Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2

Alan DeKok aland at
Sun Feb 15 09:17:30 CET 2009

Fabiano wrote:
> Can you point me to a document or website where the following mechanism
> is described well ?
> ie MSCHAPv2 Radius Client -> Freeradius does the MSCHAPv2 challenge ? ->
> auth is delegated to external script receiving attributes like username
> and password in clear -> external script gives the auth ok answer ->
> Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.

  MS-CHAP doesn't work this way.  You CANNOT give a cleartext password
to an external script by looking at the MS-CHAP data.  It is *impossible*.

> The part I don't understand is how does this MSCHAPv2 auth work in
> Freeradius, and how the external script could get the attributes when
> the MSCHAPv2 challenge password is encrypted ? Does it mean that I have
> to implement the MSCHAPv2 challenge auth by myself, entirely in the
> external script ?

  No.  You tell the server what the correct password is, and it does the
MS-CHAP calculations to authenticate the user.

> Concerning the cleartext password;
> In your previous message, you say : "get it from somewhere" but I can'
> figure out how...

  A database?  You should know what the *correct* password is, otherwise
you don't be able to authenticate the user.

  Alan DeKok.

More information about the Freeradius-Users mailing list