using external script in virtual server config

the2nd at the2nd at
Tue Jan 27 00:40:36 CET 2015

On 2015-01-26 23:24, Alan DeKok wrote:
> On Jan 26, 2015, at 5:13 PM, the2nd at wrote:
>>>  The MSCHAP module does MSCHAP authentication.  That’s why it exists.
>> but i guess it does something more than just authentication
>   Yes.  You need to READ the file raddb/sites-available/default.  Look
> for “mschap”.
>> because i can pass the mschap challenge and the nt-response to my 
>> script when configuring the mschap module like this:
>> ntlm_auth = "/usr/local/bin/otpme-auth -l verify_ntlm 
>> '%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}' 
>> '%{%{mschap:Challenge}:-00}' '%{%{mschap:NT-Response}:-00}' 
>> '%{NAS-Identifier}' '%{Client-IP-Address}'"
>   Yes, you already said that.
>> but from inside the rlm_python module i cannot access these two 
>> attributes.
>   Yes, you already said that.
>   This is getting annoying.

that was not my intention. i just wanted to be precise....

>> it would be great to have access to them from within rlm_python....
>   I told you what to do to fix it.
>   Are you going to:
> a) ignore my instructions, and keep failing to get it to work?
> b) follow my instructions and fix the problem?

i tried to follow your instructions but it does not work. this may be my 
fault but i don't know what's wrong with my configuration.

you said i should add something like this to my config:

                         update request {
                                 Tmp-Octets-0 := "%{mschap:Challenge}"
                                 Tmp-Octets-1 := "%{mschap:NT-Response}"
                         }

so i've added this to the authenticate section. then the attribute is 
accessible from within rlm_python but it contains just "0x".

after re-reading sites-available/default i tried to add mschap to the 
authorize section. now authData looks like this:

('FreeRADIUS-Proxied-To', ''), ('User-Name', '"testuser1"'), 
('State', '0xe5d8e91ee5def3de4aba84c7d7c8b566'), ('NAS-IP-Address', 
''), ('Calling-Station-Id', '"02-00-00-00-00-01"'), 
('Framed-MTU', '1400'), ('NAS-Port-Type', 'Wireless-802.11'), 
('Connect-Info', '"CONNECT 11Mbps 802.11b"'), ('EAP-Type', 
'MS-CHAP-V2'), ('MS-CHAP-Challenge', 
'0x4ae7d63d38abad6a5e5cd90fc6e56420'), ('MS-CHAP2-Response', 
('MS-CHAP-User-Name', '"testuser1"'), ('Tmp-Octets-0', 
'0x61656661316130333862306364383438'), ('Tmp-Octets-1', 

so there is some data in Tmp-Octets-0 and Tmp-Octets-1 now. but these 
values are longer than what's normally in %{mschap:Challenge} and 

the challenge i get from mschap module when called as an ntlm_auth 
replacement is 16 characters long. and the response is 48 chars long.

thanks a lot for any hint in the right direction....

>   Alan DeKok.

More information about the Freeradius-Users mailing list
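
Added example, not part of the original message and not FreeRADIUS code: the Tmp-Octets-0 value in the dump above, read as ASCII, is itself a 16-character hex string, so the octets attribute holds the text of the expansion rather than the 8 raw bytes. The helper below, for use in an rlm_python script, undoes that second layer; the function names are hypothetical, the (name, value) tuple layout is assumed from the authData dump, and Python 3 is assumed.

```python
import binascii
import string

# Byte values of the ASCII characters 0-9, a-f, A-F.
HEX_DIGITS = set(string.hexdigits.encode("ascii"))


def parse_octets(value):
    """Turn an '0x...' attribute string from the request tuple into raw bytes."""
    text = value.strip().strip('"')
    if text.lower().startswith("0x"):
        text = text[2:]
    if len(text) % 2:
        raise ValueError("odd number of hex digits: %r" % value)
    return binascii.unhexlify(text)  # raises binascii.Error on non-hex input


def unwrap_hex_text(raw):
    """Return (bytes, unwrapped). Decode once more if raw is ASCII hex text.

    Heuristic: a genuine binary value made only of hex-digit bytes would be
    misdetected, so compare the resulting length with what is expected.
    """
    if raw and len(raw) % 2 == 0 and all(b in HEX_DIGITS for b in raw):
        return binascii.unhexlify(raw), True
    return raw, False


def octets_from_request(pairs, name):
    """Look up one attribute in the tuple passed to the Python module."""
    for attr, value in pairs:
        if attr == name:
            return unwrap_hex_text(parse_octets(value))
    raise KeyError(name)


# Sample built from values quoted in the message above.
SAMPLE = (
    ("User-Name", '"testuser1"'),
    ("MS-CHAP-Challenge", "0x4ae7d63d38abad6a5e5cd90fc6e56420"),
    ("Tmp-Octets-0", "0x61656661316130333862306364383438"),
)

if __name__ == "__main__":
    for name in ("MS-CHAP-Challenge", "Tmp-Octets-0"):
        raw, unwrapped = octets_from_request(SAMPLE, name)
        print(name, len(raw), binascii.hexlify(raw).decode(), unwrapped)
```

An empty "0x" value, as seen when the update block ran in the authenticate section, comes back as empty bytes with the flag unset.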