b08f92cfe6256368b2dfc387040bca8dfb793b7c14'), ('MS-CHAP-User-Name', '"testuser1"'), ('Tmp-Octets-0', '0x61656661316130333862306364383438'), ('Tmp-Octets-1', '0x323933343639623038663932636665363235363336386232646663333837303430626361386466623739336237633134')) so there is some data in Tmp-Octets-0 and Tmp-Octets-1 now. but this values are longer than whats normally in %{mschap:Challenge} and %{mschap:NT-Response}. the challenge i get from mschap module when called as an ntlm_auth replacement is 16 character long. and the response is 48 chars long. thanks a lot for any hint in the right direction....
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html