Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2

Fabiano fabiano at powerpc.ch
Tue Feb 17 20:58:53 CET 2009


Alan DeKok wrote:
> Fabiano wrote:
>   
>> Can you point me to a document or website where the following mechanism
>> is described well?
>>
>> ie MSCHAPv2 Radius Client -> Freeradius does the MSCHAPv2 challenge? ->
>> auth is delegated to external script receiving attributes like username
>> and password in clear -> external script gives the auth ok answer ->
>> Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.
>>     
>
>   MS-CHAP doesn't work this way.  You CANNOT give a cleartext password
> to an external script by looking at the MS-CHAP data.  It is *impossible*.
>   
Ok, thanks.
>> The part I don't understand is how does this MSCHAPv2 auth work in
>> Freeradius, and how the external script could get the attributes when
>> the MSCHAPv2 challenge password is encrypted? Does it mean that I have
>> to implement the MSCHAPv2 challenge auth by myself, entirely in the
>> external script?
>>     
>
>   No.  You tell the server what the correct password is, and it does the
> MS-CHAP calculations to authenticate the user.
>
>   
>> Concerning the cleartext password:
>> In your previous message, you say: "get it from somewhere" but I can't
>> figure out how...
>>     
>
>   A database?  You should know what the *correct* password is, otherwise
> you won't be able to authenticate the user.
>   
You mean, for example making the OTP script (doing exactly the contrary 
of what it actually does) write the password every 10 seconds to a 
database for every user and then let freeradius check the db?
Is this the only way?

Thanks again !

>   Alan DeKok.
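Alan's point is that the server must know the correct cleartext password; for a time-based OTP it can derive that on demand from the stored secret instead of having a script write it to a database every 10 seconds. The following is an added example (not from this thread or from the FreeRADIUS project) of the server-side half of mOTP: computing the values accepted within a clock-skew window from the init-secret and PIN, and checking a submitted value with replay protection. The secret, PIN and 3-minute window are assumed sample values; with MS-CHAPv2 each candidate would be handed to the mschap module as Cleartext-Password rather than compared directly, and that MD4/DES step is not reproduced here.

```python
import hashlib
import hmac
import time

STEP_SECONDS = 10   # mOTP derives a new value every 10 seconds
WINDOW_STEPS = 18   # accept +/- 3 minutes of clock skew (assumed policy)


def motp(secret_hex: str, pin: str, epoch: int) -> str:
    """mOTP value for the 10-second step containing `epoch`:
    first 6 hex digits of md5(epoch//10 + secret + PIN)."""
    counter = str(epoch // STEP_SECONDS)
    return hashlib.md5((counter + secret_hex + pin).encode()).hexdigest()[:6]


def motp_candidates(secret_hex: str, pin: str, now=None, window=WINDOW_STEPS):
    """Every value the server should accept right now, one per step in the
    window; these are the 'correct passwords' the server can compute itself."""
    now = int(time.time()) if now is None else int(now)
    base = now // STEP_SECONDS
    return [motp(secret_hex, pin, (base + k) * STEP_SECONDS)
            for k in range(-window, window + 1)]


class MotpVerifier:
    """Per-user verifier; stores secret and PIN server-side (the 'database')
    and remembers accepted values so a captured OTP cannot be replayed."""

    def __init__(self, secret_hex: str, pin: str, window=WINDOW_STEPS):
        self.secret_hex, self.pin, self.window = secret_hex, pin, window
        self.used = {}   # otp -> epoch at which it was accepted

    def verify(self, otp: str, now=None) -> bool:
        now = int(time.time()) if now is None else int(now)
        # Drop remembered values that can no longer fall inside the window.
        horizon = now - (self.window + 1) * STEP_SECONDS
        self.used = {o: t for o, t in self.used.items() if t > horizon}
        if otp in self.used:
            return False           # replay of an already-accepted value
        ok = False
        for cand in motp_candidates(self.secret_hex, self.pin, now, self.window):
            # Check every candidate (no early exit) with a constant-time compare.
            ok |= hmac.compare_digest(cand.encode(), otp.encode())
        if ok:
            self.used[otp] = now
        return ok
```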