Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2

Fabiano fabiano at
Tue Feb 17 20:58:53 CET 2009

Alan DeKok wrote:
> Fabiano wrote:
>> Can you point me to a document or website where the following mechanism
>> is described well?
>> i.e. MSCHAPv2 Radius Client -> Freeradius does the MSCHAPv2 challenge? ->
>> auth is delegated to external script receiving attributes like username
>> and password in clear -> external script gives the auth ok answer ->
>> Freeradius gives the auth accepted answer to the MSCHAPv2 Radius client.
>   MS-CHAP doesn't work this way.  You CANNOT give a cleartext password
> to an external script by looking at the MS-CHAP data.  It is *impossible*.
Ok, thanks.
>> The part I don't understand is how does this MSCHAPv2 auth work in
>> Freeradius, and how the external script could get the attributes when
>> the MSCHAPv2 challenge password is encrypted? Does it mean that I have
>> to implement the MSCHAPv2 challenge auth by myself, entirely in the
>> external script?
>   No.  You tell the server what the correct password is, and it does the
> MS-CHAP calculations to authenticate the user.
>> Concerning the cleartext password:
>> In your previous message, you say "get it from somewhere", but I can't
>> figure out how...
>   A database?  You should know what the *correct* password is, otherwise
> you won't be able to authenticate the user.
You mean, for example, making the OTP script (doing exactly the contrary of what it actually does) write the password every 10 seconds to a database for every user, and then letting FreeRADIUS check the DB?
Is this the only way?

Thanks again !

>   Alan DeKok.
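Added example, not from the thread and not FreeRADIUS code, sketching the "server already knows the correct password" approach Alan describes: the RADIUS side recomputes the user's current mobile OTP from the shared secret and PIN, so it can hand that value to the MS-CHAPv2 computation instead of asking an external script to see a cleartext it can never have. The mOTP construction used here (first 6 hex characters of MD5(epoch // 10 || secret || PIN)), the 10-second step, and the sample secret/PIN are assumptions, not taken from the page.

```python
import hashlib
import time
from typing import Dict, List, Optional, Tuple

STEP_SECONDS = 10  # assumed mOTP window: the token value changes every 10 s


def motp(secret: str, pin: str, epoch: int) -> str:
    """mOTP value for the 10-second window containing `epoch`.

    Assumed construction (not described on the page): first 6 hex chars of
    MD5(str(epoch // 10) + secret + pin). Check it against your own token.
    """
    window = epoch // STEP_SECONDS
    return hashlib.md5(f"{window}{secret}{pin}".encode("ascii")).hexdigest()[:6]


def accepted_values(secret: str, pin: str, epoch: int, drift: int = 3) -> List[str]:
    """Every OTP the server should treat as correct around `epoch`, tolerating
    +/- `drift` windows of clock skew between the phone and the RADIUS server.
    With MS-CHAPv2 each candidate would be tried as the known password."""
    return [motp(secret, pin, epoch + i * STEP_SECONDS) for i in range(-drift, drift + 1)]


def refresh_password_table(users: Dict[str, Tuple[str, str]], epoch: int) -> Dict[str, str]:
    """The thread's idea: a job that, every 10 s, writes each user's *current*
    OTP into a table FreeRADIUS reads as the known-good password (for example
    as Cleartext-Password). Only the exact current window is stored, so a
    phone that is one window off will be rejected; see accepted_values()."""
    return {user: motp(secret, pin, epoch) for user, (secret, pin) in users.items()}


def lookup_password(table: Dict[str, str], user: str) -> Optional[str]:
    """What the server would fetch before running the MS-CHAPv2 maths itself."""
    return table.get(user)


if __name__ == "__main__":
    # Constructed sample user; a real deployment keeps secret and PIN in its user DB.
    users = {"fabiano": ("0123456789abcdef", "1234")}
    now = int(time.time())
    print(refresh_password_table(users, now))
    print(accepted_values(*users["fabiano"], now))
```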
