CHAP, Cleartext-Password and External Script

P K getpkme at
Wed Nov 13 21:56:20 CET 2013

My apologies. I got the protocols mixed up. But yes you all understood my
question perfectly. I have been able to use TTLS/PAP which is supported by
Windows>=8 out of the box because I can pass user/pass combo to my external
script.For the users < Win 8, I was looking to get PEAP/MSCHAP working but
as you say radius needs either the clear text password or NTLM hash. I have
neither as my python script needs user/pass to validate against the
external source.

If I understand correctly, I switch to LDAP and get rid of the script all
together, radius will work with both TTLS/PAP &
PEAP/MSCHAP. Is this correct? I believe I have to enable ldap on the inner

Now assuming I stick with the script and support TTLS/PAP only, I wanted to
understand how radius distinguishes between two types of requests. I did
not mention it earlier but I have another script that does MOTP in the same
radius server. At the moment I use realms to distinguish between the two
but I'm pretty sure there is an elegant way to let radius work it out
itself. My users file contains something like this

DEFAULT    Suffix == "@8021x", Auth-Type = Accept
         Exec-Program-Wait = "/path/to/
%{Stripped-User-Name} %{User-Password}

DEFAULT    Suffix == "@motp", Auth-Type = Accept
         Exec-Program-Wait = "/path/to/
%{Stripped-User-Name} %{User-Password}

I have defined these two realms in proxy.conf.

Many Thanks.

On 13 November 2013 17:07, Alan DeKok <aland at> wrote:

> Prash K wrote:
> > I have searched high and low but I could not find answer to my problem.
> > It may be a very simple problem for the expert users out here. Basically
> > I'm using radius server to perform 802.1x authentication.
>   Which should be easy.
> > In my set up, I use an external authentication script (written in
> > python) which accepts user and password.
>   Which won't work
> > I have successfully proven this
> > set up on eapol_test with EAP-TTLS (PEAP).
>   I think you mean TTLS / PAP.  PEAP is very different.
> > I perform exec in post-auth
> > section of default. Something like this in users:
> >
> > Auth-Type = Accept
> >         Exec-Program-Wait = "/path/to/  %{User-Name}
> > %{User-Password}
> >
> > This works fine with EAP-TTLS (PEAP).  But as you know Windows built in
> > supplicant defaults to CHAP.
>   No.  It defaults to PEAP / MSCHAP.
>   PLEASE use the right terminology.  It matters a LOT.
> > So I'm keen to get that working. I
> > understand that freeradius needs to know the password
> > (Cleartext-Password) but I can't set that in users file. I don't use
> > ldap or sql modules.
>   You will need to use LDAP or SQL.  Sorry.
> > I can amend my script to print the password once it has authenticated
> > against the external source. But how do I call my script and set the
> > Cleartext-Password (using the script output) so that CHAP could be
> > performed?
>   You can't.  It's impossible.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Freeradius-Users mailing list