CHAP, Cleartext-Password and External Script
Alan DeKok
aland at deployingradius.com
Wed Nov 13 22:46:17 CET 2013
P K wrote:
> My apologies. I got the protocols mixed up. But yes you all understood
> my question perfectly. I have been able to use TTLS/PAP which is
> supported by Windows>=8 out of the box because I can pass user/pass
> combo to my external script. For the users < Win 8, I was looking to get
> PEAP/MSCHAP working but as you say radius needs either the clear text
> password or NTLM hash. I have neither as my python script needs
> user/pass to validate against the external source.
As I said, it's *impossible*.
> If I understand correctly, I switch to LDAP and get rid of the script
> altogether, radius will work with both TTLS/PAP &
> PEAP/MSCHAP. Is this correct? I believe I have to enable ldap on the
> inner tunnel.
It will work if LDAP supplies the clear-text password or the NT hash
to FreeRADIUS. Otherwise, it's impossible.
> Now assuming I stick with the script and support TTLS/PAP only, I wanted
> to understand how radius distinguishes between two types of requests.
Read the debug output. The EAP supplicant *tells* the server it's
using TTLS or PEAP.
> I
> did not mention it earlier but I have another script that does MOTP in
> the same radius server. At the moment I use realms to distinguish
> between the two but I'm pretty sure there is an elegant way to let
> radius work it out itself.
As always, read the debug output. If you can tell the difference
between the two requests, then you can write a rule to distinguish
between the two requests.
Alan DeKok.
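An added illustration of the point Alan makes above (this is example code, not part of the thread and not FreeRADIUS code). MS-CHAPv2 can only be verified when the server holds either Cleartext-Password or NT-Password; NT-Password is MD4 over the UTF-16LE encoding of the password, so it can be derived from a clear-text password but never from a yes/no answer handed back by an external script. The MD4 is a pure-Python RFC 1320 implementation so the example runs without OpenSSL's legacy provider; the user records at the bottom are constructed, with keys named after the FreeRADIUS attributes.

```python
"""Why TTLS/PAP works with an accept/reject script but PEAP/MSCHAPv2 does not:
the server needs Cleartext-Password or NT-Password, and NT-Password is
MD4(UTF-16LE(password)). Example code, not FreeRADIUS's own."""
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 digest per RFC 1320 (pure Python)."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    # (round function, additive constant, shift schedule, message word order)
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, k, shifts, order in rounds:
            for step, idx in enumerate(order):
                # Update "a", then rotate registers so the next step works on d, a, b, c.
                a = _lrot((a + func(b, c, d) + x[idx] + k) & MASK32, shifts[step % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT-Password as FreeRADIUS stores it: hex MD4 of the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex()


def mschap_capable(record: dict) -> bool:
    """True if the attributes returned for a user let the server verify an
    MS-CHAPv2 response, i.e. it has the clear-text password or the NT hash."""
    return "NT-Password" in record or "Cleartext-Password" in record


# Constructed records for three back-ends (not real user data):
LDAP_USER = {"Cleartext-Password": "password"}   # LDAP returns the clear-text password
NT_USER = {"NT-Password": nt_hash("password")}   # LDAP returns only the NT hash
SCRIPT_USER = {"Auth-Result": "accept"}          # external script only answers yes/no

if __name__ == "__main__":
    for name, rec in (("ldap", LDAP_USER), ("nt", NT_USER), ("script", SCRIPT_USER)):
        print(f"{name:6} MSCHAPv2 possible: {mschap_capable(rec)}")
```

The first two records work for both TTLS/PAP and PEAP/MSCHAPv2, while the script-backed record can only serve PAP, since there is nothing to run MD4 over and nothing to compare the client's challenge response against.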