CHAP, Cleartext-Password and External Script

Matthew Newton mcn4 at
Wed Nov 13 18:02:12 CET 2013

On Wed, Nov 13, 2013 at 04:22:23PM +0000, Prash K wrote:
> In my set up, I use an external authentication script (written in python)
> which accepts user and password. I have successfully proven this set up on
> eapol_test with EAP-TTLS (PEAP). I perform exec in post-auth section of
> default. Something like this in users:
> Auth-Type = Accept
>         Exec-Program-Wait = "/path/to/  %{User-Name}
> %{User-Password}

I can't work out what you're doing (especially in post-auth), but
this doesn't look right.

With EAP-TTLS/PAP the client will send an encrypted plaintext
password, which you can pass to your script to test. Windows < 8
don't support EAP-TTLS/PAP.

With PEAP/MS-CHAPv2 (or EAP-TTLS/MS-CHAPv2) you won't be sent a
plaintext password, which means you need either

  - the cleartext password; or
  - the NTLM hash.

If you've not got access to either, what you are trying to do is
impossible and you need to rethink.

> This works fine with EAP-TTLS (PEAP).  But as you know Windows built in
> supplicant defaults to CHAP. So I'm keen to get that working. I understand
> that freeradius needs to know the password (Cleartext-Password) but I can't
> set that in users file. I don't use ldap or sql modules.

If you have the cleartext password, you can easily set it in the
users file. There is no need to use ldap or sql.

username   Cleartext-Password := 'password'



Matthew Newton, Ph.D. <mcn4 at>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list