On Wed, Nov 13, 2013 at 04:22:23PM +0000, Prash K wrote:
In my set up, I use an external authentication script (written in python) which accepts user and password. I have successfully proven this set up on eapol_test with EAP-TTLS (PEAP). I perform exec in post-auth section of default. Something like this in users:
Auth-Type = Accept Exec-Program-Wait = "/path/to/myscript.py %{User-Name} %{User-Password}
I can't work out what you're doing (especially in post-auth), but this doesn't look right. With EAP-TTLS/PAP the client will send an encrypted plaintext password, which you can pass to your script to test. Windows < 8 don't support EAP-TTLS/PAP. With PEAP/MS-CHAPv2 (or EAP-TTLS/MS-CHAPv2) you won't be sent a plaintext password, which means you need either - the cleartext password; or - the NTLM hash. If you've not got access to either, what you are trying to do is impossible and you need to rethink.
This works fine with EAP-TTLS (PEAP). But as you know Windows built in supplicant defaults to CHAP. So I'm keen to get that working. I understand that freeradius needs to know the password (Cleartext-Password) but I can't set that in users file. I don't use ldap or sql modules.
If you have the cleartext password, you can easily set it in the users file. There is no need to use ldap or sql. username Cleartext-Password := 'password' Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>