CHAP, Cleartext-Password and External Script

Alan DeKok aland at
Wed Nov 13 18:07:10 CET 2013

Prash K wrote:
> I have searched high and low but I could not find answer to my problem.
> It may be a very simple problem for the expert users out here. Basically
> I'm using radius server to perform 802.1x authentication.

  Which should be easy.

> In my set up, I use an external authentication script (written in
> python) which accepts user and password.

  Which won't work

> I have successfully proven this
> set up on eapol_test with EAP-TTLS (PEAP).

  I think you mean TTLS / PAP.  PEAP is very different.

> I perform exec in post-auth
> section of default. Something like this in users:
> Auth-Type = Accept
>         Exec-Program-Wait = "/path/to/  %{User-Name}
> %{User-Password}
> This works fine with EAP-TTLS (PEAP).  But as you know Windows built in
> supplicant defaults to CHAP.

  No.  It defaults to PEAP / MSCHAP.

  PLEASE use the right terminology.  It matters a LOT.

> So I'm keen to get that working. I
> understand that freeradius needs to know the password
> (Cleartext-Password) but I can't set that in users file. I don't use
> ldap or sql modules.

  You will need to use LDAP or SQL.  Sorry.

> I can amend my script to print the password once it has authenticated
> against the external source. But how do I call my script and set the
> Cleartext-Password (using the script output) so that CHAP could be
> performed?

  You can't.  It's impossible.

  Alan DeKok.

More information about the Freeradius-Users mailing list