Freeradius and 2 Factor Authentication

Arran Cudbard-Bell a.cudbardb at
Thu Jun 2 21:19:31 CEST 2016

> On Jun 2, 2016, at 2:52 PM, Aaron Smith <Aaron.Smith at> wrote:
> Doesn't matter how awesome SecurID is if you don't have the budget for it.  :)

Oh, no, SecurID is awful; YubiKey is awesome.

>  I think the issue stems from an initial misunderstanding (on my part) of authentication in Freeradius.  I was thinking that Freeradius would be able to negotiate MSCHAPv2 and then give the password that the user supplied to a module or Perl script to be authenticated by the OTP server.

Well, no. MSCHAPv2 doesn't give you the password in cleartext, so you can't pass it off to anything.

>  I was thinking this because if I configure my Windows 7 client to create an IKEv2 tunnel using EAP-MSCHAPv2, it will work just fine with Freeradius and a plain old user in the Users file.  I figured "Well, it can see my password to compare it to THAT, so it must HAVE the password".  After further reading, though, I think what it gets after negotiating MSCHAPv2 is a hashed password, so it snags the password from the Users file, hashes THAT and then compares the hashes.  So it has no way of giving the plaintext password to anything at all, thus limiting the types of authentication that will work to those that provide plaintext passwords to begin with.

Yeah, you need to run EAP-TTLS-PAP instead, which does give you the plaintext password.
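The reason PAP can feed an OTP backend and MS-CHAPv2 cannot is visible in what each puts on the wire. With PAP the RADIUS server receives the User-Password attribute, which is only obfuscated with the shared secret and the Request Authenticator (RFC 2865 section 5.2), so a server that knows the secret recovers the cleartext and can split it into a static PIN and a one-time code for a separate backend; with MS-CHAPv2 it receives a challenge-response derived from the NT hash, from which no cleartext can be recovered. The following is an added example illustrating the PAP side, written for this page and not taken from FreeRADIUS or from the thread. The shared secret, Request Authenticator, and the "PIN followed by six OTP digits" password layout are constructed assumptions for the demonstration, not anything the message specifies.

```python
import hashlib


def _keystream_block(secret: bytes, prev: bytes) -> bytes:
    """RFC 2865 5.2: each 16-byte XOR block is MD5(secret || previous block).

    For the first block "previous block" is the 16-byte Request Authenticator;
    for later blocks it is the previous ciphertext block.
    """
    return hashlib.md5(secret + prev).digest()


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Produce the User-Password attribute value a NAS sends for PAP."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to a multiple of 16
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = _keystream_block(secret, prev)
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk
    return bytes(out)


def decode_user_password(attr: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What a RADIUS server holding the shared secret recovers: the cleartext.

    Trailing NUL padding is stripped, so a password that itself ends in NUL
    bytes is not representable; that is a property of the RFC encoding.
    """
    if not attr or len(attr) % 16 != 0:
        raise ValueError("User-Password value must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(attr), 16):
        chunk = attr[i:i + 16]
        block = _keystream_block(secret, prev)
        out += bytes(a ^ b for a, b in zip(chunk, block))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def split_pin_and_otp(password: bytes, otp_digits: int = 6):
    """Split a recovered cleartext into static PIN and trailing numeric OTP.

    Assumed layout (not from the page): the user types PIN immediately followed
    by a fixed-length numeric OTP, e.g. "hunter2-482913". Only possible once the
    server has the cleartext, which is exactly why EAP-TTLS-PAP is needed.
    """
    if len(password) <= otp_digits or not password[-otp_digits:].isdigit():
        raise ValueError("password does not end in a numeric OTP of the expected length")
    return password[:-otp_digits], password[-otp_digits:]


def demo():
    """Round-trip a constructed PAP request and return the recovered parts."""
    secret = b"testing123"                 # constructed shared secret
    authenticator = bytes(range(16))       # constructed Request Authenticator
    typed = b"hunter2-482913"              # constructed PIN + 6-digit OTP

    on_the_wire = encode_user_password(typed, secret, authenticator)
    recovered = decode_user_password(on_the_wire, secret, authenticator)
    pin, otp = split_pin_and_otp(recovered)
    return on_the_wire, recovered, pin, otp


if __name__ == "__main__":
    wire, recovered, pin, otp = demo()
    print("User-Password on the wire:", wire.hex())
    print("recovered cleartext:      ", recovered.decode())
    print("PIN for local check:      ", pin.decode())
    print("OTP for OTP backend:      ", otp.decode())
```

Note that the obfuscation here is reversible only because the server shares the secret with the NAS; it is not a hash. That is the whole reason an OTP backend can sit behind PAP inside the TTLS tunnel, and why the same design is impossible behind MS-CHAPv2, where the server never sees anything it could hand to a script.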

