CHAP, Cleartext-Password and External Script

Alan DeKok aland at
Wed Nov 13 22:46:17 CET 2013

P K wrote:
> My apologies. I got the protocols mixed up. But yes you all understood
> my question perfectly. I have been able to use TTLS/PAP which is
> supported by Windows>=8 out of the box because I can pass user/pass
> combo to my external script.For the users < Win 8, I was looking to get
> PEAP/MSCHAP working but as you say radius needs either the clear text
> password or NTLM hash. I have neither as my python script needs
> user/pass to validate against the external source.

  As I said, it's *impossible*.

> If I understand correctly, I switch to LDAP and get rid of the script
> all together, radius will work with both TTLS/PAP &
> PEAP/MSCHAP. Is this correct? I believe I have to enable ldap on the
> inner tunnel.

  It will work if LDAP supplies the clear-text password or the NT hash
to FreeRADIUS.  Otherwise, it's impossible.

> Now assuming I stick with the script and support TTLS/PAP only, I wanted
> to understand how radius distinguishes between two types of requests.

  Read the debug output.  The EAP supplicant *tells* the server it's
using TTLS or PEAP.

> I
> did not mention it earlier but I have another script that does MOTP in
> the same radius server. At the moment I use realms to distinguish
> between the two but I'm pretty sure there is an elegant way to let
> radius work it out itself.

  As always, read the debug output.  If you can tell the difference
between the two requests, then you can write a rule to distinguish
between the two requests.

  Alan DeKok.

More information about the Freeradius-Users mailing list