Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2
Fabiano
fabiano at powerpc.ch
Tue Feb 17 20:58:53 CET 2009
Alan DeKok a écrit :
> Fabiano wrote:
>
>> Can you point me to a document or website where the following mechanism
>> is described well ?
>>
>> ie MSCHAPv2 Radius Client -> Freeradius does the MSCHAPv2 challenge ? ->
>> auth is delegated to external script receiving attributes like username
>> and password in clear -> external script gives the auth ok answer ->
>> Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.
>>
>
> MS-CHAP doesn't work this way. You CANNOT give a cleartext password
> to an external script by looking at the MS-CHAP data. It is *impossible*.
>
Ok, thanks.
>> The part I don't understand is how does this MSCHAPv2 auth work in
>> Freeradius, and how the external script could get the attributes when
>> the MSCHAPv2 challenge password is encrypted ? Does it mean that I have
>> to implement the MSCHAPv2 challenge auth by myself, entirely in the
>> external script ?
>>
>
> No. You tell the server what the correct password is, and it does the
> MS-CHAP calculations to authenticate the user.
>
>
>> Concerning the cleartext password;
>> In your previous message, you say : "get it from somewhere" but I can'
>> figure out how...
>>
>
> A database? You should know what the *correct* password is, otherwise
> you don't be able to authenticate the user.
>
You mean, for example making the OTP script (doing exactly the contrary
of what it actually does) write the password every 10 seconds to a
database for every user and then let freeradius check the db ?
Is this the only way ?
Thanks again !
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list