Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
fabiano at powerpc.ch
Tue Feb 17 20:58:53 CET 2009
Alan DeKok wrote:
> Fabiano wrote:
>> Can you point me to a document or website where the following mechanism
>> is described well?
>> i.e. MSCHAPv2 RADIUS client -> FreeRADIUS does the MSCHAPv2 challenge? ->
>> auth is delegated to an external script receiving attributes like username
>> and password in clear -> external script gives the auth OK answer ->
>> FreeRADIUS gives the auth accepted answer to the MSCHAPv2 RADIUS client.
> MS-CHAP doesn't work this way. You CANNOT give a cleartext password
> to an external script by looking at the MS-CHAP data. It is *impossible*.
>> The part I don't understand is how this MSCHAPv2 auth works in
>> FreeRADIUS, and how the external script could get the attributes when
>> the MSCHAPv2 challenge password is encrypted? Does it mean that I have
>> to implement the MSCHAPv2 challenge auth by myself, entirely in the
>> external script?
> No. You tell the server what the correct password is, and it does the
> MS-CHAP calculations to authenticate the user.
>> Concerning the cleartext password:
>> In your previous message, you say "get it from somewhere", but I can't
>> figure out how...
> A database? You should know what the *correct* password is, otherwise
> you won't be able to authenticate the user.
You mean, for example, making the OTP script (doing exactly the contrary
of what it actually does) write the password every 10 seconds to a
database for every user, and then letting FreeRADIUS check the DB?
Is this the only way?
Thanks again!
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
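As an added illustration of the point made above (this configuration is written for this note; it is not from the thread, from the FreeRADIUS project, or from the MOTP project), the shape of the mechanism is: the external program does not see the MS-CHAPv2 response at all, it only tells the server what the expected password for this user is right now, and rlm_mschap then does the challenge/response arithmetic itself. With rlm_exec and `wait = yes`, the program's stdout is parsed as attribute pairs, so the program can set `Cleartext-Password` in the control list before `mschap` runs in `authorize`. The module name `motp_lookup` and the script path `/usr/local/bin/motp-password` are assumptions; the script itself is assumed to hold (or look up in a database) the per-user secret and PIN and to compute the value that is valid for the current time slot.

```text
# modules/motp_lookup  (assumed name; FreeRADIUS 2.x rlm_exec syntax)
exec motp_lookup {
        wait = yes
        # assumed helper: receives the user name, prints the password
        # expected for this user in the current time slot
        program = "/usr/local/bin/motp-password %{User-Name}"
        input_pairs = request
        # pairs printed on stdout land in the control list, where
        # rlm_mschap looks for the known-good password
        output_pairs = control
        shell_escape = yes
}

# sites-enabled/default (relevant parts only)
authorize {
        preprocess
        motp_lookup
        mschap
}

authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
}

# What the assumed helper prints on stdout (exit status 0), e.g.:
#   Cleartext-Password := "482913"
# rlm_mschap then computes the NT hash of that value and checks the
# client's MS-CHAPv2 response against it; the script never sees any
# challenge or response data.
```

Two caveats follow directly from this arrangement. rlm_mschap compares against exactly one known-good password, so the helper must decide on its own which OTP value is valid right now; if the OTP scheme tolerates a window of several time slots, that tolerance has to be implemented by the helper (for example by checking the client's attempt against each candidate and returning the matching one), because the MS-CHAPv2 module will not try several candidates. And whatever the helper reads to compute the password (secret, PIN, or a pre-filled table of upcoming values) is password-equivalent material and needs the same protection as a stored cleartext password.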