using external script in virtual server config
the2nd at otpme.org
Mon Jan 26 23:13:26 CET 2015
On 2015-01-26 23:00, Alan DeKok wrote:
> On Jan 26, 2015, at 4:54 PM, the2nd at otpme.org wrote:
>> i tried it with the config below but the attribute Tmp-Octets-0 is
>> always "0x". i think that's because the mschap module is disabled.
>
> Well…. then fix that.
>
>> but if i enable it i get no auth request from rlm_python. i guess
>> that's because the mschap module always tries to do authentication, via
>> ntlm_auth or via users file!?
>
> The MSCHAP module does MSCHAP authentication. That’s why it exists.
>
but i guess it does something more than just authentication because i
can pass the mschap challenge and the nt-response to my script when
configuring the mschap module like this:

    ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' '%{%{mschap:Challenge}:-00}' '%{%{mschap:NT-Response}:-00}' '%{NAS-Identifier}' '%{Client-IP-Address}'"

but from inside the rlm_python module i cannot access these two
attributes.
it would be great to have access to them from within rlm_python....

> If you *don’t* want it to set “Auth-Type = MSCHAP”, then don’t list
> “mschap” in the “authorize” section.
>
>> i also noticed that authData includes a challenge/response pair but
>> they are different (longer) from what i get from mschap module when
>> running otpme as ntlm_auth replacement.
>
> No idea...
>
>> the request EAP-Type is set to MS-CHAP-V2. is this an encapsulated
>> mschap request?
>
> Yes.
>
> Alan DeKok.
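
Added example (not part of the original message, and not FreeRADIUS or OTPme code): for a script that only sees the raw RADIUS attributes, this derives the 8-byte challenge and 24-byte NT-Response of MS-CHAPv2 from the 16-byte MS-CHAP-Challenge and 50-byte MS-CHAP2-Response (layouts per RFC 2548, hash per RFC 2759). That these are the same two values `%{mschap:Challenge}` and `%{mschap:NT-Response}` expand to is an assumption; the function names are hypothetical and the sample bytes are the RFC 2759 test vector with a constructed Ident/Flags prefix.

```python
import hashlib

def parse_mschap2_response(attr: bytes) -> dict:
    """Split a 50-byte MS-CHAP2-Response attribute value (RFC 2548 layout)."""
    if len(attr) != 50:
        raise ValueError(f"MS-CHAP2-Response must be 50 bytes, got {len(attr)}")
    return {
        "ident": attr[0],
        "flags": attr[1],
        "peer_challenge": attr[2:18],   # 16 bytes chosen by the client
        "reserved": attr[18:26],        # 8 bytes, must be zero
        "nt_response": attr[26:50],     # 24 bytes, what a verifier checks
    }

def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: bytes) -> bytes:
    """RFC 2759 ChallengeHash(): first 8 bytes of SHA1(peer || auth || user)."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    return hashlib.sha1(peer_challenge + auth_challenge + user_name).digest()[:8]

def derive_verify_inputs(auth_challenge: bytes, mschap2_response: bytes,
                         user_name: bytes) -> tuple:
    """Return (8-byte challenge, 24-byte NT-Response) as hex strings.

    user_name must be the name exactly as the client hashed it; getting
    that right is left to the caller (assumption of this example).
    """
    fields = parse_mschap2_response(mschap2_response)
    if any(fields["reserved"]):
        raise ValueError("reserved field is not zero; not an MS-CHAPv2 response")
    chal = challenge_hash(fields["peer_challenge"], auth_challenge, user_name)
    return chal.hex(), fields["nt_response"].hex()

# RFC 2759 section 9.2 test vector; Ident=0x01 and Flags=0x00 are constructed.
SAMPLE_AUTH_CHALLENGE = bytes.fromhex("5b5d7c7d7b3f2f3e3c2c602132262628")
SAMPLE_RESPONSE = (
    bytes([0x01, 0x00])
    + bytes.fromhex("21402324255e262a28295f2b3a337c7e")   # Peer-Challenge
    + bytes(8)                                            # Reserved
    + bytes.fromhex("82309ecd8d708b5ea08faa3981cd83544233114a3d85d6df")
)

if __name__ == "__main__":
    print(derive_verify_inputs(SAMPLE_AUTH_CHALLENGE, SAMPLE_RESPONSE, b"User"))
```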