PEAP/EAP-MSCHAPv2 module modification problem

Ivan Ostres iostres at
Thu May 23 15:55:43 CEST 2013

On 5/23/13 2:59 PM, Alan DeKok wrote:
> Ivan Ostres wrote:
>> I am using PEAP-EAP-MSCHAPv2 combo with freeradius. I modified
>> EAP-MSCHAPv2 rlm to use a weird password store system
>    You should do that ONLY if the password store does MS-CHAP.
>    Otherwise, you should write a module to pull the password from the
> store, and let FreeRADIUS do the rest.
Hi Alan,

thanks for answering - I indeed have a weird setup here - I have 2 
external authentication systems:

(1) fast one acting as cache (that means it could have stale password info)
(2) slow one which always have a right password

The thing is that I need to use (1) whenever possible so I can do the 
lookup in (1) while in rlm_eap and simply do 
"pairmake_config("NT-Password",....). Then in eap-mschapv2 handler I 
need to check whether this password is ok (I can do that by checking 
response from peer and then if password appear to be wrong I need to 
contact (2) to check whether password is really wrong or just  (1) was 
wrong. If password in (2) is correct, I need to update record in (1).

Since I don't want to open new connection to (1) and (2) for every 
authentication I wanted to keep connections open in rlm_eap module 
instead in eap-mschapv2 handler but somehow I need to know whether 
password from (1) or (2) was eventually used to update (1) if needed - 
that;s why I asked how can I propagate info from eap-mschapv2 handler 
back to rlm_eap.


More information about the Freeradius-Devel mailing list