CHAP, Cleartext-Password and External Script

A.L.M.Buxey at A.L.M.Buxey at
Wed Nov 13 22:10:57 CET 2013


>    If I understand correctly, I switch to LDAP and get rid of the script
>    altogether, radius will work with both TTLS/PAP &
>    PEAP/MSCHAP. Is this correct? I believe I have to enable ldap on the inner
>    tunnel.

depends on how your passwords are stored in the LDAP. read the deployingradius web site

>    Now assuming I stick with the script and support TTLS/PAP only, I wanted
>    to understand how radius distinguishes between two types of requests. I

if you look at debug mode you will see what's going on. depending on the content
of the packet certain modules will do things - eg the mschap module - which will
then activate the MSCHAPv2 stuff for dealing with the challenge response, the
pap module deals with plain text stuff. the ldap module will have got a value
for that PAP module to deal with.

with the type known and the method defined, you could use eg unlang to
fire off the correct external script..if still needed...rather than do those
frankly nasty (and lucky they work) things in the users file
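
Added example, not part of the original message and not FreeRADIUS code: a simplified Python model of the behaviour described above, where the attributes in the request select the handler and the stored password format decides whether that handler can verify anything. The dictionary keys and sample values are constructed, and `User-Password` is assumed to be already decoded.

```python
import base64, hashlib, hmac

def detect_method(request):
    """Pick the handler from the attributes present in the request (simplified)."""
    if "MS-CHAP-Challenge" in request:
        return "MS-CHAP"
    if "CHAP-Password" in request:
        return "CHAP"
    if "User-Password" in request:
        return "PAP"
    return None

def chap_response(chap_id, password, challenge):
    # RFC 1994: response = MD5(identifier || secret || challenge)
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def ssha(password, salt):
    # LDAP {SSHA}: base64(SHA1(password || salt) || salt)
    return b"{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt)

def verify(request, stored):
    """Return True/False, or None when the stored format cannot serve the method."""
    method = detect_method(request)
    clear = stored.get("Cleartext-Password")
    if method == "PAP":
        supplied = request["User-Password"]
        if clear is not None:
            return hmac.compare_digest(supplied, clear)
        # PAP hands the server the password, so it can be re-hashed with the stored salt.
        raw = base64.b64decode(stored["SSHA-Password"][6:])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(supplied + salt).digest(), digest)
    if method == "CHAP":
        if clear is None:
            return None  # a one-way hash cannot reproduce MD5(id || password || challenge)
        blob = request["CHAP-Password"]  # 1 byte identifier + 16 byte response
        expected = chap_response(blob[0], clear, request["CHAP-Challenge"])
        return hmac.compare_digest(blob[1:], expected)
    return None  # MS-CHAP (needs cleartext or an NT hash) is not modelled here

# Constructed sample data
PW, CHAL = b"s3cret", bytes(range(16))
AS_CLEAR = {"Cleartext-Password": PW}
AS_SSHA = {"SSHA-Password": ssha(PW, b"\x01\x02\x03\x04")}
PAP_REQ = {"User-Password": PW}
CHAP_REQ = {"CHAP-Challenge": CHAL, "CHAP-Password": bytes([7]) + chap_response(7, PW, CHAL)}

if __name__ == "__main__":
    for name, store in (("cleartext", AS_CLEAR), ("ssha", AS_SSHA)):
        print(name, "PAP:", verify(PAP_REQ, store), "CHAP:", verify(CHAP_REQ, store))
```
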

