using external script in virtual server config

the2nd at the2nd at
Tue Jan 27 09:56:23 CET 2015

On 2015-01-27 01:51, Alan DeKok wrote:
> On Jan 26, 2015, at 6:40 PM, the2nd at wrote:
>> that was not my intention. i just wanted to be precise….
>   It’s rude.  Repeating something over and over is suggesting that the
> reader is an idiot who can’t remember anything.

i'm sorry about that. i never wanted to annoy you or anything like this.
>> i tried to follow your instructions but it does not work. this may be 
>> my fault but i don't know what's wrong with my configuration.
>   There is documentation.  You’ve already shown you’re not reading it.

i do read the documentation. but i was not able to get this special 
thing going yet. that's why i ask for help.

btw. rlm_python examples do not show how to handle mschap requests. it 
would be of much help to have an example.
>> you said i should add something like this to my config:
>>                        update request {
>>                                Tmp-Octets-0 := "%{mschap:Challenge}"
>>                                Tmp-Octets-1 := "%{mschap:NT-Response}"
>>                        }
>> so i've added this to the authenticate section. then the attribute is 
>> accessible from within rlm_python but it contains just "0x".
>    Well...
>> after re-reading sites-available/default i tried to add mschap to the 
>> authorize section. now authData looks like this:
>   I don’t care about “authData”.
>   You’re asking *me* to figure out what some magical format you
> invented.  At the same time, you’re refusing to give information in
> the *standard* FreeRADIUS format.

the output of authData i sent in my last mail is just what i receive 
from rlm_python. there is nothing i have invented. it's just a "log 
authData" from within the authenticate() function

def authenticate(authData):
     """ authentication """
     log(radiusd.L_INFO, str(authData))

>   That’s annoying and rude.
>   The server has a debug output for a reason.  If you refuse to use
> it, then stop posting questions here.

i do use the output of radiusd -X but i have not posted it because it 
contains some sensitive information and you also never asked for it. if 
you need it i'll get a complete debug output for one request, remove all 
sensitive information and send it to you.

but maybe this part is enough?

[mschapv2] +group MS-CHAP {
[mschapv2] ++update request {
[mschapv2] Creating challenge hash with username: testuser1
[mschapv2]      expand: %{mschap:Challenge} -> a036060bdd7bb1ac
[mschapv2]      expand: %{mschap:NT-Response} -> 
[mschapv2] ++} # update request = noop

for me it looks like the update request statement does not work. but 
there is no information why.

>> so there is some data in Tmp-Octets-0 and Tmp-Octets-1 now. but these 
>> values are longer than what's normally in %{mschap:Challenge} and 
>> %{mschap:NT-Response}.
>   It’s easy to figure out what the problem is.

for me it's not that easy. so it would be great to get the solution, if 
you already know it.

and as soon as i get it working i'd like to extend the example module 
(if needed) and write down how to handle mschap requests using 
rlm_python. maybe i should add this to the freeradius wiki?

>> the challenge i get from mschap module when called as an ntlm_auth 
>> replacement is 16 characters long. and the response is 48 chars long.
>> thanks a lot for any hint in the right direction….
>   I’ve given you hints.  I’ve given you direct instructions.  So far
> that hasn’t helped much.
>   Alan DeKok.
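An added example (not code from this thread or from the FreeRADIUS project): a Python check that an rlm_python handler could run on the two attributes before using them, which reports the empty NT-Response seen in the debug output above. It assumes the request arrives as (name, value) string pairs with octets rendered as 0x-prefixed hex; the function names are hypothetical, and the RFC 2759 challenge hash and RFC 2548 MS-CHAP2-Response split go beyond what the thread itself shows.

```python
import hashlib

# Sizes in bytes: 8 and 24 correspond to the 16- and 48-hex-character
# values mentioned in the thread.
CHALLENGE_LEN, NT_RESPONSE_LEN = 8, 24

def octets(value):
    """Decode an octets string such as '0xa036060bdd7bb1ac' into bytes."""
    text = value.strip('"')
    if text.lower().startswith("0x"):
        text = text[2:]
    return bytes.fromhex(text)

def challenge_hash(peer_challenge, auth_challenge, username):
    """RFC 2759 ChallengeHash(): SHA1(peer || authenticator || user)[:8]."""
    data = peer_challenge + auth_challenge + username.encode("ascii")
    return hashlib.sha1(data).digest()[:8]

def split_mschap2_response(raw):
    """Split a raw 50-byte MS-CHAP2-Response (RFC 2548 layout):
    ident(1) flags(1) peer-challenge(16) reserved(8) nt-response(24)."""
    if len(raw) != 50:
        raise ValueError("MS-CHAP2-Response: %d bytes, expected 50" % len(raw))
    return raw[2:18], raw[26:50]

def check_request(pairs):
    """Return (challenge, nt_response) from (name, value) pairs, or raise
    ValueError naming the attribute that is missing, empty or mis-sized."""
    attrs = dict(pairs)
    result = []
    for name, want in (("Tmp-Octets-0", CHALLENGE_LEN),
                       ("Tmp-Octets-1", NT_RESPONSE_LEN)):
        if name not in attrs:
            raise ValueError(name + " missing from request")
        data = octets(attrs[name])
        if not data:
            raise ValueError(name + " is empty: the expansion produced nothing")
        if len(data) != want:
            raise ValueError("%s: %d bytes, expected %d" % (name, len(data), want))
        result.append(data)
    return tuple(result)

if __name__ == "__main__":
    # Constructed sample mirroring the debug output: challenge set, response empty.
    sample = (("User-Name", "testuser1"),
              ("Tmp-Octets-0", "0xa036060bdd7bb1ac"), ("Tmp-Octets-1", "0x"))
    try:
        check_request(sample)
    except ValueError as err:
        print("rejecting request:", err)
```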