Perhaps you could explain why you think you need to see the NT hash.
I'm enlightened and don't think I need it anymore ;-) Here's pseudocode for my Python authorize method for the inner-tunnel: def authorize(RAD_REQUEST): nt_hash = get_user_nt_hash(user_name) config = ( ('NT-Password', nt_hash), ('Auth-Type', ':=', 'MS-CHAP'), ) result = radiusd.RLM_MODULE_OK return (result, (), config) Which is working, the user authenticates, but I see this error: (8) Found Auth-Type = MS-CHAP (8) Found Auth-Type = eap (8) ERROR: Warning: Found 2 auth-types on request for user 'testing' That doesn't seem to cause a problem, but is there something that should be done to suppress the error? Thanks, Gary On Thu, Nov 9, 2017 at 6:09 AM, Alan DeKok <aland@deployingradius.com> wrote:
On Nov 8, 2017, at 9:55 PM, Gary Gwin <garygwin@gmail.com> wrote:
What I'm really asking is how I can get access from the inner-tunnel to the NT hash?
You can't. It doesn't exist.
I don't see it passed in. Just the User-Name and EAP-Message.
If it is encrypted in the EAP-Message payload, how do I decrypt?
It's not encrypted in EAP-Message. It doesn't exist.
This is really quite simple. If FreeRADIUS decodes information from a RADIUS packet or EAP-Message, it shows that information to you. If there's no information shown... there's no information to decode.
Perhaps you could explain why you think you need to see the NT hash.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html