EAP-PEAP MSCHAPv2 with Python Module
Matthew Newton
mcn at freeradius.org
Thu Nov 9 01:12:06 CET 2017
On Wed, 2017-11-08 at 16:53 -0700, Gary Gwin wrote:
> I've configured and tested the EAP-PEAP MSCHAPv2 basic example as
> documented with FreeRADIUS 3.0.12 using a Windows 10 supplicant
> configured for WPA2 Enterprise.
OK...
> Instead of using the FreeRADIUS users file for authentication, I want
> to use a custom Python module in the inner-tunnel (I presume) to
> authenticate the user with a REST API.
Have you looked at rlm_rest? It might be a better solution.
What information does the REST API give you? Or what are you expecting
to send to it to check?
> 1) How do I know in the Python module when to get in the middle of
> the multi-step EAP authentication without causing problems?
I don't understand what this means.
If you call rlm_python in the authenticate section of the
inner-tunnel, then it'll be at the right time to do the authentication.
> 2) How do I get the User-Password?
You can't.
> I've seen posts that suggest the User-Password might be sent
> encrypted in the EAP-Message. If that's the case:
>
> 3) How do I know how to decrypt the EAP-Message?
You can't get the plain text password from the EAP-Message.
> 4) Anything else I need to know?
You need the password in plaintext on the RADIUS server, or the NT hash
of it.
Nothing else will be able to authenticate MSCHAP requests.
See http://deployingradius.com/documents/protocols/compatibility.html
--
Matthew