Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2

Fabiano fabiano at
Sat Feb 14 22:53:05 CET 2009


Thanks for your answer.
Can you point me to a document or website where the following mechanism 
is described well ?

ie MSCHAPv2 Radius Client -> Freeradius does the MSCHAPv2 challenge ? -> 
auth is delegated to external script receiving attributes like username 
and password in clear -> external script gives the auth ok answer -> 
Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.

The part I don't understand is how does this MSCHAPv2 auth work in 
Freeradius, and how the external script could get the attributes when 
the MSCHAPv2 challenge password is encrypted ? Does it mean that I have 
to implement the MSCHAPv2 challenge auth by myself, entirely in the 
external script ?

Concerning the cleartext password;
In your previous message, you say : "get it from somewhere" but I can' 
figure out how...

Thanks a lot

Best regards


Alan DeKok wrote :
> Fabiano wrote:
>> Hello,
>> Does anyone know where I can find some information on how to use the
>> following in freeradius ?
>> I have an external shell script which awaits arguments (username, clear
>> password, and other arguments) and returns an answer for validation.
>> The problem is that I cannot find any lead on how to do this while using
>> MSCHAPv2...
> $ man unlang
>   Then, run the script in the post-auth section.
>> And I am not sure how to do this with Exec-Program-Wait.
>> Is this possible without rewriting the module in C ?
>> Is there any way to have the cleartext password sent to the external
>> script ?
>   Sure.  Get it from somewhere, and then send it to the script.
>   Alan DeKok.
> -

More information about the Freeradius-Users mailing list