PEAP/EAP-MSCHAPv2 module modification problem
iostres at live.com
Thu May 23 15:55:43 CEST 2013
On 5/23/13 2:59 PM, Alan DeKok wrote:
> Ivan Ostres wrote:
>> I am using PEAP-EAP-MSCHAPv2 combo with freeradius. I modified
>> EAP-MSCHAPv2 rlm to use a weird password store system
> You should do that ONLY if the password store does MS-CHAP.
> Otherwise, you should write a module to pull the password from the
> store, and let FreeRADIUS do the rest.

Thanks for answering - I indeed have a weird setup here - I have 2
external authentication systems:

(1) a fast one acting as a cache (that means it could have stale password info)
(2) a slow one which always has the right password

The thing is that I need to use (1) whenever possible, so I can do the
lookup in (1) while in rlm_eap and simply do
pairmake_config("NT-Password",....). Then in the eap-mschapv2 handler I
need to check whether this password is OK (I can do that by checking the
response from the peer), and then if the password appears to be wrong I need to
contact (2) to check whether the password is really wrong or just (1) was
wrong. If the password in (2) is correct, I need to update the record in (1).

Since I don't want to open a new connection to (1) and (2) for every
authentication, I wanted to keep the connections open in the rlm_eap module
instead of in the eap-mschapv2 handler, but somehow I need to know whether
the password from (1) or (2) was eventually used, to update (1) if needed -
that's why I asked how I can propagate info from the eap-mschapv2 handler
back to rlm_eap.