CHAP, Cleartext-Password and External Script
Alan DeKok
aland at deployingradius.com
Wed Nov 13 18:07:10 CET 2013
Prash K wrote:
> I have searched high and low but I could not find answer to my problem.
> It may be a very simple problem for the expert users out here. Basically
> I'm using radius server to perform 802.1x authentication.
Which should be easy.
> In my set up, I use an external authentication script (written in
> python) which accepts user and password.
Which won't work
> I have successfully proven this
> set up on eapol_test with EAP-TTLS (PEAP).
I think you mean TTLS / PAP. PEAP is very different.
> I perform exec in post-auth
> section of default. Something like this in users:
>
> Auth-Type = Accept
> Exec-Program-Wait = "/path/to/myscript.py %{User-Name}
> %{User-Password}
>
> This works fine with EAP-TTLS (PEAP). But as you know Windows built in
> supplicant defaults to CHAP.
No. It defaults to PEAP / MSCHAP.
PLEASE use the right terminology. It matters a LOT.
> So I'm keen to get that working. I
> understand that freeradius needs to know the password
> (Cleartext-Password) but I can't set that in users file. I don't use
> ldap or sql modules.
You will need to use LDAP or SQL. Sorry.
> I can amend my script to print the password once it has authenticated
> against the external source. But how do I call my script and set the
> Cleartext-Password (using the script output) so that CHAP could be
> performed?
You can't. It's impossible.
Alan DeKok.
More information about the Freeradius-Users
mailing list