EAP-PEAP MSCHAPv2 with Python Module

Matthew Newton mcn at freeradius.org
Thu Nov 9 11:34:52 CET 2017


On Wed, 2017-11-08 at 19:55 -0700, Gary Gwin wrote:
> I had not, interesting and thanks for the reference. It doesn't look like
> it would work for me as I need to get/manage access and refresh
> tokens and have custom needs.

Well, you can do a lot in unlang, but you know it's there to have a
look now.

> > What information does the REST API give you? Or what are you expecting
> > to send to it to check?
> 
> The API gets dynamic IPs and validates passwords, otp, and NT hashes.

Gives you the NT hash?

> > > 2) How do I get the User-Password?
> > 
> > You can't.
> 
> Understood.
> 
> What I'm really asking is how I can get access from the inner-tunnel
> to the NT hash?

You ask your API to give it to you.

> I don't see it passed in. Just the User-Name and EAP-Message.

The MSCHAP has the Challenge and Response, not the NT hash. That's what
you store in your database.

Or the cleartext password, which you can also use.

So you get the NT hash from your database using your API and put it in
the NT-Password attribute, then call mschap to do the authentication.

-- 
Matthew
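
The flow described in the message above (look up the NT hash, put it in NT-Password, let mschap authenticate), sketched as an rlm_python authorize() for the inner-tunnel. This is an added example, not code from the thread or from the FreeRADIUS project. Assumptions: the tuple-style return of FreeRADIUS 3.0.x rlm_python, a hypothetical fetch_nt_hash() standing in for the poster's API, and a constructed sample table.

```python
import re

try:
    import radiusd                       # only importable inside FreeRADIUS
    FAIL = radiusd.RLM_MODULE_FAIL
    NOTFOUND = radiusd.RLM_MODULE_NOTFOUND
    UPDATED = radiusd.RLM_MODULE_UPDATED
except ImportError:                      # offline run: same numeric rlm codes
    FAIL, NOTFOUND, UPDATED = 1, 6, 8

# Constructed stand-in for the credential API discussed in the thread.
# "alice" holds the NT hash of the string "password".
SAMPLE_HASHES = {"alice": "8846F7EAEE8FB117AD06BDD830B7586C",
                 "broken": "8846f7ea"}   # truncated on purpose

NT_HASH_RE = re.compile(r"[0-9a-f]{32}\Z")   # MD4 digest: 16 bytes as hex


def fetch_nt_hash(username):
    """Hypothetical lookup; replace with the real API call."""
    return SAMPLE_HASHES.get(username)


def get_attr(p, name):
    """Return the first value of `name` from rlm_python's tuple of pairs."""
    for attr, value in p:
        if attr == name:
            return value.strip('"')      # tolerate a quoted string value
    return None


def authorize(p, lookup=fetch_nt_hash):
    user = get_attr(p, "User-Name")
    if user is None:
        return NOTFOUND
    nt_hash = lookup(user)
    if nt_hash is None:
        return NOTFOUND                  # unknown user: let other modules try
    nt_hash = nt_hash.strip().lower()
    if not NT_HASH_RE.match(nt_hash):
        return FAIL                      # never hand mschap a malformed hash
    # (code, reply pairs, control pairs): NT-Password belongs in control only
    return (UPDATED, (), (("NT-Password", "0x" + nt_hash),))
```

The NT hash is password-equivalent for MSCHAPv2, so keep it out of the reply pairs and out of any logging added around the lookup.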


