On Wed, 2017-11-08 at 16:53 -0700, Gary Gwin wrote:
I've configured and tested the EAP-PEAP MSCHAPv2 basic example as documented with FreeRADIUS 3.0.12 using a Windows 10 supplicant configured for WPA2 Enterprise.
OK...
Instead of using the FreeRADIUS users file for authentication, I want to use a custom Python module in the inner-tunnel (I presume) to authenticate the user with a REST API.
Have you looked at rlm_rest? It might be a better solution. What information does the rest API give you? Or what are you expecting to send to it to check?
1) How do I know in the Python module when to get in the middle of the multi-step eap authentication without causing problems?
I don't understand what this means. If you call rlm_python in the the authenticate section of the inner- tunnel, then it'll be at the right time to do the authentication.
2) How do I get the User-Password?
You can't.
I've seen posts that suggest the User-Password might be sent encrypted in the EAP-Message. If that's the case:
3) How do I know how to decrypt the EAP-Message?
You can't get the plain text password from the EAP-Message.
4) Anything else I need to know?
You need the password in plaintext on the RADIUS server, or the NT hash of it. Nothing else will be able to authenticate MSCHAP requests. See http://deployingradius.com/documents/protocols/compatibility.html -- Matthew