Thank you, using the files mod sets the password nicely, however the MS-CHAP2-Response is reported to be incorrect, sorry I could not find any more detailed docs to help me use the module's inbuilt functionality. . . . (0) } # authorize = ok (0) Found Auth-Type = mschap (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Auth-Type mschap { (0) multiotpmschap: Found Cleartext-Password, hashing to create NT-Password (0) multiotpmschap: Found Cleartext-Password, hashing to create LM-Password (0) multiotpmschap: Client is using MS-CHAPv1 with NT-Password (0) multiotpmschap: ERROR: MS-CHAP2-Response is incorrect (0) [multiotpmschap] = reject (0) } # Auth-Type mschap = reject . . . The full output from radiusd -X is at https://gist.github.com/greenaussie/13cdd90a597e46882066f01fb6492ef4 with the error report on line 780. Regards Richard ________________________________ From: Freeradius-Users <freeradius-users-bounces+richard.green=unsw.edu.au@lists.freeradius.org> on behalf of Alan DeKok <aland@deployingradius.com> Sent: Sunday, 2 February 2020 1:54 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Using Cleartext-Password with MS-CHAP-Use-NTLM-Auth := No On Feb 1, 2020, at 9:41 PM, Richard Green <richard.green@unsw.edu.au> wrote:
With mschap, to avoid calling an expensive external program for both my authorize and authenticate (multiotp), it is appealing to set "MS-CHAP-Use-NTLM-Auth := No" in the control items, and the mschap module will do the authentication itself without calling ntlm_auth, however I have failed thus far to get this working: how to I make the Cleartext-Password available?
Via the "users" file, or any database.
radtest appears to send the a Cleartext-Password (actually an OTP token which has been accepted in the authorize section):
No. Cleartext-Password is an "internal" attribute that is never sent in a RADIUS packet. radtest prints out Cleartext-Password in order to show you that it's using the password. But the actual authentication method is MS-CHAP.
However the server component appears not to expose Cleartext-Password for my use. From raddebug:
The server doesn't *see* the Cleartext-Password. Because it's not in the packet.
(3) Sun Feb 2 02:19:01 2020: Debug: Received Access-Request Id 76 from 127.0.0.1:37601 to 127.0.0.1:1812 length 129 (3) Sun Feb 2 02:19:01 2020: Debug: User-Name = "bob"
Run "radiusd -X". Not "-Xx", "-Xxxx", or anything else. This recommendation is documented *everywhere*. If you want to use PAP authentication, then have radtest send a User-Password attribute. And, don't send *both* User-Password and MS-CHAP in the same packet. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html