P K wrote:
My apologies. I got the protocols mixed up. But yes you all understood my question perfectly. I have been able to use TTLS/PAP which is supported by Windows>=8 out of the box because I can pass user/pass combo to my external script.For the users < Win 8, I was looking to get PEAP/MSCHAP working but as you say radius needs either the clear text password or NTLM hash. I have neither as my python script needs user/pass to validate against the external source.
As I said, it's *impossible*.
If I understand correctly, I switch to LDAP and get rid of the script all together, radius will work with both TTLS/PAP & PEAP/MSCHAP. Is this correct? I believe I have to enable ldap on the inner tunnel.
It will work if LDAP supplies the clear-text password or the NT hash to FreeRADIUS. Otherwise, it's impossible.
Now assuming I stick with the script and support TTLS/PAP only, I wanted to understand how radius distinguishes between two types of requests.
Read the debug output. The EAP supplicant *tells* the server it's using TTLS or PEAP.
I did not mention it earlier but I have another script that does MOTP in the same radius server. At the moment I use realms to distinguish between the two but I'm pretty sure there is an elegant way to let radius work it out itself.
As always, read the debug output. If you can tell the difference between the two requests, then you can write a rule to distinguish between the two requests. Alan DeKok.