Using Exec-Program-Wait for MOTP (mobile OTP) with MSCHAPv2

Fabiano
Tue Feb 17 22:08:45 CET 2009

Alan DeKok wrote:
> Fabiano wrote:
>>>   A database?  You should know what the *correct* password is, otherwise
>>> you won't be able to authenticate the user.
>> You mean, for example making the OTP script (doing exactly the contrary
>> of what it actually does) write the password every 10 seconds to a
>> database for every user and then let freeradius check the db ?
>> Is this the only way ?
>   It would help if you described what you are trying to do, and why.

I am using a firewall (based on FreeBSD) which has a PPTP 
server accepting only MSCHAPv2 auth.
This PPTP server uses an internal database with flat files for 
authenticating VPN users but also offers auth through an external RADIUS 
I thought that I could use the project to make mobile 
clients (using cell phones and the J2ME applet) authenticate with this 
The MOTP project offers a shell script named which expects some 
arguments to verify the client (Username, OTP, Init-Secret, PIN, Time 
Username and OTP are given by the VPN client.
Init-Secret, PIN and Time Offset are specified in the radius users file.
Normally, this is done using xtradius, executing the script as external 
application and giving the arguments to it.
The script answers ACCEPT or FAIL for final auth.

That's it.

I'm stuck here, having MSCHAPv2 clients and an auth script not usable 
with MSCHAPv2 auth.
I have also tried this with the supplied PAM motp module, but as you 
said this is not possible.
I had successful auths using radtest, but that's all... ;)

I think that what I will try is to rewrite the script in Perl to generate 
the passwords every x seconds into a database and then make FreeRADIUS 
auth against the DB entries.

Do you think this is the best way ?

Thanks again.
>   Alan DeKok.

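The point Alan is making, worked through in code: an MS-CHAPv2 verifier cannot call an ACCEPT/FAIL script, because it has to derive the NT hash of the correct password itself and compare the client's challenge response against it. The OTP check therefore has to be turned inside out, from "is this value valid now?" into "which values are valid now?", which is exactly what the proposed "write the passwords to a database every 10 seconds" job would do. The following is an added example written for this page; it is not code from the thread, from FreeRADIUS or from the MOTP project. It assumes the published mOTP construction (first 6 hex characters of MD5 over epoch/10, Init-Secret and PIN, with a 10-second step), assumes the default acceptance window is 3 minutes either side (18 steps) and that Time Offset is the user's clock skew in seconds, and uses constructed demo credentials. MD4 is written out because hashlib's md4 is unavailable on many current OpenSSL builds.

```python
"""Turn an mOTP ACCEPT/FAIL check into the candidate set an MS-CHAPv2
verifier needs (NT-Password per valid OTP).  Added example, not from
the original thread, FreeRADIUS or the MOTP project."""
import hashlib
import struct
import time

STEP_SECONDS = 10   # mOTP time step
WINDOW_STEPS = 18   # assumed default: 3 minutes either side of "now"


def motp(epoch: int, init_secret: str, pin: str) -> str:
    """One mOTP value for the 10-second slot containing `epoch`."""
    counter = str(epoch // STEP_SECONDS)
    return hashlib.md5((counter + init_secret + pin).encode()).hexdigest()[:6]


def valid_otps(now: int, init_secret: str, pin: str,
               time_offset: int = 0, window: int = WINDOW_STEPS) -> set:
    """Every OTP the server must accept right now (the inverted check):
    enumerate the currently correct values instead of testing one."""
    base = now + time_offset   # Time Offset assumed to be clock skew in seconds
    return {motp(base + k * STEP_SECONDS, init_secret, pin)
            for k in range(-window, window + 1)}


def verify_otp(otp: str, now: int, init_secret: str, pin: str,
               time_offset: int = 0) -> bool:
    """Equivalent of the script's ACCEPT/FAIL answer; only usable with PAP."""
    return otp.lower() in valid_otps(now, init_secret, pin, time_offset)


_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (needed for NT hashes; hashlib often lacks it)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c          # register rotation per RFC 1320
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4 over the UTF-16LE password: the form MS-CHAPv2 needs."""
    return md4(password.encode("utf-16le"))


def nt_password_table(now: int, init_secret: str, pin: str,
                      time_offset: int = 0) -> list:
    """Rows a periodic job would write to the DB: (OTP, NT-Password hex),
    one per currently valid OTP, for the RADIUS server to match against."""
    return sorted((otp, nt_hash(otp).hex().upper())
                  for otp in valid_otps(now, init_secret, pin, time_offset))


if __name__ == "__main__":
    # Constructed demo credentials, not real user data.
    secret, pin, now = "0123456789abcdef", "1234", int(time.time())
    shown = motp(now, secret, pin)                       # what the handset displays
    print("client OTP", shown, "ACCEPT" if verify_otp(shown, now, secret, pin) else "FAIL")
    for otp, nt in nt_password_table(now, secret, pin)[:3]:
        print(otp, nt)
```

Two caveats a practitioner would want before deploying this. The precomputed rows are live credentials for the whole window (up to 37 per user), so the table needs the same protection as a cleartext password store and must be purged as the window moves. And because an mOTP value is only 6 hex characters, anyone who captures the MS-CHAPv2 exchange can brute-force the response offline over the 16^6 possible values, so the OTP adds no real protection against an attacker on the path of a PPTP connection.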