Sample code for external program w/ EAP?

Phil Mayers p.mayers at
Fri Jan 28 17:25:17 CET 2011

On 28/01/11 15:54, McCann, Brian wrote:
> Hi all.  I hate to be a pest…but I cannot find anything really on what
> I’m trying to do.
> My setup is a wireless AP (running OpenWRT) using WPA2 – 802.1x
> authentication, to Freeradius.
> I’m trying to use a Python program as an “external authenticator”, so I
> can check various things with the username and password in my already
> existing authentication schemes. I thought this would be easy…I was
> wrong. Through some trial and error, I’ve determined that the Python app
> needs to return “Cleartext-Password” with “some value”…that value is
> unclear to me since I’ve returned anything and it takes it.

Cleartext-Password needs to be added to the "config" items of the 
request. I haven't used rlm_python but I think that looks like this:

   reply_items = tuple()
   config_items = tuple(
     ('Cleartext-Password', 'password'),
     ('Auth-Type', 'python'),

   return (radiusd.RLM_MODULE_OK, reply_items, config_items)

Your current code is returning it in the reply items I think.

It's not clear to me that setting Auth-Type is what you want; it'll mean 
the Python module is then called for the authentication phase, which if 
you're doing EAP is probably not what you want? It should just be 
sufficient to return the cleartext-password in the config items, and let 
FreeRadius handle the auth.

More information about the Freeradius-Users mailing list