EAP-PEAP MSCHAPv2 with Python Module

Gary Gwin garygwin at gmail.com
Thu Nov 9 03:55:32 CET 2017


Thanks for the fast response.

>> Instead of using the FreeRADIUS users file for authentication, I want
>> to use a custom Python module in the inner-tunnel (I presume) to
>> authenticate the user with a REST API.
>
> Have you looked at rlm_rest? It might be a better solution.

I had not, interesting, and thanks for the reference. It doesn't look like
it would work for me as I need to get/manage access and refresh tokens
and have custom needs.

> What information does the rest API give you? Or what are you expecting
> to send to it to check?

The API gets dynamic IPs and validates passwords, OTP, and NT hashes.

>> 1) How do I know in the Python module when to get in the middle of
>> the multi-step eap authentication without causing problems?
>
> I don't understand what this means.
>
> If you call rlm_python in the authenticate section of the inner-
> tunnel, then it'll be at the right time to do the authentication.

You understood ;-) Read that I should be careful not to short-circuit
the EAP negotiations.

>> 2) How do I get the User-Password?
>
> You can't.

Understood.

What I'm really asking is how I can get access from the inner-tunnel
to the NT hash?

I don't see it passed in. Just the User-Name and EAP-Message.

If it is encrypted in the EAP-Message payload, how do I decrypt?

Thanks,

Gary

