EAP-PEAP MSCHAPv2 with Python Module
Gary Gwin
garygwin at gmail.com
Thu Nov 9 03:55:32 CET 2017
Thanks for the fast response.
>> Instead of using the FreeRADIUS users file for authentication, I want
>> to use a custom Python module in the inner-tunnel (I presume) to
>> authenticate the user with a REST API.
>
> Have you looked at rlm_rest? It might be a better solution.
I had not, interesting and thanks for the reference. It doesn't look like
it would work for me as I need to get/manage access and refresh tokens
and have custom needs.
> What information does the rest API give you? Or what are you expecting
> to send to it to check?
The API gets dynamic IPs and validates passwords, OTP, and NT hashes.
>> 1) How do I know in the Python module when to get in the middle of
>> the multi-step EAP authentication without causing problems?
>
> I don't understand what this means.
>
> If you call rlm_python in the authenticate section of the inner-
> tunnel, then it'll be at the right time to do the authentication.
You understood ;-) I read that I should be careful not to short-circuit
the EAP negotiations.
>> 2) How do I get the User-Password?
>
> You can't.
Understood.
What I'm really asking is how I can get access from the inner-tunnel
to the NT hash?
I don't see it passed in. Just the User-Name and EAP-Message.
If it is encrypted in the EAP-Message payload, how do I decrypt it?
Thanks,
Gary