using external script in virtual server config
the2nd at otpme.org
Tue Jan 27 00:40:36 CET 2015
On 2015-01-26 23:24, Alan DeKok wrote:
> On Jan 26, 2015, at 5:13 PM, the2nd at otpme.org wrote:
>>> The MSCHAP module does MSCHAP authentication. That’s why it exists.
>>
>> but i guess it does something more than just authentication
>
> Yes. You need to READ the file raddb/sites-available/default. Look
> for “mschap”.
>
>> because i can pass the mschap challenge and the nt-response to my
>> script when configuring the mschap module like this:
>>
>> ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm
>> '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}'
>> '%{%{mschap:Challenge}:-00}' '%{%{mschap:NT-Response}:-00}'
>> '%{NAS-Identifier}' '%{Client-IP-Address}'"
>
> Yes, you already said that.
>
>> but from inside the rlm_python module i cannot access this two
>> attributes.
>
> Yes, you already said that.
>
> This is getting annoying.
That was not my intention. I just wanted to be precise....
>
>> it would be great to have access to them from within rlm_python....
>
> I told you what to do to fix it.
>
> Are you going to:
>
> a) ignore my instructions, and keep failing to get it to work?
>
> b) follow my instructions and fix the problem?
I tried to follow your instructions but it does not work. This may be my
fault but I don't know what's wrong with my configuration.
You said I should add something like this to my config:
update request {
Tmp-Octets-0 := "%{mschap:Challenge}"
Tmp-Octets-1 := "%{mschap:NT-Response}"
}
So I've added this to the authenticate section. Then the attribute is
accessible from within rlm_python but it contains just "0x".
After re-reading sites-available/default I tried to add mschap to the
authorize section. Now authData looks like this:
(('EAP-Message',
'0x020600441a0206003f318c929437cfcc7e34d38695dba333a3480000000000000000293469b08f92cfe6256368b2dfc387040bca8dfb793b7c1400746573747573657231'),
('FreeRADIUS-Proxied-To', '127.0.0.1'), ('User-Name', '"testuser1"'),
('State', '0xe5d8e91ee5def3de4aba84c7d7c8b566'), ('NAS-IP-Address',
'127.0.0.1'), ('Calling-Station-Id', '"02-00-00-00-00-01"'),
('Framed-MTU', '1400'), ('NAS-Port-Type', 'Wireless-802.11'),
('Connect-Info', '"CONNECT 11Mbps 802.11b"'), ('EAP-Type',
'MS-CHAP-V2'), ('MS-CHAP-Challenge',
'0x4ae7d63d38abad6a5e5cd90fc6e56420'), ('MS-CHAP2-Response',
'0x06658c929437cfcc7e34d38695dba333a3480000000000000000293469b08f92cfe6256368b2dfc387040bca8dfb793b7c14'),
('MS-CHAP-User-Name', '"testuser1"'), ('Tmp-Octets-0',
'0x61656661316130333862306364383438'), ('Tmp-Octets-1',
'0x323933343639623038663932636665363235363336386232646663333837303430626361386466623739336237633134'))
So there is some data in Tmp-Octets-0 and Tmp-Octets-1 now. But these
values are longer than what's normally in %{mschap:Challenge} and
%{mschap:NT-Response}.
The challenge I get from the mschap module when called as an ntlm_auth
replacement is 16 characters long, and the response is 48 chars long.
Thanks a lot for any hint in the right direction....
>
> Alan DeKok.
>
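As an added illustration (not code from the post or from FreeRADIUS), this Python takes the attributes from the authData dump above and decodes the two Tmp-Octets values: each turns out to be the ASCII of the hex string the mschap xlat produced, so the 16-character challenge and 48-character NT-Response are in there, hex-encoded a second time. It also re-derives the MS-CHAPv2 challenge with ChallengeHash() from RFC 2759 so a script can check the stored value against the MS-CHAP-Challenge, peer challenge and user name of the same request; AUTH_DATA is constructed here from the dump.

```python
import hashlib

# The relevant attributes from the authData dump in the post (constructed here
# from that dump; the values are the post's own, nothing is newly invented).
AUTH_DATA = (
    ("MS-CHAP-Challenge", "0x4ae7d63d38abad6a5e5cd90fc6e56420"),
    ("MS-CHAP2-Response", "0x06658c929437cfcc7e34d38695dba333a3480000000000000000"
                          "293469b08f92cfe6256368b2dfc387040bca8dfb793b7c14"),
    ("MS-CHAP-User-Name", '"testuser1"'),
    ("Tmp-Octets-0", "0x61656661316130333862306364383438"),
    ("Tmp-Octets-1", "0x3239333436396230386639326366653632353633363862"
                     "32646663333837303430626361386466623739336237633134"),
)

def octets(value):
    """Turn the '0x...' rendering rlm_python uses for octets attributes into bytes."""
    return bytes.fromhex(value[2:])

def tmp_octets_as_text(value):
    """The update stored the xlat's *text* result: %{mschap:...} expands to a hex
    string, and assigning that string to an octets attribute keeps its ASCII
    bytes, so the dump shows the hex string hex-encoded a second time."""
    return octets(value).decode("ascii")

def split_mschap2_response(value):
    """MS-CHAP2-Response layout (RFC 2548 2.3.2): Ident, Flags, Peer-Challenge(16),
    Reserved(8), NT-Response(24)."""
    raw = octets(value)
    if len(raw) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes, got %d" % len(raw))
    return {"ident": raw[0], "peer_challenge": raw[2:18], "nt_response": raw[26:50]}

def challenge_hash(peer_challenge, auth_challenge, user_name):
    """ChallengeHash() from RFC 2759 section 8.2: the 8-byte challenge the
    NT-Response is computed over, i.e. what %{mschap:Challenge} yields for v2."""
    digest = hashlib.sha1(peer_challenge + auth_challenge + user_name.encode()).digest()
    return digest[:8]

def analyse(auth_data):
    d = dict(auth_data)
    resp = split_mschap2_response(d["MS-CHAP2-Response"])
    challenge = tmp_octets_as_text(d["Tmp-Octets-0"])     # 16 hex chars = 8 bytes
    nt_response = tmp_octets_as_text(d["Tmp-Octets-1"])   # 48 hex chars = 24 bytes
    derived = challenge_hash(resp["peer_challenge"], octets(d["MS-CHAP-Challenge"]),
                             d["MS-CHAP-User-Name"].strip('"'))
    return {
        "challenge": challenge,
        "nt_response": nt_response,
        # decoded Tmp-Octets-1 must be the NT-Response field of MS-CHAP2-Response
        "nt_response_consistent": bytes.fromhex(nt_response) == resp["nt_response"],
        # decoded Tmp-Octets-0 should equal ChallengeHash() over the same request
        "challenge_consistent": bytes.fromhex(challenge) == derived,
    }
```

A script fed Tmp-Octets this way therefore has to hex-decode once more (or take the value as text) before comparing it with what ntlm_auth-style invocations receive.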