22 Sep
2018
22 Sep
'18
1:23 p.m.
The attached radius.log shows successful EAP-PEAP/MSCHAPv2 authentication using a Windows 10 client and Meraki access point with FreeRADIUS 3.0.17. An inner-tunnel Python script uses an API to get the NT hash and sets the NT-Password within authorize. The standard authenticate MS-CHAP module then handles. During the chatty inner-tunnel MSCHAPv2 negotiation, the get NT hash API is invoked twice in requests 7 and 8, which works, but with unnecessary script and API load. I can eliminate the second invocation in step 8 by checking the request EAP-Message for length. That feels fragile. There must be a better way to detect state to determine we're in request 8. Any recommendations? Thanks, Gary